AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
20 April 2022

ASB-2022.0093 - [Win][UNIX/Linux] Oracle Database Server: CVSS (Max): 7.2

===========================================================================
AUSCERT Security Bulletin ASB-2022.0093
Oracle Database Server Critical Patch Update
20 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:          Oracle Application Express
                  Oracle Database Server
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Resolution:       Patch/Upgrade
CVE Names:        CVE-2022-21498 CVE-2022-21411 CVE-2022-21410
                  CVE-2021-41165 CVE-2021-22569

Comment: CVSS (Max):  7.2 CVE-2022-21410 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

OVERVIEW

Multiple vulnerabilities have been identified in:

 o Oracle Application Express, versions prior to 22.1
 o Oracle Database Server, versions 12.1.0.2, 19c, 21c [1]

IMPACT

The vendor has provided the following information regarding the vulnerabilities:

"This Critical Patch Update contains 5 new security patches plus additional third party patches noted below for Oracle Database Products. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed." [1]

CVE-2022-21410  7.2  AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any Procedure privilege with network access via Oracle Net to compromise the affected system. Successful attacks of this vulnerability can result in takeover of the affected system.
Affects:
 o Oracle Database - Enterprise Edition Sharding 19c

CVE-2022-21498  6.5  AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Supported versions that are affected are 12.1.0.2, 19c and 21c. Easily exploitable vulnerability allows low privileged attacker having Create Procedure privilege with network access via multiple protocols to compromise the affected system. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all the affected system's accessible data.
Affects:
 o Java VM 12.1.0.2, 19c, 21c

CVE-2021-41165  5.4  AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
The supported version that is affected is Prior to 22.1. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise the affected system. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in the affected system, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of the affected system's accessible data as well as unauthorized read access to a subset of the affected system's accessible data.
Affects:
 o Oracle Application Express (CKEditor) Prior to 22.1

CVE-2022-21411  5.4  AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Supported versions that are affected are 12.1.0.2, 19c and 21c. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise the affected system. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of the affected system's accessible data as well as unauthorized read access to a subset of the affected system's accessible data.
Affects:
 o RDBMS Gateway / Generic ODBC Connectivity 12.1.0.2, 19c, 21c

CVE-2021-22569  2.8  AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Supported versions that are affected are 19c and 21c. Easily exploitable vulnerability allows low privileged attacker having Local Logon privilege with logon to the infrastructure where the affected system executes to compromise the affected system. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of the affected system.
Affects:
 o Oracle Spatial and Graph MapViewer (protobuf-java) 19c, 21c

MITIGATION

Oracle states:

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem." [1]

REFERENCES

[1] Oracle Critical Patch Update Advisory - April 2022
    https://www.oracle.com/security-alerts/cpuapr2022.html

[2] Text Form of Oracle Critical Patch Update - April 2022 Risk Matrices
    https://www.oracle.com/security-alerts/cpuapr2022verbose.html

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
20 April 2022

ASB-2022.0092 - [Win][UNIX/Linux] Oracle SQL Developer: CVSS (Max): 6.6

===========================================================================
AUSCERT Security Bulletin ASB-2022.0092
Oracle SQL Developer Critical Patch Update
20 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:          Oracle SQL Developer
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-44832 CVE-2020-13956

Comment: CVSS (Max):  6.6 CVE-2021-44832 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

OVERVIEW

Multiple vulnerabilities have been identified in:

 o Oracle SQL Developer, versions prior to 21.99 [1]

IMPACT

The vendor has provided the following information regarding the vulnerabilities:

"This Critical Patch Update contains 2 new security patches for Oracle SQL Developer. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials." [1]

CVE-2021-44832  6.6  AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is Prior to 21.4.2. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle SQL Developer. Successful attacks of this vulnerability can result in takeover of Oracle SQL Developer.
Affects:
 o Oracle SQL Developer Prior to 21.4.2

CVE-2020-13956  5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
The supported version that is affected is Prior to 21.99. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle SQL Developer. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle SQL Developer accessible data.
Affects:
 o Oracle SQL Developer Prior to 21.99

MITIGATION

Oracle states:

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem." [1]

REFERENCES

[1] Oracle Critical Patch Update Advisory - April 2022
    https://www.oracle.com/security-alerts/cpuapr2022.html

[2] Text Form of Oracle Critical Patch Update - April 2022 Risk Matrices
    https://www.oracle.com/security-alerts/cpuapr2022verbose.html
20 April 2022

ASB-2022.0091 - [Win][UNIX/Linux][Virtual] Oracle Virtualization: CVSS (Max): 9.0

===========================================================================
AUSCERT Security Bulletin ASB-2022.0091
Oracle Virtualization Critical Patch Update
20 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:          Oracle Secure Global Desktop
                  Oracle VM VirtualBox
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
                  Virtualisation
Resolution:       Patch/Upgrade
CVE Names:        CVE-2022-21491 CVE-2022-21488 CVE-2022-21487
                  CVE-2022-21471 CVE-2022-21465 CVE-2021-40438

Comment: CVSS (Max):  9.0 CVE-2021-40438 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

OVERVIEW

Multiple vulnerabilities have been identified in:

 o Oracle Secure Global Desktop, version 5.6
 o Oracle VM VirtualBox, versions prior to 6.1.34 [1]

IMPACT

The vendor has provided the following information regarding the vulnerabilities:

"This Critical Patch Update contains 6 new security patches for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials." [1]

CVE-2021-40438  9.0  AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
The supported version that is affected is 5.6. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Secure Global Desktop. While the vulnerability is in Oracle Secure Global Desktop, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop.
Affects:
 o Oracle Secure Global Desktop 5.6

CVE-2022-21491  7.8  AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows systems only.
Affects:
 o Oracle VM VirtualBox Prior to 6.1.34

CVE-2022-21465  6.7  AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H
The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data.
Affects:
 o Oracle VM VirtualBox Prior to 6.1.34

CVE-2022-21471  6.5  AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.
Affects:
 o Oracle VM VirtualBox Prior to 6.1.34

CVE-2022-21487  3.8  AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data.
Affects:
 o Oracle VM VirtualBox Prior to 6.1.34

CVE-2022-21488  3.8  AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data.
Affects:
 o Oracle VM VirtualBox Prior to 6.1.34

MITIGATION

Oracle states:

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem." [1]

REFERENCES

[1] Oracle Critical Patch Update Advisory - April 2022
    https://www.oracle.com/security-alerts/cpuapr2022.html

[2] Text Form of Oracle Critical Patch Update - April 2022 Risk Matrices
    https://www.oracle.com/security-alerts/cpuapr2022verbose.html
20 April 2022

ASB-2022.0090 - [Win][UNIX/Linux][Appliance][Solaris] Oracle Systems: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2022.0090 Oracle Systems Critical Patch Update 20 April 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Oracle Solaris Oracle Solaris Cluster Oracle StorageTek ACSLS Oracle StorageTek Tape Analytics (STA) Oracle ZFS Storage Appliance Kit Oracle Ethernet Switch TOR-72 Oracle Ethernet Switch ES1-24 Operating System: UNIX variants (UNIX, Linux, OSX) Windows Solaris Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2022-21494 CVE-2022-21493 CVE-2022-21463 CVE-2022-21461 CVE-2022-21446 CVE-2022-21416 CVE-2021-39275 CVE-2021-29425 CVE-2021-2351 CVE-2020-11979 CVE-2020-11022 CVE-2020-9488 CVE-2020-6950 CVE-2020-5421 CVE-2020-1968 CVE-2019-17195 CVE-2019-3740 Comment: CVSS (Max): 9.8 CVE-2021-39275 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H OVERVIEW Multiple vulnerabilities have been identified in : o Oracle Ethernet Switch ES1-24, version 1.3.1 o Oracle Ethernet Switch TOR-72, version 1.2.2 o Oracle Solaris, version 11 o Oracle Solaris Cluster, version 4 o Oracle StorageTek ACSLS, version 8.5.1 o Oracle StorageTek Tape Analytics (STA), version 2.4 o Oracle ZFS Storage Appliance Kit, version 8.8 [1] IMPACT The vendor has provided the following information regarding the vulnerabilities: "This Critical Patch Update contains 20 new security patches for Oracle Systems. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials." [1] CVE-2019-17195 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H The supported version that is affected is 4. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Solaris Cluster. Successful attacks of this vulnerability can result in takeover of Oracle Solaris Cluster. Affects: o Oracle Solaris Cluster 4 CVE-2021-39275 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H The supported version that is affected is 8.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle ZFS Storage Appliance Kit. Successful attacks of this vulnerability can result in takeover of Oracle ZFS Storage Appliance Kit. Affects: o Oracle ZFS Storage Appliance Kit 8.8 CVE-2021-2351 8.3 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H The supported version that is affected is 2.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle StorageTek Tape Analytics (STA). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle StorageTek Tape Analytics (STA), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle StorageTek Tape Analytics (STA). Affects: o Oracle StorageTek ACSLS 8.5.1 o Oracle StorageTek Tape Analytics (STA) 2.4 CVE-2022-21446 8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized read access to a subset of Oracle Solaris accessible data. Affects: o Oracle Solaris 11 CVE-2020-11979 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N The supported version that is affected is 2.4. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle StorageTek Tape Analytics (STA). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle StorageTek Tape Analytics (STA) accessible data. Affects: o Oracle StorageTek ACSLS 8.5.1 o Oracle StorageTek Tape Analytics (STA) 2.4 CVE-2020-6950 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N The supported version that is affected is 4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Solaris Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Solaris Cluster accessible data. Affects: o Oracle Solaris Cluster 4 CVE-2020-5421 6.5 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N The supported version that is affected is 8.5.1. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle StorageTek ACSLS. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle StorageTek ACSLS, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle StorageTek ACSLS accessible data as well as unauthorized read access to a subset of Oracle StorageTek ACSLS accessible data. Affects: o Oracle StorageTek ACSLS 8.5.1 CVE-2019-3740 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N The supported version that is affected is 8.5.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle StorageTek ACSLS. 
Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle StorageTek ACSLS accessible data. Affects: o Oracle StorageTek ACSLS 8.5.1 CVE-2020-11022 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N The supported version that is affected is 8.5.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle StorageTek ACSLS. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle StorageTek ACSLS, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle StorageTek ACSLS accessible data as well as unauthorized read access to a subset of Oracle StorageTek ACSLS accessible data. Affects: o Oracle StorageTek ACSLS 8.5.1 CVE-2022-21493 5.9 AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. Affects: o Oracle Solaris 11 CVE-2022-21461 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. 
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Solaris accessible data.

Affects:
 o Oracle Solaris 11

CVE-2022-21463  5.5  AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris.

Affects:
 o Oracle Solaris 11

CVE-2022-21416  5.0  AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data.

Affects:
 o Oracle Solaris 11

CVE-2021-29425  4.8  AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
The supported version that is affected is 4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Solaris Cluster. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Solaris Cluster accessible data as well as unauthorized read access to a subset of Oracle Solaris Cluster accessible data.

Affects:
 o Oracle Solaris Cluster 4

CVE-2022-21494  4.0  AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
The supported version that is affected is 11. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris.

Affects:
 o Oracle Solaris 11

CVE-2020-1968  3.7  AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
The supported version that is affected is 1.2.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Ethernet Switch TOR-72. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Ethernet Switch TOR-72 accessible data.

Affects:
 o Oracle Ethernet Switch ES1-24 1.3.1
 o Oracle Ethernet Switch TOR-72 1.2.2

CVE-2020-9488  3.7  AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
The supported version that is affected is 8.5.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle StorageTek ACSLS. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle StorageTek ACSLS accessible data.

Affects:
 o Oracle StorageTek ACSLS 8.5.1

MITIGATION

Oracle states:

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem." [1]

REFERENCES

[1] Oracle Critical Patch Update Advisory - April 2022
    https://www.oracle.com/security-alerts/cpuapr2022.html

[2] Text Form of Oracle Critical Patch Update - April 2022 Risk Matrices
    https://www.oracle.com/security-alerts/cpuapr2022verbose.html

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for member
                emergencies only.
===========================================================================
20 April 2022

ASB-2022.0089 - [Win][UNIX/Linux] Oracle MySQL: CVSS (Max): 9.8

===========================================================================
                         AUSCERT Security Bulletin

                                ASB-2022.0089
                     Oracle MySQL Critical Patch Update
                                20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           MySQL Cluster
                   MySQL Connectors
                   MySQL Enterprise Monitor
                   MySQL Server
                   MySQL Workbench
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-23305 CVE-2022-23181 CVE-2022-22965 CVE-2022-21490
                   CVE-2022-21489 CVE-2022-21486 CVE-2022-21485 CVE-2022-21484
                   CVE-2022-21483 CVE-2022-21482 CVE-2022-21479 CVE-2022-21478
                   CVE-2022-21462 CVE-2022-21460 CVE-2022-21459 CVE-2022-21457
                   CVE-2022-21454 CVE-2022-21452 CVE-2022-21451 CVE-2022-21444
                   CVE-2022-21440 CVE-2022-21438 CVE-2022-21437 CVE-2022-21436
                   CVE-2022-21435 CVE-2022-21427 CVE-2022-21425 CVE-2022-21423
                   CVE-2022-21418 CVE-2022-21417 CVE-2022-21415 CVE-2022-21414
                   CVE-2022-21413 CVE-2022-21412 CVE-2022-0778 CVE-2021-44832
                   CVE-2021-42340 CVE-2021-41184 CVE-2021-22570

Comment: CVSS (Max):  9.8 CVE-2022-23305 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OVERVIEW

Multiple vulnerabilities have been identified in:
 o MySQL Cluster, versions 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior
 o MySQL Connectors, versions 8.0.28 and prior
 o MySQL Enterprise Monitor, versions 8.0.29 and prior
 o MySQL Server, versions 5.7.37 and prior, 8.0.28 and prior
 o MySQL Workbench, versions 8.0.28 and prior [1]

IMPACT

The vendor has provided the following information regarding the vulnerabilities:

"This Critical Patch Update contains 43 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials." [1]

CVE-2022-23305  9.8  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor.

Affects:
 o MySQL Enterprise Monitor 8.0.29 and prior

CVE-2022-22965  9.8  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor.

Affects:
 o MySQL Enterprise Monitor 8.0.29 and prior

CVE-2022-0778  7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors.

Affects:
 o MySQL Connectors 8.0.28 and prior
 o MySQL Enterprise Monitor 8.0.29 and prior
 o MySQL Server 5.7.37 and prior, 8.0.28 and prior
 o MySQL Workbench 8.0.28 and prior

CVE-2021-42340  7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Enterprise Monitor.

Affects:
 o MySQL Enterprise Monitor 8.0.29 and prior

CVE-2021-22570  7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-23181  7.0  AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Enterprise Monitor executes to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor.

Affects:
 o MySQL Enterprise Monitor 8.0.29 and prior

CVE-2021-44832  6.6  AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor.

Affects:
 o MySQL Enterprise Monitor 8.0.29 and prior

CVE-2022-21454  6.5  AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 5.7.37 and prior, 8.0.28 and prior

CVE-2022-21482  6.3  AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Supported versions that are affected are 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster.

Affects:
 o MySQL Cluster 8.0.28 and prior

CVE-2022-21483  6.3  AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster.

Affects:
 o MySQL Cluster 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior

CVE-2022-21489  6.3  AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster.

Affects:
 o MySQL Cluster 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior

CVE-2022-21490  6.3  AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster.

Affects:
 o MySQL Cluster 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior

CVE-2021-41184  6.1  AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Enterprise Monitor, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Enterprise Monitor accessible data as well as unauthorized read access to a subset of MySQL Enterprise Monitor accessible data.

Affects:
 o MySQL Enterprise Monitor 8.0.29 and prior

CVE-2022-21457  5.9  AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 8.0.28 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21425  5.5  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21440  5.5  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21459  5.5  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21478  5.5  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21479  5.5  AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server and unauthorized read access to a subset of MySQL Server accessible data.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21418  5.0  AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
Supported versions that are affected are 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21417  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 5.7.37 and prior, 8.0.28 and prior

CVE-2022-21413  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21427  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 5.7.37 and prior, 8.0.28 and prior

CVE-2022-21412  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21414  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21435  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21436  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21437  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21438  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21452  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21462  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21415  4.9  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

CVE-2022-21451  4.4  AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 5.7.37 and prior, 8.0.28 and prior

CVE-2022-21444  4.4  AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

Affects:
 o MySQL Server 5.7.37 and prior, 8.0.28 and prior

CVE-2022-21460  4.4  AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data.

Affects:
 o MySQL Server 5.7.37 and prior, 8.0.28 and prior

CVE-2022-21484  2.9  AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L
Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster.

Affects:
 o MySQL Cluster 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior

CVE-2022-21485  2.9  AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L
Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster.

Affects:
 o MySQL Cluster 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior

CVE-2022-21486  2.9  AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L
Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster.

Affects:
 o MySQL Cluster 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, 8.0.28 and prior

CVE-2022-21423  2.7  AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server.

Affects:
 o MySQL Server 8.0.28 and prior

MITIGATION

Oracle states:

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem." [1]

REFERENCES

[1] Oracle Critical Patch Update Advisory - April 2022
    https://www.oracle.com/security-alerts/cpuapr2022.html

[2] Text Form of Oracle Critical Patch Update - April 2022 Risk Matrices
    https://www.oracle.com/security-alerts/cpuapr2022verbose.html
===========================================================================
20 April 2022

ASB-2022.0088 - [Win][UNIX/Linux] Oracle GraalVM Enterprise Edition and Java SE: CVSS (Max): 7.5

===========================================================================
                         AUSCERT Security Bulletin

                                ASB-2022.0088
                    Oracle Java SE Critical Patch Update
                                20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle GraalVM Enterprise Edition
                   Oracle Java SE
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-21496 CVE-2022-21476 CVE-2022-21449 CVE-2022-21443
                   CVE-2022-21434 CVE-2022-21426 CVE-2022-0778

Comment: CVSS (Max):  7.5 CVE-2022-21476 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

OVERVIEW

Multiple vulnerabilities have been identified in:
 o Oracle GraalVM Enterprise Edition, versions 20.3.5, 21.3.1, 22.0.0.2
 o Oracle Java SE, versions 7u331, 8u321, 11.0.14, 17.0.2, 18 [1]

IMPACT

The vendor has provided the following information regarding the vulnerabilities:

"This Critical Patch Update contains 7 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials." [1]

CVE-2022-0778  7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Supported versions that are affected are Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle GraalVM Enterprise Edition.

Affects:
 o Oracle GraalVM Enterprise Edition
   Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2

CVE-2022-21449  7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Affects:
 o Oracle Java SE, Oracle GraalVM Enterprise Edition
   Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2

CVE-2022-21476  7.5  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Affects:
 o Oracle Java SE, Oracle GraalVM Enterprise Edition
   Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2

CVE-2022-21426  5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Affects:
 o Oracle Java SE, Oracle GraalVM Enterprise Edition
   Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2

CVE-2022-21496  5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Affects:
 o Oracle Java SE, Oracle GraalVM Enterprise Edition
   Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2

CVE-2022-21434  5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Affects:
 o Oracle Java SE, Oracle GraalVM Enterprise Edition
   Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2

CVE-2022-21443  3.7  AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Affects:
 o Oracle Java SE, Oracle GraalVM Enterprise Edition
   Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2

MITIGATION

Oracle states:

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems.
Neither approach should be considered a long-term solution as neither corrects the underlying problem." [1] REFERENCES [1] Oracle Critical Patch Update Advisory - April 2022 https://www.oracle.com/security-alerts/cpuapr2022.html [2] Text Form of Oracle Critical Patch Update - April 2022 Risk Matrices https://www.oracle.com/security-alerts/cpuapr2022verbose.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
20 April 2022

ESB-2022.1683 - [RedHat] kpatch-patch: CVSS (Max): 7.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1683
                        kpatch-patch security update
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kpatch-patch
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25636 CVE-2022-0492 CVE-2021-4083

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1418

Comment: CVSS (Max):  7.8 CVE-2022-25636 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update
Advisory ID:       RHSA-2022:1418-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1418
Issue date:        2022-04-19
CVE Names:         CVE-2021-4083 CVE-2022-0492 CVE-2022-25636
=====================================================================

1. Summary:

An update is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v.8.4) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.
Security Fix(es):

* kernel: fget: check that the fd still exists after getting a ref to it (CVE-2021-4083)

* kernel: cgroups v1 release_agent feature may allow privilege escalation (CVE-2022-0492)

* kernel: heap out of bounds write in nf_dup_netdev.c (CVE-2022-25636)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2029923 - CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it
2051505 - CVE-2022-0492 kernel: cgroups v1 release_agent feature may allow privilege escalation
2056830 - CVE-2022-25636 kernel: heap out of bounds write in nf_dup_netdev.c

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.4):

Source:
kpatch-patch-4_18_0-305-1-12.el8.src.rpm
kpatch-patch-4_18_0-305_10_2-1-9.el8_4.src.rpm
kpatch-patch-4_18_0-305_12_1-1-8.el8_4.src.rpm
kpatch-patch-4_18_0-305_17_1-1-7.el8_4.src.rpm
kpatch-patch-4_18_0-305_19_1-1-7.el8_4.src.rpm
kpatch-patch-4_18_0-305_25_1-1-6.el8_4.src.rpm
kpatch-patch-4_18_0-305_28_1-1-4.el8_4.src.rpm
kpatch-patch-4_18_0-305_30_1-1-4.el8_4.src.rpm
kpatch-patch-4_18_0-305_34_2-1-2.el8_4.src.rpm
kpatch-patch-4_18_0-305_3_1-1-11.el8_4.src.rpm
kpatch-patch-4_18_0-305_40_1-1-1.el8_4.src.rpm
kpatch-patch-4_18_0-305_40_2-1-1.el8_4.src.rpm
kpatch-patch-4_18_0-305_7_1-1-10.el8_4.src.rpm

ppc64le:
kpatch-patch-4_18_0-305-1-12.el8.ppc64le.rpm
kpatch-patch-4_18_0-305-debuginfo-1-12.el8.ppc64le.rpm
kpatch-patch-4_18_0-305-debugsource-1-12.el8.ppc64le.rpm
kpatch-patch-4_18_0-305_10_2-1-9.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_10_2-debuginfo-1-9.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_10_2-debugsource-1-9.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_12_1-1-8.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_12_1-debuginfo-1-8.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_12_1-debugsource-1-8.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_17_1-1-7.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_17_1-debuginfo-1-7.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_17_1-debugsource-1-7.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_19_1-1-7.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_19_1-debuginfo-1-7.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_19_1-debugsource-1-7.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_25_1-1-6.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_25_1-debuginfo-1-6.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_25_1-debugsource-1-6.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_28_1-1-4.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_28_1-debuginfo-1-4.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_28_1-debugsource-1-4.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_30_1-1-4.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_30_1-debuginfo-1-4.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_30_1-debugsource-1-4.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_34_2-1-2.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_34_2-debuginfo-1-2.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_34_2-debugsource-1-2.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_3_1-1-11.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_3_1-debuginfo-1-11.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_3_1-debugsource-1-11.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_40_1-1-1.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_40_1-debuginfo-1-1.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_40_1-debugsource-1-1.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_40_2-1-1.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_40_2-debuginfo-1-1.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_40_2-debugsource-1-1.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_7_1-1-10.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_7_1-debuginfo-1-10.el8_4.ppc64le.rpm
kpatch-patch-4_18_0-305_7_1-debugsource-1-10.el8_4.ppc64le.rpm

x86_64:
kpatch-patch-4_18_0-305-1-12.el8.x86_64.rpm
kpatch-patch-4_18_0-305-debuginfo-1-12.el8.x86_64.rpm
kpatch-patch-4_18_0-305-debugsource-1-12.el8.x86_64.rpm
kpatch-patch-4_18_0-305_10_2-1-9.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_10_2-debuginfo-1-9.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_10_2-debugsource-1-9.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_12_1-1-8.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_12_1-debuginfo-1-8.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_12_1-debugsource-1-8.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_17_1-1-7.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_17_1-debuginfo-1-7.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_17_1-debugsource-1-7.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_19_1-1-7.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_19_1-debuginfo-1-7.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_19_1-debugsource-1-7.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_25_1-1-6.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_25_1-debuginfo-1-6.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_25_1-debugsource-1-6.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_28_1-1-4.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_28_1-debuginfo-1-4.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_28_1-debugsource-1-4.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_30_1-1-4.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_30_1-debuginfo-1-4.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_30_1-debugsource-1-4.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_34_2-1-2.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_34_2-debuginfo-1-2.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_34_2-debugsource-1-2.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_3_1-1-11.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_3_1-debuginfo-1-11.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_3_1-debugsource-1-11.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_40_1-1-1.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_40_1-debuginfo-1-1.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_40_1-debugsource-1-1.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_40_2-1-1.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_40_2-debuginfo-1-1.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_40_2-debugsource-1-1.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_7_1-1-10.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_7_1-debuginfo-1-10.el8_4.x86_64.rpm
kpatch-patch-4_18_0-305_7_1-debugsource-1-10.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-4083
https://access.redhat.com/security/cve/CVE-2022-0492
https://access.redhat.com/security/cve/CVE-2022-25636
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/
20 April 2022

ESB-2022.1682 - [RedHat] kernel: CVSS (Max): 7.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1682
                           kernel security update
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0492 CVE-2021-4155 CVE-2021-0920 CVE-2020-0466

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1417

Comment: CVSS (Max):  7.8 CVE-2020-0466 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel security update
Advisory ID:       RHSA-2022:1417-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1417
Issue date:        2022-04-19
CVE Names:         CVE-2020-0466 CVE-2021-0920 CVE-2021-4155 CVE-2022-0492
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6 ELS) - i386, noarch, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6 ELS) - i386, s390x, x86_64

3.
Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: use after free in eventpoll.c may lead to escalation of privilege (CVE-2020-0466)

* kernel: Use After Free in unix_gc() which could result in a local privilege escalation (CVE-2021-0920)

* kernel: xfs: raw block device data leak in XFS_IOC_ALLOCSP IOCTL (CVE-2021-4155)

* kernel: cgroups v1 release_agent feature may allow privilege escalation (CVE-2022-0492)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1920480 - CVE-2020-0466 kernel: use after free in eventpoll.c may lead to escalation of privilege
2031930 - CVE-2021-0920 kernel: Use After Free in unix_gc() which could result in a local privilege escalation
2034813 - CVE-2021-4155 kernel: xfs: raw block device data leak in XFS_IOC_ALLOCSP IOCTL
2051505 - CVE-2022-0492 kernel: cgroups v1 release_agent feature may allow privilege escalation

6. Package List:

Red Hat Enterprise Linux Server (v. 6 ELS):

Source:
kernel-2.6.32-754.47.1.el6.src.rpm

i386:
kernel-2.6.32-754.47.1.el6.i686.rpm
kernel-debug-2.6.32-754.47.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-754.47.1.el6.i686.rpm
kernel-debug-devel-2.6.32-754.47.1.el6.i686.rpm
kernel-debuginfo-2.6.32-754.47.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-754.47.1.el6.i686.rpm
kernel-devel-2.6.32-754.47.1.el6.i686.rpm
kernel-headers-2.6.32-754.47.1.el6.i686.rpm
perf-2.6.32-754.47.1.el6.i686.rpm
perf-debuginfo-2.6.32-754.47.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-754.47.1.el6.i686.rpm

noarch:
kernel-abi-whitelists-2.6.32-754.47.1.el6.noarch.rpm
kernel-doc-2.6.32-754.47.1.el6.noarch.rpm
kernel-firmware-2.6.32-754.47.1.el6.noarch.rpm

s390x:
kernel-2.6.32-754.47.1.el6.s390x.rpm
kernel-debug-2.6.32-754.47.1.el6.s390x.rpm
kernel-debug-debuginfo-2.6.32-754.47.1.el6.s390x.rpm
kernel-debug-devel-2.6.32-754.47.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-754.47.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-754.47.1.el6.s390x.rpm
kernel-devel-2.6.32-754.47.1.el6.s390x.rpm
kernel-headers-2.6.32-754.47.1.el6.s390x.rpm
kernel-kdump-2.6.32-754.47.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-754.47.1.el6.s390x.rpm
kernel-kdump-devel-2.6.32-754.47.1.el6.s390x.rpm
perf-2.6.32-754.47.1.el6.s390x.rpm
perf-debuginfo-2.6.32-754.47.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-754.47.1.el6.s390x.rpm

x86_64:
kernel-2.6.32-754.47.1.el6.x86_64.rpm
kernel-debug-2.6.32-754.47.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-754.47.1.el6.i686.rpm
kernel-debug-debuginfo-2.6.32-754.47.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-754.47.1.el6.i686.rpm
kernel-debug-devel-2.6.32-754.47.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-754.47.1.el6.i686.rpm
kernel-debuginfo-2.6.32-754.47.1.el6.x86_64.rpm
kernel-debuginfo-common-i686-2.6.32-754.47.1.el6.i686.rpm
kernel-debuginfo-common-x86_64-2.6.32-754.47.1.el6.x86_64.rpm
kernel-devel-2.6.32-754.47.1.el6.x86_64.rpm
kernel-headers-2.6.32-754.47.1.el6.x86_64.rpm
perf-2.6.32-754.47.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-754.47.1.el6.i686.rpm
perf-debuginfo-2.6.32-754.47.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-754.47.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-754.47.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6 ELS):

i386:
kernel-debug-debuginfo-2.6.32-754.47.1.el6.i686.rpm
kernel-debuginfo-2.6.32-754.47.1.el6.i686.rpm
kernel-debuginfo-common-i686-2.6.32-754.47.1.el6.i686.rpm
perf-debuginfo-2.6.32-754.47.1.el6.i686.rpm
python-perf-2.6.32-754.47.1.el6.i686.rpm
python-perf-debuginfo-2.6.32-754.47.1.el6.i686.rpm

s390x:
kernel-debug-debuginfo-2.6.32-754.47.1.el6.s390x.rpm
kernel-debuginfo-2.6.32-754.47.1.el6.s390x.rpm
kernel-debuginfo-common-s390x-2.6.32-754.47.1.el6.s390x.rpm
kernel-kdump-debuginfo-2.6.32-754.47.1.el6.s390x.rpm
perf-debuginfo-2.6.32-754.47.1.el6.s390x.rpm
python-perf-2.6.32-754.47.1.el6.s390x.rpm
python-perf-debuginfo-2.6.32-754.47.1.el6.s390x.rpm

x86_64:
kernel-debug-debuginfo-2.6.32-754.47.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-754.47.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-754.47.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-754.47.1.el6.x86_64.rpm
python-perf-2.6.32-754.47.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-754.47.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-0466
https://access.redhat.com/security/cve/CVE-2021-0920
https://access.redhat.com/security/cve/CVE-2021-4155
https://access.redhat.com/security/cve/CVE-2022-0492
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
20 April 2022

ESB-2022.1681 - [RedHat] kernel-rt: CVSS (Max): 7.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1681
                  kernel-rt security and bug fix update
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel-rt
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25636 CVE-2022-0492 CVE-2021-4083

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1413

Comment: CVSS (Max):  7.8 CVE-2022-25636 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update
Advisory ID:       RHSA-2022:1413-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1413
Issue date:        2022-04-19
CVE Names:         CVE-2021-4083 CVE-2022-0492 CVE-2022-25636
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time EUS (v.8.4) - x86_64
Red Hat Enterprise Linux Real Time for NFV EUS (v.8.4) - x86_64

3.
Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: fget: check that the fd still exists after getting a ref to it (CVE-2021-4083)

* kernel: cgroups v1 release_agent feature may allow privilege escalation (CVE-2022-0492)

* kernel: heap out of bounds write in nf_dup_netdev.c (CVE-2022-25636)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the RHEL-8.4.z8 source tree (BZ#2059334)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2029923 - CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it
2051505 - CVE-2022-0492 kernel: cgroups v1 release_agent feature may allow privilege escalation
2056830 - CVE-2022-25636 kernel: heap out of bounds write in nf_dup_netdev.c

6. Package List:

Red Hat Enterprise Linux Real Time for NFV EUS (v.8.4):

Source:
kernel-rt-4.18.0-305.45.1.rt7.117.el8_4.src.rpm

x86_64:
kernel-rt-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-core-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-core-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-devel-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-kvm-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-modules-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debuginfo-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-devel-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-kvm-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-modules-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-modules-extra-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm

Red Hat Enterprise Linux Real Time EUS (v.8.4):

Source:
kernel-rt-4.18.0-305.45.1.rt7.117.el8_4.src.rpm

x86_64:
kernel-rt-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-core-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-core-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-devel-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-modules-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debuginfo-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-devel-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-modules-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm
kernel-rt-modules-extra-4.18.0-305.45.1.rt7.117.el8_4.x86_64.rpm

These packages are
GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-4083 https://access.redhat.com/security/cve/CVE-2022-0492 https://access.redhat.com/security/cve/CVE-2022-25636 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYl7uhdzjgjWX9erEAQi8YBAAkUdFptawoGEINw+0aLnAKXIUQiVFCOLE k1X+OM2CJBevwLdfCbqwSFLWgzZRzZoMio9ONvyfvCSU5b5oDoRdywUk37x0jtaR NtGAcFIgaZlRKU5onM7cL59n0Qo5So4S+eG9SUbDWWcht6DgKLcaVN+8d657vOK9 bggwA6QSGWQdRqHdaLf2rV9SYlflMHTcg2SEgU2aFXKmWZnnj9dDfIGgMwhu6eY5 BCCVdC/8/SkaKZW9i6sgmxYFAniL8opDx0C3mkd3a7LYx+RQfM9N3wTL8FubV2Do zdITckAwYdpTgIzlgP1tWoUUihaXz/WujkHHVuSCG6gTAIal0bHGfAngdEreBQPz xq7jM2Oa/t/eXpmCSfYstfQkFSK6W28sKxvR/oRbJMH08BH5cIvaQorpUsin28g3 IZ4lDOFvDqS1BfnKBaZ13p2dMYfqUL/Q+PLvL46NWZ2mAHNQjEBqIyn6vL5+o3QQ UBBY+TJflaYmP82rr/hFV6L4ewF0cJJ9Cth8HXxT1fABzFCb5uHRCnyTDhDxGzey SlyJU3tOUw1CBWkSoXdqyUF6iv9pnzkiOTMIwTCNUU3dVzSJwYASgpT9LwI2z9C5 Wyw6ckHw7b6FDfyVC+4ZPiPEwc+tmpFdUdugbX0kTFB+6GpEOewcDyg3QQg9ZV1/ vfctWBLq3kQ= =zsvE - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. 
As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIUAwUBYl9Xj+NLKJtyKPYoAQgQyQ/0D970z0LToh67VnJ3ACUrecu04M7aCA1S f+SvarUImfiVWxu/MUoP43F+9b5dzw43LpjWM6AX4YtfeCYLcu3wOuCvHdaMzRTE xZPnEk0ue8xtQQ1M1kbBc3g5ph4JzqJTaUsm8yRVjQG0fWRP7ddp4qEYnPQ4Rh2e GstmUrDcT18h68oqUULL4g2LFtLBMhsEE+vnYr6iGODP45IatxR7b7Dzx9LnVz+0 2ltiA4Zt8sq94TNt/yiinOO/yjSEeVw/+LGlE7z8jvsE12GeemQQeMc7APUMqb9L k4vnNvGs+AKoT5SslLG4J6AEalSKXZr3dijV6pRkAgls2vSsQYfC0FNIJt1H7dq+ B0iMvF9VCOFzinKFVsBr4wVeEXqZMb9dimi3Mblmlj4lj2uxnOiY+qXuXpJf6PI+ KHG3eiWbuepXxQ4pFEL+i4B02XTYzbyhyKCjZX0E7mK2A7gyR1H9uj2POCCwvaW9 zG9amYNHOl7Mz8EargwETSailz6MOIXGV8/qRe3uFBBDrw89gBGzkxkrns0dTsIL ZmzMvT6BBfUJjC9vhmbTLRNGCxVylGXfR4tDBmmrJ1+zpVYnuPwCJ+aclfnjuBuH mMAMV5Fv+Igr/rq16xtg8NNr06M1Lseq9AjeQnWgNdCbKuaw6BdUdAazIRX+Tp4o TgTqqKkgrg== =rDpf -----END PGP SIGNATURE-----
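A post-patch check that the kernel-rt advisory above implies but does not spell out, added here as an example; it is not part of the Red Hat advisory or the AusCERT bulletin. The advisory says the system must be rebooted, so the question a responder has to answer is not whether the fixed package is installed but whether the running kernel is at or above the build in the package list, 4.18.0-305.45.1.rt7.117.el8_4. The script classifies a `uname -r` string against that build. It reimplements rpm's rpmvercmp() segment rules in plain Python instead of calling librpm (tilde is handled, caret is not), strips the `+debug` and architecture suffixes that `uname -r` carries, and refuses to judge kernels from a different RHEL 8 minor stream, which are covered by their own errata. Apart from the fixed build itself, the release strings in the demo are constructed.

```python
"""Classify a running kernel-rt against RHSA-2022:1413 (added example, not advisory code)."""
import platform
import re
from itertools import zip_longest

# Version and release of the fixed build, taken from the advisory's package list.
FIXED_VERSION = "4.18.0"
FIXED_RELEASE = "305.45.1.rt7.117.el8_4"
STREAM_TAG = ".el8_4"          # this advisory covers RHEL 8.4 EUS only
ARCHES = ("x86_64", "aarch64", "ppc64le", "s390x")

# rpmvercmp() splits on anything that is not a letter or digit and compares the
# resulting runs one at a time; '~' is kept because it sorts before everything.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's rpmvercmp() rules (caret '^' not handled)."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        # A tilde segment is older than anything, including the end of the string.
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        # Whichever side still has segments left is the newer one.
        if x is None:
            return -1
        if y is None:
            return 1
        # A numeric segment is always newer than an alphabetic one.
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            xi, yi = int(x), int(y)        # numeric compare: 10 > 9, 05 == 5
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1      # plain string compare for letter runs
    return 0


def split_uname_release(uname_release):
    """Turn a `uname -r` string into (version, release) as rpm would see them."""
    rel = uname_release
    if rel.endswith("+debug"):             # kernel-rt-debug variant
        rel = rel[: -len("+debug")]
    for arch in ARCHES:
        if rel.endswith("." + arch):
            rel = rel[: -(len(arch) + 1)]
            break
    version, _, release = rel.partition("-")
    return version, release


def kernel_status(uname_release):
    """'fixed', 'vulnerable', 'other-stream' or 'not-kernel-rt' for a uname -r string."""
    version, release = split_uname_release(uname_release)
    if ".rt" not in release:
        return "not-kernel-rt"             # the standard kernel has its own errata
    if not release.endswith(STREAM_TAG):
        return "other-stream"              # 8.5, 8.6, ... ship their own fixed builds
    order = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
    return "fixed" if order >= 0 else "vulnerable"


if __name__ == "__main__":
    # Constructed sample strings; only the first is a real build from this advisory.
    for sample in ("4.18.0-305.45.1.rt7.117.el8_4.x86_64",
                   "4.18.0-305.30.1.rt7.102.el8_4.x86_64",
                   "4.18.0-305.45.1.el8_4.x86_64"):
        print(f"{sample:45} {kernel_status(sample)}")
    print(f"{platform.release():45} {kernel_status(platform.release())}  (this host)")
```

Run it on the host after the reboot; a result of "vulnerable" with the fixed RPM already installed means the old kernel is still booted. The "other-stream" answer is deliberate: a newer-looking 4.18.0 build from RHEL 8.5 or 8.6 sorts above the 8.4 EUS build but says nothing about whether that stream carries these three fixes, so look it up in that stream's own advisory instead of trusting a version comparison.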
20 April 2022

ESB-2022.1680 - [RedHat] 389-ds:1.4: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1680
                  389-ds:1.4 security and bug fix update
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           389-ds:1.4
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-4091

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1410

Comment: CVSS (Max):  7.5 CVE-2021-4091 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: 389-ds:1.4 security and bug fix update
Advisory ID:       RHSA-2022:1410-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1410
Issue date:        2022-04-19
CVE Names:         CVE-2021-4091
=====================================================================

1. Summary:

An update for the 389-ds:1.4 module is now available for Red Hat Enterprise
Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The
base packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.

Security Fix(es):

* 389-ds-base: double free of the virtual attribute context in persistent
search (CVE-2021-4091)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* DB corruption "_entryrdn_insert_key - Same DN (dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,) is already in the entryrdn file" (BZ#2066800)

* IPA server (389ds) is very slow in execution of some searches
(`&(memberOf=...)(objectClass=ipaHost)` in particular) (BZ#2066801)

* monitor displays wrong date for connection (BZ#2066848)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2030307 - CVE-2021-4091 389-ds-base: double free of the virtual attribute context in persistent search
2066800 - DB corruption "_entryrdn_insert_key - Same DN (dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,) is already in the entryrdn file"
2066801 - IPA server (389ds) is very slow in execution of some searches (`&(memberOf=...)(objectClass=ipaHost)` in particular)
2066848 - monitor displays wrong date for connection

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:
389-ds-base-1.4.3.16-20.module+el8.4.0+14552+b182c759.src.rpm

aarch64:
389-ds-base-1.4.3.16-20.module+el8.4.0+14552+b182c759.aarch64.rpm
389-ds-base-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.aarch64.rpm
389-ds-base-debugsource-1.4.3.16-20.module+el8.4.0+14552+b182c759.aarch64.rpm
389-ds-base-devel-1.4.3.16-20.module+el8.4.0+14552+b182c759.aarch64.rpm
389-ds-base-legacy-tools-1.4.3.16-20.module+el8.4.0+14552+b182c759.aarch64.rpm
389-ds-base-legacy-tools-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.aarch64.rpm
389-ds-base-libs-1.4.3.16-20.module+el8.4.0+14552+b182c759.aarch64.rpm
389-ds-base-libs-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.aarch64.rpm
389-ds-base-snmp-1.4.3.16-20.module+el8.4.0+14552+b182c759.aarch64.rpm
389-ds-base-snmp-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.aarch64.rpm

noarch:
python3-lib389-1.4.3.16-20.module+el8.4.0+14552+b182c759.noarch.rpm

ppc64le:
389-ds-base-1.4.3.16-20.module+el8.4.0+14552+b182c759.ppc64le.rpm
389-ds-base-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.ppc64le.rpm
389-ds-base-debugsource-1.4.3.16-20.module+el8.4.0+14552+b182c759.ppc64le.rpm
389-ds-base-devel-1.4.3.16-20.module+el8.4.0+14552+b182c759.ppc64le.rpm
389-ds-base-legacy-tools-1.4.3.16-20.module+el8.4.0+14552+b182c759.ppc64le.rpm
389-ds-base-legacy-tools-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.ppc64le.rpm
389-ds-base-libs-1.4.3.16-20.module+el8.4.0+14552+b182c759.ppc64le.rpm
389-ds-base-libs-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.ppc64le.rpm
389-ds-base-snmp-1.4.3.16-20.module+el8.4.0+14552+b182c759.ppc64le.rpm
389-ds-base-snmp-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.ppc64le.rpm

s390x:
389-ds-base-1.4.3.16-20.module+el8.4.0+14552+b182c759.s390x.rpm
389-ds-base-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.s390x.rpm
389-ds-base-debugsource-1.4.3.16-20.module+el8.4.0+14552+b182c759.s390x.rpm
389-ds-base-devel-1.4.3.16-20.module+el8.4.0+14552+b182c759.s390x.rpm
389-ds-base-legacy-tools-1.4.3.16-20.module+el8.4.0+14552+b182c759.s390x.rpm
389-ds-base-legacy-tools-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.s390x.rpm
389-ds-base-libs-1.4.3.16-20.module+el8.4.0+14552+b182c759.s390x.rpm
389-ds-base-libs-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.s390x.rpm
389-ds-base-snmp-1.4.3.16-20.module+el8.4.0+14552+b182c759.s390x.rpm
389-ds-base-snmp-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.s390x.rpm

x86_64:
389-ds-base-1.4.3.16-20.module+el8.4.0+14552+b182c759.x86_64.rpm
389-ds-base-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.x86_64.rpm
389-ds-base-debugsource-1.4.3.16-20.module+el8.4.0+14552+b182c759.x86_64.rpm
389-ds-base-devel-1.4.3.16-20.module+el8.4.0+14552+b182c759.x86_64.rpm
389-ds-base-legacy-tools-1.4.3.16-20.module+el8.4.0+14552+b182c759.x86_64.rpm
389-ds-base-legacy-tools-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.x86_64.rpm
389-ds-base-libs-1.4.3.16-20.module+el8.4.0+14552+b182c759.x86_64.rpm
389-ds-base-libs-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.x86_64.rpm
389-ds-base-snmp-1.4.3.16-20.module+el8.4.0+14552+b182c759.x86_64.rpm
389-ds-base-snmp-debuginfo-1.4.3.16-20.module+el8.4.0+14552+b182c759.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-4091
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYl7ul9zjgjWX9erEAQhcxg/9HAutJcNWHFMbkpHZEZupCBTm+F+4hV4X
7RpRa+QZv35GBEYMPPcdG6fGQ+HizL6JXYJ7PoMh4Tk4yvLLSDbV/DgGAu6otfMg
w6rY3LYC8NK2ddQmU5ERGU6SH8o0SCV++hMznrwEJYGIsmAQ5K3Iwh4umszrjNfF
5dTrCRDrPJKh8ToXKa99D5vC3WMHLFbNrHl3KQJLvFMEc7q5IkRB7X8wSY6flBml
CGoR49DjTGVeD746+n3il58ShxaTqq2e2MPl5ipKjGtsLmxaTPPvqzPlgvchyIuO
Czp9glJy6bhe2JnYGZf4nKLmlZCjm5d4CvAr1HzTvzymwrCVUnbLfHuRbBYZnoU8
p1wZUJJXummvngFjCGO7+oOKA5B13ZvJ6qSQJVRBu1r8LyTgFKLyUr5AgvZhAw0N
nJklqR9dOnpdFLEHyx9O3lDtD+K1mRndUvBpY4JtMYwqs8yMlvGabnahHvhdoCJ7
6tbr6F+x3o20zfA/4FvEopNUxoFjI8c07hK4UIdusH+x3veyH/MMMfLz35172/FW
0MCJ/1fS4tROH7L9pJhTecL49cQTntGfMf4TjKQO68fz34mjglOxRbVI84Yz92rz
F1bdxx8jc4ZLBfB4rTTvOsx4Hq2wAMqPZAEqDFilnx/viToRvbxkqbl3RCpr5FX6
a9hoUJbZW40=
=w/jo
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl9XeONLKJtyKPYoAQinbBAAsNuHBQwhY7h42AUE9JTevgJrriQE0XHr
Cxh3oV45MlL6+w6q7w27CA1iSZpBXsn43xwz0S8xe1F+pk6w2VWrDsIwTAqdc2t5
BPfUuGKYfohc5oW2bSlZfs4lmstSwCHfF9Tt5z/Y/2LVUTcEbNjaqAIxe8clkRhM
VyysEBeZhlcwallHR6oAtNwz082DS4mglOLQpwIMr+B6i5DyFrqphjj1+5Nt1+vR
swj4qZowzuRtnAQLljNjv44KMVNd+s1+SR39Sf/7AMt69u3VKafdhR/C4zrTGuq5
gMbCgOhEpzv8tO/PSnqqzBW1RBs56h4WBDGk/0msP1vDQlY2/Gk+vtB2ah6hqi7K
KSFfIeatq+26xKhALJMH0Zic1dBfRCAwGzJtdjXrktg4qMIVe98mCtCKi938LMnR
L+MOf5tlYAgle/c37Z1RTNSqdLISkejFVvPxbS69kL6pkY5kOTjGPVnr8MCAntBU
mUOowDE2NAH3hxREKZIoeY3egwmzM8/FzbJJFJ8jGJpccsKGpjtMJf7W5DIWIOGQ
VW8jaWdQwlB9+XRobxN/gKmLN7Ezpoahu1PEtNBUN8iarzqe5qejfFosie/2IkU7
5ikmigmd01LBAlxfIaA/88zeUUE5AMF58QLArr9q/jZHkoQMKloeQqAXPzZp8c2D
9R+CfkgGATM=
=Ty1q
-----END PGP SIGNATURE-----
20 April 2022

ESB-2022.1679 - [RedHat] container-tools:2.0: CVSS (Max): 4.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1679
             container-tools:2.0 security and bug fix update
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           container-tools:2.0
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-27651 CVE-2022-27649

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1407

Comment: CVSS (Max):  4.8 CVE-2022-27651 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: container-tools:2.0 security and bug fix update
Advisory ID:       RHSA-2022:1407-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1407
Issue date:        2022-04-19
CVE Names:         CVE-2022-27649 CVE-2022-27651
=====================================================================

1. Summary:

An update for the container-tools:2.0 module is now available for Red Hat
Enterprise Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The container-tools module contains tools for working with containers,
notably podman, buildah, skopeo, and runc.

Security Fix(es):

* podman: Default inheritable capabilities for linux container should be
empty (CVE-2022-27649)

* buildah: Default inheritable capabilities for linux container should be
empty (CVE-2022-27651)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* [8.2 EUS backport] podman cpu stats bug (BZ#2062400)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2066568 - CVE-2022-27649 podman: Default inheritable capabilities for linux container should be empty
2066840 - CVE-2022-27651 buildah: Default inheritable capabilities for linux container should be empty

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:
buildah-1.11.6-9.module+el8.4.0+14792+f44be4c2.src.rpm
cockpit-podman-11-1.module+el8.4.0+14792+f44be4c2.src.rpm
conmon-2.0.15-1.module+el8.4.0+14792+f44be4c2.src.rpm
container-selinux-2.130.0-1.module+el8.4.0+14792+f44be4c2.src.rpm
containernetworking-plugins-0.8.3-4.module+el8.4.0+14792+f44be4c2.src.rpm
criu-3.12-9.module+el8.4.0+14792+f44be4c2.src.rpm
fuse-overlayfs-0.7.8-1.module+el8.4.0+14792+f44be4c2.src.rpm
podman-1.6.4-28.module+el8.4.0+14792+f44be4c2.src.rpm
python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.4.0+14792+f44be4c2.src.rpm
runc-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.src.rpm
skopeo-0.1.41-4.module+el8.4.0+14792+f44be4c2.src.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.src.rpm
toolbox-0.0.7-1.module+el8.4.0+14792+f44be4c2.src.rpm
udica-0.2.1-2.module+el8.4.0+14792+f44be4c2.src.rpm

aarch64:
buildah-1.11.6-9.module+el8.4.0+14792+f44be4c2.aarch64.rpm
buildah-debuginfo-1.11.6-9.module+el8.4.0+14792+f44be4c2.aarch64.rpm
buildah-debugsource-1.11.6-9.module+el8.4.0+14792+f44be4c2.aarch64.rpm
buildah-tests-1.11.6-9.module+el8.4.0+14792+f44be4c2.aarch64.rpm
buildah-tests-debuginfo-1.11.6-9.module+el8.4.0+14792+f44be4c2.aarch64.rpm
conmon-2.0.15-1.module+el8.4.0+14792+f44be4c2.aarch64.rpm
containernetworking-plugins-0.8.3-4.module+el8.4.0+14792+f44be4c2.aarch64.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.4.0+14792+f44be4c2.aarch64.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.4.0+14792+f44be4c2.aarch64.rpm
containers-common-0.1.41-4.module+el8.4.0+14792+f44be4c2.aarch64.rpm
crit-3.12-9.module+el8.4.0+14792+f44be4c2.aarch64.rpm
criu-3.12-9.module+el8.4.0+14792+f44be4c2.aarch64.rpm
criu-debuginfo-3.12-9.module+el8.4.0+14792+f44be4c2.aarch64.rpm
criu-debugsource-3.12-9.module+el8.4.0+14792+f44be4c2.aarch64.rpm
fuse-overlayfs-0.7.8-1.module+el8.4.0+14792+f44be4c2.aarch64.rpm
fuse-overlayfs-debuginfo-0.7.8-1.module+el8.4.0+14792+f44be4c2.aarch64.rpm
fuse-overlayfs-debugsource-0.7.8-1.module+el8.4.0+14792+f44be4c2.aarch64.rpm
podman-1.6.4-28.module+el8.4.0+14792+f44be4c2.aarch64.rpm
podman-debuginfo-1.6.4-28.module+el8.4.0+14792+f44be4c2.aarch64.rpm
podman-debugsource-1.6.4-28.module+el8.4.0+14792+f44be4c2.aarch64.rpm
podman-remote-1.6.4-28.module+el8.4.0+14792+f44be4c2.aarch64.rpm
podman-remote-debuginfo-1.6.4-28.module+el8.4.0+14792+f44be4c2.aarch64.rpm
podman-tests-1.6.4-28.module+el8.4.0+14792+f44be4c2.aarch64.rpm
python3-criu-3.12-9.module+el8.4.0+14792+f44be4c2.aarch64.rpm
runc-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.aarch64.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.aarch64.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.aarch64.rpm
skopeo-0.1.41-4.module+el8.4.0+14792+f44be4c2.aarch64.rpm
skopeo-debuginfo-0.1.41-4.module+el8.4.0+14792+f44be4c2.aarch64.rpm
skopeo-debugsource-0.1.41-4.module+el8.4.0+14792+f44be4c2.aarch64.rpm
skopeo-tests-0.1.41-4.module+el8.4.0+14792+f44be4c2.aarch64.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.aarch64.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.aarch64.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.aarch64.rpm

noarch:
cockpit-podman-11-1.module+el8.4.0+14792+f44be4c2.noarch.rpm
container-selinux-2.130.0-1.module+el8.4.0+14792+f44be4c2.noarch.rpm
podman-docker-1.6.4-28.module+el8.4.0+14792+f44be4c2.noarch.rpm
python-podman-api-1.2.0-0.2.gitd0a45fe.module+el8.4.0+14792+f44be4c2.noarch.rpm
toolbox-0.0.7-1.module+el8.4.0+14792+f44be4c2.noarch.rpm
udica-0.2.1-2.module+el8.4.0+14792+f44be4c2.noarch.rpm

ppc64le:
buildah-1.11.6-9.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
buildah-debuginfo-1.11.6-9.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
buildah-debugsource-1.11.6-9.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
buildah-tests-1.11.6-9.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
buildah-tests-debuginfo-1.11.6-9.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
conmon-2.0.15-1.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
containernetworking-plugins-0.8.3-4.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
containers-common-0.1.41-4.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
crit-3.12-9.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
criu-3.12-9.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
criu-debuginfo-3.12-9.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
criu-debugsource-3.12-9.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
fuse-overlayfs-0.7.8-1.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
fuse-overlayfs-debuginfo-0.7.8-1.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
fuse-overlayfs-debugsource-0.7.8-1.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
podman-1.6.4-28.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
podman-debuginfo-1.6.4-28.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
podman-debugsource-1.6.4-28.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
podman-remote-1.6.4-28.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
podman-remote-debuginfo-1.6.4-28.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
podman-tests-1.6.4-28.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
python3-criu-3.12-9.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
runc-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
skopeo-0.1.41-4.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
skopeo-debuginfo-0.1.41-4.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
skopeo-debugsource-0.1.41-4.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
skopeo-tests-0.1.41-4.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.ppc64le.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.ppc64le.rpm

s390x:
buildah-1.11.6-9.module+el8.4.0+14792+f44be4c2.s390x.rpm
buildah-debuginfo-1.11.6-9.module+el8.4.0+14792+f44be4c2.s390x.rpm
buildah-debugsource-1.11.6-9.module+el8.4.0+14792+f44be4c2.s390x.rpm
buildah-tests-1.11.6-9.module+el8.4.0+14792+f44be4c2.s390x.rpm
buildah-tests-debuginfo-1.11.6-9.module+el8.4.0+14792+f44be4c2.s390x.rpm
conmon-2.0.15-1.module+el8.4.0+14792+f44be4c2.s390x.rpm
containernetworking-plugins-0.8.3-4.module+el8.4.0+14792+f44be4c2.s390x.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.4.0+14792+f44be4c2.s390x.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.4.0+14792+f44be4c2.s390x.rpm
containers-common-0.1.41-4.module+el8.4.0+14792+f44be4c2.s390x.rpm
crit-3.12-9.module+el8.4.0+14792+f44be4c2.s390x.rpm
criu-3.12-9.module+el8.4.0+14792+f44be4c2.s390x.rpm
criu-debuginfo-3.12-9.module+el8.4.0+14792+f44be4c2.s390x.rpm
criu-debugsource-3.12-9.module+el8.4.0+14792+f44be4c2.s390x.rpm
fuse-overlayfs-0.7.8-1.module+el8.4.0+14792+f44be4c2.s390x.rpm
fuse-overlayfs-debuginfo-0.7.8-1.module+el8.4.0+14792+f44be4c2.s390x.rpm
fuse-overlayfs-debugsource-0.7.8-1.module+el8.4.0+14792+f44be4c2.s390x.rpm
podman-1.6.4-28.module+el8.4.0+14792+f44be4c2.s390x.rpm
podman-debuginfo-1.6.4-28.module+el8.4.0+14792+f44be4c2.s390x.rpm
podman-debugsource-1.6.4-28.module+el8.4.0+14792+f44be4c2.s390x.rpm
podman-remote-1.6.4-28.module+el8.4.0+14792+f44be4c2.s390x.rpm
podman-remote-debuginfo-1.6.4-28.module+el8.4.0+14792+f44be4c2.s390x.rpm
podman-tests-1.6.4-28.module+el8.4.0+14792+f44be4c2.s390x.rpm
python3-criu-3.12-9.module+el8.4.0+14792+f44be4c2.s390x.rpm
runc-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.s390x.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.s390x.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.s390x.rpm
skopeo-0.1.41-4.module+el8.4.0+14792+f44be4c2.s390x.rpm
skopeo-debuginfo-0.1.41-4.module+el8.4.0+14792+f44be4c2.s390x.rpm
skopeo-debugsource-0.1.41-4.module+el8.4.0+14792+f44be4c2.s390x.rpm
skopeo-tests-0.1.41-4.module+el8.4.0+14792+f44be4c2.s390x.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.s390x.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.s390x.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.s390x.rpm

x86_64:
buildah-1.11.6-9.module+el8.4.0+14792+f44be4c2.x86_64.rpm
buildah-debuginfo-1.11.6-9.module+el8.4.0+14792+f44be4c2.x86_64.rpm
buildah-debugsource-1.11.6-9.module+el8.4.0+14792+f44be4c2.x86_64.rpm
buildah-tests-1.11.6-9.module+el8.4.0+14792+f44be4c2.x86_64.rpm
buildah-tests-debuginfo-1.11.6-9.module+el8.4.0+14792+f44be4c2.x86_64.rpm
conmon-2.0.15-1.module+el8.4.0+14792+f44be4c2.x86_64.rpm
containernetworking-plugins-0.8.3-4.module+el8.4.0+14792+f44be4c2.x86_64.rpm
containernetworking-plugins-debuginfo-0.8.3-4.module+el8.4.0+14792+f44be4c2.x86_64.rpm
containernetworking-plugins-debugsource-0.8.3-4.module+el8.4.0+14792+f44be4c2.x86_64.rpm
containers-common-0.1.41-4.module+el8.4.0+14792+f44be4c2.x86_64.rpm
crit-3.12-9.module+el8.4.0+14792+f44be4c2.x86_64.rpm
criu-3.12-9.module+el8.4.0+14792+f44be4c2.x86_64.rpm
criu-debuginfo-3.12-9.module+el8.4.0+14792+f44be4c2.x86_64.rpm
criu-debugsource-3.12-9.module+el8.4.0+14792+f44be4c2.x86_64.rpm
fuse-overlayfs-0.7.8-1.module+el8.4.0+14792+f44be4c2.x86_64.rpm
fuse-overlayfs-debuginfo-0.7.8-1.module+el8.4.0+14792+f44be4c2.x86_64.rpm
fuse-overlayfs-debugsource-0.7.8-1.module+el8.4.0+14792+f44be4c2.x86_64.rpm
podman-1.6.4-28.module+el8.4.0+14792+f44be4c2.x86_64.rpm
podman-debuginfo-1.6.4-28.module+el8.4.0+14792+f44be4c2.x86_64.rpm
podman-debugsource-1.6.4-28.module+el8.4.0+14792+f44be4c2.x86_64.rpm
podman-remote-1.6.4-28.module+el8.4.0+14792+f44be4c2.x86_64.rpm
podman-remote-debuginfo-1.6.4-28.module+el8.4.0+14792+f44be4c2.x86_64.rpm
podman-tests-1.6.4-28.module+el8.4.0+14792+f44be4c2.x86_64.rpm
python3-criu-3.12-9.module+el8.4.0+14792+f44be4c2.x86_64.rpm
runc-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.x86_64.rpm
runc-debuginfo-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.x86_64.rpm
runc-debugsource-1.0.0-65.rc10.module+el8.4.0+14792+f44be4c2.x86_64.rpm
skopeo-0.1.41-4.module+el8.4.0+14792+f44be4c2.x86_64.rpm
skopeo-debuginfo-0.1.41-4.module+el8.4.0+14792+f44be4c2.x86_64.rpm
skopeo-debugsource-0.1.41-4.module+el8.4.0+14792+f44be4c2.x86_64.rpm
skopeo-tests-0.1.41-4.module+el8.4.0+14792+f44be4c2.x86_64.rpm
slirp4netns-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.x86_64.rpm
slirp4netns-debuginfo-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.x86_64.rpm
slirp4netns-debugsource-0.4.2-3.git21fdece.module+el8.4.0+14792+f44be4c2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-27649
https://access.redhat.com/security/cve/CVE-2022-27651
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYl7ud9zjgjWX9erEAQgdShAAmpEhlMjKEwhc+cEFZ0EiPToNp5/nttu4
ZWw1cOoj569LGQxCVrRLBoNNil8MIA3depqZrUmC1seT2wrdoa+3o5A+1J9vmTyH
OocLlpHGcfZquufWtTnJbPcbLGJ83tSa121GJBa8WMC8pq4L6A2rxqAfHLAqY7QZ
d3DvneYqwSVdQo7/dWGxAgYd9LTkTWCXfSZRR6fSUce6vwUIsfcwAYHIlXLO/6SN
WE+UeOsPsOONLvkjZj1Fk7JGQvLmT/VuhJSBYhQ2hQiCyjkQQ0/nnYBcUDoDyODt
cfBeoJVfCsXNbiO/ZwnB2RlLXVGvHwGNYx8H2Jz1gDz4uqIBNQnuXBhEe7DDrmAq
03Vv4snoZ0oexDMUkdFk0FSITKPHFMMcsrb2sZWMBJRVy3lPMg0DIcrUs7mMhwe0
moNMR9OnCIvNAzHLHfgLUMQg91wf3Zqb0Q8dwOgYgVKT2FYU6QP5WY5sWechDTaa
Ddw/pq+OXJZ1p008gblhcXOWkMiOthkikuea4dzfyo2Sr7UDYDN6YBNhEYO9WmkN
VALSXEGK29A0WS4gvRQyuM8dmTCA5rzN920jf6md6Lj/4SII2rBYYsSBiDrLpRGH
1eM0NbzRTT9RHbk+NCJ/P/vAm+YoXm1rNc/fhP5RIdDMg5Si1ShaXn4gv8BBGF+x
4/wjOBkLPWE=
=Eq8j
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl9XZONLKJtyKPYoAQgleg//Qz60ahgjmeIH55ZZECQhfsPxZQLve0CO
qsvVqmTkws8I7y2ceJijyDxKfgnVu/w2awmh6eUcw9bXg1AhmS3ujB9jHtuSqwyl
W5WMlXh8CMze60BcZz0rLBTac5cWjfcYD9yEOZ+NlaxBmQYAJyihup/+m17ZCsEv
+OLBnDZFrd3JU09s4nOfy6An55bU3FFmteoGJTjxuk7IfntSy8pDGQ1wjlgzrlYj
29ZV4vJnTc+ib6k+btff3JOiQHcQqmsCXe1Enbnr+ZeMbeyPCFPrWVfteHWGibhv
VwAKjW7BeJCqVG8Pd/t2BgCp1O+6hKR2BxRnluM7Vmw0Zgnw718kj6TIjgzVsH7j
2yyNFEc6qS5x/D5W/PfnlppmxHc4cVzH4tPbfGD8vPB0izlepCSkNkqO9xm19IR6
hHmSiDQW7YwjpNHy3SR0iyptRmSR+QxVgKYMPH99bXGWIypHJtx97UqF5jRE1wAP
VJfE0BYX7eGWYWLs9pWU47jMEYPJz14yrk0a5qALxzuuEm989qbtq/v5ZH7H/6yj
QtR6PV2eYsHVo305ErwmS4CnyHhMK8PR4Jcx/fJdh+lDEElVwta0uG2+IyFyWiag
a4w+Sgk3IlzUPv42fepYX1RDZs/v+N/mWQx26+2eBVWLqcyqqmI3dxmiLyiGLtk2
zkDtFEInkEY=
=Mfst
-----END PGP SIGNATURE-----
20 April 2022

ESB-2022.1678 - [RedHat] OpenShift Virtualization 2.6.10 RPMs: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1678
OpenShift Virtualization 2.6.10 RPMs security and bug fix update
20 April 2022

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: OpenShift Virtualization 2.6.10 RPMs
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2021-33198 CVE-2021-33197 CVE-2021-33195

Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:1402

Comment: CVSS (Max): 7.5 CVE-2021-33198 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Virtualization 2.6.10 RPMs security and bug fix update
Advisory ID: RHSA-2022:1402-01
Product: cnv
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1402
Issue date: 2022-04-19
CVE Names: CVE-2021-33195 CVE-2021-33197 CVE-2021-33198
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 2.6.10 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CNV 2.6 for RHEL 7 - x86_64
CNV 2.6 for RHEL 8 - x86_64

3. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 2.6.10 RPMs.

Security Fix(es):

* golang: net: lookup functions may return invalid host names (CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
2051113 - 2.6.10 rpms

6. Package List:

CNV 2.6 for RHEL 7:

Source:
kubevirt-2.6.10-230.el7.src.rpm

x86_64:
kubevirt-virtctl-2.6.10-230.el7.x86_64.rpm
kubevirt-virtctl-redistributable-2.6.10-230.el7.x86_64.rpm

CNV 2.6 for RHEL 8:

Source:
kubevirt-2.6.10-230.el8.src.rpm

x86_64:
kubevirt-virtctl-2.6.10-230.el8.x86_64.rpm
kubevirt-virtctl-redistributable-2.6.10-230.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYl7uftzjgjWX9erEAQga0g//Uuj2PhJ9sjQLWl6NCvZ0u8clCtMPCUIJ
RBMwzmvsspsqGBGIHVDYRGU9EAf+F082B5wHUU+SXCDonbpfvWTu+hI+aLiTLKTY
T2zJE8q1b6qMXk4FOcBxKgnaGuEW/snfwPnqOPrmDpK/DLe1cpmZ+dGu4prxg8PL
1HZj2ASEyeR3E1YK0JzWVDINeCXFoNAJeVa7Xf48iFcpqPgVOL3g6DQAVd4PoqoL
QgfA6fhEpine9ADuxtLKKlbulosJSX2v1xlWRBDLeHQ1pmCUBys9xB6v7I+3LfYb
QAz8JPrQMZu6N/3+wTp5aHWOeKD7kERDQOXXkDO59qz4hjB0a9xZsKM+3mPv5lnT
UAfsjjUhDzc0Ya35A/Keawf0roySEGAxQ3L1ceuTBnarWp9v0ZooKA6uAGKXxhhx
agn02J9TzC3bAh88NUlHUXFMslQkJMrFy7edtvzumN2IdFxDHRyN1okj86uLuxiB
D5mAjjRXN6ezESZGayZVJiZTKHwesk+/7tGgvxUcKQiNaHZYAbQuSwI3T4cVjPME
p/MY6MFhcXocE+HeFl43Dr51aXq1axahQcN1GahIjZW139Vjhp6kaQSjV+ofj/oP
XzEWhSC1g5x/h9wM4nexo7Lcy4Mp+qVVL4Xn5lXNWNLyb06aiPhoQEGcrZIr4hnO
dSKQq2JB3GQ=
=a2y4
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl9XVeNLKJtyKPYoAQhUiQ//ZXOwyS1ov32HnGfRU1z4XAUN6RouGzYR
LMsSEVthC20d6ueqv6aIy2INDqZGstbrPWz5hqw5FG+pHLv3lBqHrIPm5ROOrVa4
6oSVRHTjMLnYjfmeaBgIvWzgnpOJ/Gz2rNecIuqndmEdNSMdQ70ri5HcIMx7ZHnK
cjmUXOoSeOkmrYMBMMODJPQ/9Jaj4WoOsTobBQgGBM2qPy2VvIotH+TfQ8PwirDm
Kp/tuw8/+wIFCNWCKqvYyAa4vWm2P/n3DTwGbCk7Uk91d+Gw3e7IqLVlRgzJwm4/
9YVS3ZwV5RMXaQK4QcRS5657b5VxS9D5szUKyLNly/wh5ZxErAuDLF9Q630B8Gyv
fI1I14hjTOxxFHMP+mvJpZhG+BzWa4WBADuGzLWhf45Z0Ol/WfD+2rka63Zcakr+
3ekcjDQLwgJKV+DF/x0q7NJV81qc6jtXGr6KBY/Mu52RdukTBxpI9BEpeuISKqGg
Nc9+CoFLKy1oD5T+tDejha9+WOptpiWY7doErQJk44p68DpTxDbXXczSdQCNNi78
jA0cCcLmlpldmy1tr0ZpcN36Wh3PZZatNHI1HkJ5brrbK65cAYB5w+YvLGqQ8vHy
Z2/kvjP43dYxW4CGzna5mt7DdRRYsBGuBVmtaj1lTchkZLpewK7L/wuHiZFF9jKc
NFf49qgSJOw=
=n8dr
-----END PGP SIGNATURE-----
20 April 2022

ESB-2022.1677 - [RedHat] Migration Toolkit for Containers (MTC) 1.5.4: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1677
Migration Toolkit for Containers (MTC) 1.5.4 security update
20 April 2022

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Migration Toolkit for Containers (MTC) 1.5.4
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-25315 CVE-2022-25236 CVE-2022-25235 CVE-2022-24407
           CVE-2022-23852 CVE-2022-23308 CVE-2022-23219 CVE-2022-23218
           CVE-2022-22942 CVE-2022-22827 CVE-2022-22826 CVE-2022-22825
           CVE-2022-22824 CVE-2022-22823 CVE-2022-22822 CVE-2022-22817
           CVE-2022-22816 CVE-2022-0847 CVE-2022-0778 CVE-2022-0532
           CVE-2022-0516 CVE-2022-0492 CVE-2022-0435 CVE-2022-0413
           CVE-2022-0392 CVE-2022-0361 CVE-2022-0359 CVE-2022-0330
           CVE-2022-0318 CVE-2022-0261 CVE-2021-46143 CVE-2021-45960
           CVE-2021-44717 CVE-2021-44716 CVE-2021-42574 CVE-2021-41190
           CVE-2021-36221 CVE-2021-36087 CVE-2021-36086 CVE-2021-36085
           CVE-2021-36084 CVE-2021-33560 CVE-2021-31566 CVE-2021-28153
           CVE-2021-23177 CVE-2021-22925 CVE-2021-22898 CVE-2021-22876
           CVE-2021-21684 CVE-2021-20232 CVE-2021-20231 CVE-2021-4154
           CVE-2021-4122 CVE-2021-3999 CVE-2021-3800 CVE-2021-3580
           CVE-2021-3572 CVE-2021-3521 CVE-2021-3445 CVE-2021-3426
           CVE-2021-3200 CVE-2021-0920 CVE-2020-25710 CVE-2020-25709
           CVE-2020-24370 CVE-2020-16135 CVE-2020-14155 CVE-2020-13435
           CVE-2020-12762 CVE-2019-20838 CVE-2019-19603 CVE-2019-18218
           CVE-2019-17595 CVE-2019-17594 CVE-2019-13751 CVE-2019-13750
           CVE-2019-5827 CVE-2014-3577

Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:1396

Comment: CVSS (Max): 9.8 CVE-2022-25315 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.5.4 security update
Advisory ID: RHSA-2022:1396-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1396
Issue date: 2022-04-19
CVE Names: CVE-2014-3577 CVE-2019-5827 CVE-2019-13750 CVE-2019-13751
           CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-19603
           CVE-2019-20838 CVE-2020-12762 CVE-2020-13435 CVE-2020-14155
           CVE-2020-16135 CVE-2020-24370 CVE-2020-25709 CVE-2020-25710
           CVE-2021-0920 CVE-2021-3200 CVE-2021-3426 CVE-2021-3445
           CVE-2021-3521 CVE-2021-3572 CVE-2021-3580 CVE-2021-3800
           CVE-2021-3999 CVE-2021-4122 CVE-2021-4154 CVE-2021-20231
           CVE-2021-20232 CVE-2021-21684 CVE-2021-22876 CVE-2021-22898
           CVE-2021-22925 CVE-2021-23177 CVE-2021-28153 CVE-2021-31566
           CVE-2021-33560 CVE-2021-36084 CVE-2021-36085 CVE-2021-36086
           CVE-2021-36087 CVE-2021-36221 CVE-2021-41190 CVE-2021-42574
           CVE-2021-44716 CVE-2021-44717 CVE-2021-45960 CVE-2021-46143
           CVE-2022-0261 CVE-2022-0318 CVE-2022-0330 CVE-2022-0359
           CVE-2022-0361 CVE-2022-0392 CVE-2022-0413 CVE-2022-0435
           CVE-2022-0492 CVE-2022-0516 CVE-2022-0532 CVE-2022-0778
           CVE-2022-0847 CVE-2022-22816 CVE-2022-22817 CVE-2022-22822
           CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826
           CVE-2022-22827 CVE-2022-22942 CVE-2022-23218 CVE-2022-23219
           CVE-2022-23308 CVE-2022-23852 CVE-2022-24407 CVE-2022-25235
           CVE-2022-25236 CVE-2022-25315
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.5.4 is now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es):

* golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic

5. References:

https://access.redhat.com/security/cve/CVE-2014-3577
https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-12762
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-16135
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2020-25709
https://access.redhat.com/security/cve/CVE-2020-25710
https://access.redhat.com/security/cve/CVE-2021-0920
https://access.redhat.com/security/cve/CVE-2021-3200
https://access.redhat.com/security/cve/CVE-2021-3426
https://access.redhat.com/security/cve/CVE-2021-3445
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3572
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3800
https://access.redhat.com/security/cve/CVE-2021-3999
https://access.redhat.com/security/cve/CVE-2021-4122
https://access.redhat.com/security/cve/CVE-2021-4154
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-21684
https://access.redhat.com/security/cve/CVE-2021-22876
https://access.redhat.com/security/cve/CVE-2021-22898
https://access.redhat.com/security/cve/CVE-2021-22925
https://access.redhat.com/security/cve/CVE-2021-23177
https://access.redhat.com/security/cve/CVE-2021-28153
https://access.redhat.com/security/cve/CVE-2021-31566
https://access.redhat.com/security/cve/CVE-2021-33560
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-36221
https://access.redhat.com/security/cve/CVE-2021-41190
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/cve/CVE-2021-44716
https://access.redhat.com/security/cve/CVE-2021-44717
https://access.redhat.com/security/cve/CVE-2021-45960
https://access.redhat.com/security/cve/CVE-2021-46143
https://access.redhat.com/security/cve/CVE-2022-0261
https://access.redhat.com/security/cve/CVE-2022-0318
https://access.redhat.com/security/cve/CVE-2022-0330
https://access.redhat.com/security/cve/CVE-2022-0359
https://access.redhat.com/security/cve/CVE-2022-0361
https://access.redhat.com/security/cve/CVE-2022-0392
https://access.redhat.com/security/cve/CVE-2022-0413
https://access.redhat.com/security/cve/CVE-2022-0435
https://access.redhat.com/security/cve/CVE-2022-0492
https://access.redhat.com/security/cve/CVE-2022-0516
https://access.redhat.com/security/cve/CVE-2022-0532
https://access.redhat.com/security/cve/CVE-2022-0778
https://access.redhat.com/security/cve/CVE-2022-0847
https://access.redhat.com/security/cve/CVE-2022-22816
https://access.redhat.com/security/cve/CVE-2022-22817
https://access.redhat.com/security/cve/CVE-2022-22822
https://access.redhat.com/security/cve/CVE-2022-22823
https://access.redhat.com/security/cve/CVE-2022-22824
https://access.redhat.com/security/cve/CVE-2022-22825
https://access.redhat.com/security/cve/CVE-2022-22826
https://access.redhat.com/security/cve/CVE-2022-22827
https://access.redhat.com/security/cve/CVE-2022-22942
https://access.redhat.com/security/cve/CVE-2022-23218
https://access.redhat.com/security/cve/CVE-2022-23219
https://access.redhat.com/security/cve/CVE-2022-23308
https://access.redhat.com/security/cve/CVE-2022-23852
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/cve/CVE-2022-25235
https://access.redhat.com/security/cve/CVE-2022-25236
https://access.redhat.com/security/cve/CVE-2022-25315
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYl7undzjgjWX9erEAQiqnA//coS+jbyEFQN1aAdPyLbi2n3NcYI984MP
Jb+dx3PPN+OZ+W8pXqp786iVzD5rPvpuFc4M0COp+Ambsfw3VZCmGk9+R4KtiMi/
tK0GXP0A+t91IeyEhGcOcUtruivBaToMwriBCLwPGSduTy67eEYA5z50yilDWyP/
dwksdQFru9fFtNo6ssWZg0bk4+p37fxkH2RqRrVRSNlRZMqW6of1gj77mx+YBBHU
p5NOxg00+0JuUyvvzVAWRAk5i5lTETiO85uDZLhv01YzBDHnroQxj2BmprXVSneZ
U7ToSzYjTYHN3uUdO23ytBRTAB3Sw8yIlVHSoPhQBO8pBmzIh/MC3dGgwdfp/QRk
cdlVKMN4wfq9k693qVgMlUFIqGC05VMDqd5ftpVWdOlb71fxE2yCiawJeg2bgA9x
eiEiAF2mCcQgFrEQUZz3NkQ1Ck9KLlkGDDucCJldWo2JB2OgP9ZocwvlrtwuaEQF
lJ7ltPPMB/5mPuFiccqhKNP1uDU4LsMve7+eJtXvi9au/A8DCF3H5wGnufNRNxg1
o4e1BUL0e8WLkpaeqfioz+h98udNi6DRN1x9a1rs7HjKAgDneqWq1QdvWPrD1Xmw
8E5l/kiIOZgHdKV37//oF/InpGnxdO2mGHge+KSrwkMBZ05hfqhv0ika0SNcMFB2
APVsdFf7Z0E=
=TaCO
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl9XP+NLKJtyKPYoAQhDYA/9FbL9K7n8EvCzaTb9xSL+UTus0pk/5s/7
dq4lySHB+Ongx6l2ZpvivKvBaNVekL3jz9X4k/YZYlB/hd5+79aD0d61BpCQ+s9k
zo57jxto+9hl/KfaOsxoY62MxIZPJFbSnwZoVBH6snOswJqdQH9DjCu0VYbmHZ4m
UftB7eOYi5m8dpuC8AmhhlihVimpRQtPJ8ZdXB+xaOMeffoRmkJizSneiBM44OIy
ghYplsMVgT6BQRsR8NMi4XncsroOebjBI9oZKlpWbLYgUmRE1S4awCyVse1pBDX6
URDufkNtvv/aw/b3NEA2O8aZsTeH7mSV2pdjeDZ5Y4cK4VWi+u/ciUoVCKwupQ3Z
7s9eKXauDw9eqRqHQs8918iAntzdyi+dSb8FPVFpElIYp/YFsNgff+BzEkjJzAxX
o6zds7AwdMFtgpoZD3yJJ2Qhs9hwtb3ydOaSz9L/0MHven+bbQVr4rSBNyOPBaed
aemnMyw2zB85qGr/77hRLduwl/fgk5MotvkLFecc9hKnPkOzpDZ8akdPc1r942kq
J0v8lJ+UL+9beqy0DPFCsURd2or7u3XKbOyHTid2iEYWY7myrUL6uFxC7g28bnl8
0qcvNZf/q1FeYE+7kcnmBvM69gtDw7viKvFsBfDCmEgQg2cgV4BuX0n4pjWymyyo
WGKI0fgfWt0=
=Xh+0
-----END PGP SIGNATURE-----
20 April 2022

ESB-2022.1676 - [RedHat] Red Hat Ceph Storage 3: CVSS (Max): 8.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1676
Red Hat Ceph Storage 3 Security and Bug Fix update
20 April 2022

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Red Hat Ceph Storage 3
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20288

Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:1394

Comment: CVSS (Max): 8.0 CVE-2021-20288 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Ceph Storage 3 Security and Bug Fix update
Advisory ID: RHSA-2022:1394-01
Product: Red Hat Ceph Storage
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1394
Issue date: 2022-04-19
CVE Names: CVE-2021-20288
=====================================================================

1. Summary:

An update is now available for Red Hat Ceph Storage 3.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Ceph Storage 3 MON - ELS - ppc64le, x86_64
Red Hat Ceph Storage 3 OSD - ELS - ppc64le, x86_64
Red Hat Ceph Storage 3 Tools - ELS - noarch, ppc64le, x86_64

3. Description:

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

Security Fix(es):

* ceph: Unauthorized global_id reuse in cephx (CVE-2021-20288)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1938031 - CVE-2021-20288 ceph: Unauthorized global_id reuse in cephx
2068353 - [Ceph-ansible]: Adding osd using add-osd.yml fails
2069491 - [Ceph-ansible]: RHCS deployment fails for non-devices osd scenario
2071676 - Adding rgw using site-container.yml with limit fails

6. Package List:

Red Hat Ceph Storage 3 MON - ELS:

Source:
ceph-12.2.12-141.el7cp.src.rpm

ppc64le:
ceph-base-12.2.12-141.el7cp.ppc64le.rpm
ceph-common-12.2.12-141.el7cp.ppc64le.rpm
ceph-debuginfo-12.2.12-141.el7cp.ppc64le.rpm
ceph-mgr-12.2.12-141.el7cp.ppc64le.rpm
ceph-mon-12.2.12-141.el7cp.ppc64le.rpm
ceph-selinux-12.2.12-141.el7cp.ppc64le.rpm
libcephfs-devel-12.2.12-141.el7cp.ppc64le.rpm
libcephfs2-12.2.12-141.el7cp.ppc64le.rpm
librados-devel-12.2.12-141.el7cp.ppc64le.rpm
librados2-12.2.12-141.el7cp.ppc64le.rpm
libradosstriper1-12.2.12-141.el7cp.ppc64le.rpm
librbd-devel-12.2.12-141.el7cp.ppc64le.rpm
librbd1-12.2.12-141.el7cp.ppc64le.rpm
librgw-devel-12.2.12-141.el7cp.ppc64le.rpm
librgw2-12.2.12-141.el7cp.ppc64le.rpm
python-cephfs-12.2.12-141.el7cp.ppc64le.rpm
python-rados-12.2.12-141.el7cp.ppc64le.rpm
python-rbd-12.2.12-141.el7cp.ppc64le.rpm
python-rgw-12.2.12-141.el7cp.ppc64le.rpm

x86_64:
ceph-base-12.2.12-141.el7cp.x86_64.rpm
ceph-common-12.2.12-141.el7cp.x86_64.rpm
ceph-debuginfo-12.2.12-141.el7cp.x86_64.rpm
ceph-mgr-12.2.12-141.el7cp.x86_64.rpm
ceph-mon-12.2.12-141.el7cp.x86_64.rpm
ceph-selinux-12.2.12-141.el7cp.x86_64.rpm
ceph-test-12.2.12-141.el7cp.x86_64.rpm
libcephfs-devel-12.2.12-141.el7cp.x86_64.rpm
libcephfs2-12.2.12-141.el7cp.x86_64.rpm
librados-devel-12.2.12-141.el7cp.x86_64.rpm
librados2-12.2.12-141.el7cp.x86_64.rpm
libradosstriper1-12.2.12-141.el7cp.x86_64.rpm
librbd-devel-12.2.12-141.el7cp.x86_64.rpm
librbd1-12.2.12-141.el7cp.x86_64.rpm
librgw-devel-12.2.12-141.el7cp.x86_64.rpm
librgw2-12.2.12-141.el7cp.x86_64.rpm
python-cephfs-12.2.12-141.el7cp.x86_64.rpm
python-rados-12.2.12-141.el7cp.x86_64.rpm
python-rbd-12.2.12-141.el7cp.x86_64.rpm
python-rgw-12.2.12-141.el7cp.x86_64.rpm

Red Hat Ceph Storage 3 OSD - ELS:

Source:
ceph-12.2.12-141.el7cp.src.rpm

ppc64le:
ceph-base-12.2.12-141.el7cp.ppc64le.rpm
ceph-common-12.2.12-141.el7cp.ppc64le.rpm
ceph-debuginfo-12.2.12-141.el7cp.ppc64le.rpm
ceph-osd-12.2.12-141.el7cp.ppc64le.rpm
ceph-selinux-12.2.12-141.el7cp.ppc64le.rpm
libcephfs-devel-12.2.12-141.el7cp.ppc64le.rpm
libcephfs2-12.2.12-141.el7cp.ppc64le.rpm
librados-devel-12.2.12-141.el7cp.ppc64le.rpm
librados2-12.2.12-141.el7cp.ppc64le.rpm
libradosstriper1-12.2.12-141.el7cp.ppc64le.rpm
librbd-devel-12.2.12-141.el7cp.ppc64le.rpm
librbd1-12.2.12-141.el7cp.ppc64le.rpm
librgw-devel-12.2.12-141.el7cp.ppc64le.rpm
librgw2-12.2.12-141.el7cp.ppc64le.rpm
python-cephfs-12.2.12-141.el7cp.ppc64le.rpm
python-rados-12.2.12-141.el7cp.ppc64le.rpm
python-rbd-12.2.12-141.el7cp.ppc64le.rpm
python-rgw-12.2.12-141.el7cp.ppc64le.rpm

x86_64:
ceph-base-12.2.12-141.el7cp.x86_64.rpm
ceph-common-12.2.12-141.el7cp.x86_64.rpm
ceph-debuginfo-12.2.12-141.el7cp.x86_64.rpm
ceph-osd-12.2.12-141.el7cp.x86_64.rpm
ceph-selinux-12.2.12-141.el7cp.x86_64.rpm
ceph-test-12.2.12-141.el7cp.x86_64.rpm
libcephfs-devel-12.2.12-141.el7cp.x86_64.rpm
libcephfs2-12.2.12-141.el7cp.x86_64.rpm
librados-devel-12.2.12-141.el7cp.x86_64.rpm
librados2-12.2.12-141.el7cp.x86_64.rpm
libradosstriper1-12.2.12-141.el7cp.x86_64.rpm
librbd-devel-12.2.12-141.el7cp.x86_64.rpm
librbd1-12.2.12-141.el7cp.x86_64.rpm
librgw-devel-12.2.12-141.el7cp.x86_64.rpm
librgw2-12.2.12-141.el7cp.x86_64.rpm
python-cephfs-12.2.12-141.el7cp.x86_64.rpm
python-rados-12.2.12-141.el7cp.x86_64.rpm
python-rbd-12.2.12-141.el7cp.x86_64.rpm
python-rgw-12.2.12-141.el7cp.x86_64.rpm

Red Hat Ceph Storage 3 Tools - ELS:

Source:
ceph-12.2.12-141.el7cp.src.rpm
ceph-ansible-3.2.59-1.el7cp.src.rpm

noarch:
ceph-ansible-3.2.59-1.el7cp.noarch.rpm

ppc64le:
ceph-base-12.2.12-141.el7cp.ppc64le.rpm
ceph-common-12.2.12-141.el7cp.ppc64le.rpm
ceph-debuginfo-12.2.12-141.el7cp.ppc64le.rpm
ceph-fuse-12.2.12-141.el7cp.ppc64le.rpm
ceph-mds-12.2.12-141.el7cp.ppc64le.rpm
ceph-radosgw-12.2.12-141.el7cp.ppc64le.rpm
ceph-selinux-12.2.12-141.el7cp.ppc64le.rpm
libcephfs-devel-12.2.12-141.el7cp.ppc64le.rpm
libcephfs2-12.2.12-141.el7cp.ppc64le.rpm
librados-devel-12.2.12-141.el7cp.ppc64le.rpm
librados2-12.2.12-141.el7cp.ppc64le.rpm
libradosstriper1-12.2.12-141.el7cp.ppc64le.rpm
librbd-devel-12.2.12-141.el7cp.ppc64le.rpm
librbd1-12.2.12-141.el7cp.ppc64le.rpm
librgw-devel-12.2.12-141.el7cp.ppc64le.rpm
librgw2-12.2.12-141.el7cp.ppc64le.rpm
python-cephfs-12.2.12-141.el7cp.ppc64le.rpm
python-rados-12.2.12-141.el7cp.ppc64le.rpm
python-rbd-12.2.12-141.el7cp.ppc64le.rpm
python-rgw-12.2.12-141.el7cp.ppc64le.rpm
rbd-mirror-12.2.12-141.el7cp.ppc64le.rpm

x86_64:
ceph-base-12.2.12-141.el7cp.x86_64.rpm
ceph-common-12.2.12-141.el7cp.x86_64.rpm
ceph-debuginfo-12.2.12-141.el7cp.x86_64.rpm
ceph-fuse-12.2.12-141.el7cp.x86_64.rpm
ceph-mds-12.2.12-141.el7cp.x86_64.rpm
ceph-radosgw-12.2.12-141.el7cp.x86_64.rpm
ceph-selinux-12.2.12-141.el7cp.x86_64.rpm
libcephfs-devel-12.2.12-141.el7cp.x86_64.rpm
libcephfs2-12.2.12-141.el7cp.x86_64.rpm
librados-devel-12.2.12-141.el7cp.x86_64.rpm
librados2-12.2.12-141.el7cp.x86_64.rpm
libradosstriper1-12.2.12-141.el7cp.x86_64.rpm
librbd-devel-12.2.12-141.el7cp.x86_64.rpm
librbd1-12.2.12-141.el7cp.x86_64.rpm
librgw-devel-12.2.12-141.el7cp.x86_64.rpm
librgw2-12.2.12-141.el7cp.x86_64.rpm
python-cephfs-12.2.12-141.el7cp.x86_64.rpm
python-rados-12.2.12-141.el7cp.x86_64.rpm
python-rbd-12.2.12-141.el7cp.x86_64.rpm
python-rgw-12.2.12-141.el7cp.x86_64.rpm
rbd-mirror-12.2.12-141.el7cp.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-20288
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYl7ub9zjgjWX9erEAQinLg//XkldX2Himghu5oIT4krOlNRS0I82Xxj6
s/OJHAmF5kmSsnoNxcQd6/j4rltRXX5ndsDeRhEeC6KYNqnIJoKnMT80GSv+KUKi
4nIyLCbLysO2FXqLF4HtTmMjJ65IzfVIEpFer/8o/YnALMqUqK0z6kreRCJL+9Ww
M/ShJR2llQTR1rh+5HlM0jZgbDVGgjTdv3OlU6nfJxo1CEwZiPuuHH6nmV3SmM3B
WhWGy+C5xfTUjKdHI3SNDhU7zUm6e7tPb13ZBvF9AZG+gOPgoasMMcih9mHzmR+p
eUh+/MPE/5gGcgTrQEuLcQ0XeA1J1KCzLx5VRmI2u7JK4wrXx5/OzgFdJYGI5FQx
uUZkLS+Mn+p3vbdguPe72/5HFIPiv7IyNoisE7BRRyiLBF60WljolNGxD76XwOK7
bauJEUNlJVk8fK3dtS5AvMemVnzKrb3tTDEEUFbbqsnpRH+u2SlqnRJlRk2ZJpMs
jbkNRe08w2nnZ/0cw9BO1WagUYVV3p4KfjsqS3cQDFSaeGw026bHj4g1x8/sp1Ua
lFiy6kAtrp2WrpwICTrbtu5nSnIGmta+teuu3JTdCs3Ysp2zbicMg/27IJPfYNZn
aGkjmaFA0vprzyiV3zG/Gl113pCejL81iaQTc1fD5Qwp+68BBSZtYXBh7i8jahp1
1imSeVAkN+A=
=piMe
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl9XJONLKJtyKPYoAQiypw//aIun/iB5gs3gRmMONn8nlz45rFWO4i6V
52Z6/sBPUd6thN0AyOyYNowD1We46w7AMHgi/004LDhTCAcNrOBVX7xtaoqgnqhY
g4BoI0ZR6ybrIIRswmGumMpLyUK6LQ/scDodMkAokc46hWS7L2WT7wmn7cFrFpJ5
HRYs9ekJViAnyHIgODjEeHIEif8J60VkBIjRFg6stDEdv/1E4L+4aqr433jUaJxh
Z/DVrUFCNZzV1oA1dTn59N/z9zn45Q8NK25AEvraDQxbxY2Apg4XydxAfqJ5Pils
Y+8/jbTxJ0IkWydU93AM9Y2RbRs3mzLbL8pE51qo2v+6etA4wY/S+9ORvTbJZEAD
TKRo1BrT8djybxVVyhQ5ard5zQ9ziK+gwyWckyA0L8Gbvk5+wPQtD9Fvomw93Dft
VzHSR7lFKM/Op2LNVjM01VhqVcOpOk5SryQEZlvT7WaeOUEtuKbOh/+9ho9Yx8g8
rOQw07kWZnPzPadZZawe0t+4IcG/Szc7ew9QZVrOqjRSZFYecMqAGFI1W6yIwe9N
0f+kzYJrMqEkeHZAR8XNo13qbSlhhLhYKigxlXcjngDgPowXv5P+eDePtA7v1MGd
iTMN2J0PRt5rFTERWuX70a7C0P+Xlv95Ssd3o3XUuKrj1ldLexgOfrjH6AUG6DqL
gYuvgszCpSE=
=VByV
-----END PGP SIGNATURE-----
19 April 2022

ESB-2022.1675 - [RedHat] Red Hat Decision Manager 7.12.1: CVSS (Max): 8.1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1675
                Red Hat Decision Manager 7.12.1 security update
                               19 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Decision Manager 7.12.1
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22965

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1379

Comment: CVSS (Max):  8.1 CVE-2022-22965 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Decision Manager 7.12.1 security update
Advisory ID:       RHSA-2022:1379-01
Product:           Red Hat Decision Manager
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1379
Issue date:        2022-04-14
CVE Names:         CVE-2022-22965
=====================================================================

1. Summary:

An update is now available for Red Hat Decision Manager.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Description:

Red Hat Decision Manager is an open source decision management platform that
combines business rules management, complex event processing, Decision Model
& Notation (DMN) execution, and business optimization for solving planning
problems. It automates business decisions and makes that logic available to
the entire business.

This asynchronous security patch is an update to Red Hat Decision Manager 7.

Security Fix(es):

* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+
(CVE-2022-22965)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

A Spring MVC or Spring WebFlux application running on JDK 9 and above might
be vulnerable to remote code execution (RCE) via data binding. The specific
exploit requires the application to run on Tomcat as a WAR deployment. This
release upgrades Spring to 5.3.18 and Spring Boot to 2.6.6 which fixes the
Spring MVC and WebFlux jars.

For on-premise installations, before applying the update, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server
process before installing this update; after installing the update, restart
the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must log
in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2070348 - CVE-2022-22965 spring-framework: RCE via Data Binding on JDK 9+

5. References:

https://access.redhat.com/security/cve/CVE-2022-22965
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/security/vulnerabilities/RHSB-2022-003
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=rhdm&version=7.12.1

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
19 April 2022

ESB-2022.1674 - [RedHat] Red Hat Process Automation Manager 7.12.1: CVSS (Max): 8.1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1674
          Red Hat Process Automation Manager 7.12.1 security update
                               19 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Process Automation Manager 7.12.1
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22965

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1378

Comment: CVSS (Max):  8.1 CVE-2022-22965 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Process Automation Manager 7.12.1 security update
Advisory ID:       RHSA-2022:1378-01
Product:           Red Hat Process Automation Manager
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1378
Issue date:        2022-04-14
CVE Names:         CVE-2022-22965
=====================================================================

1. Summary:

An update is now available for Red Hat Process Automation Manager.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Description:

Red Hat Process Automation Manager is an open source business process
management suite that combines process management and decision service
management and enables business and IT users to create, manage, validate, and
deploy process applications and decision services.

This asynchronous security patch is an update to Red Hat Process Automation
Manager 7.

Security Fix(es):

* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+
(CVE-2022-22965)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

A Spring MVC or Spring WebFlux application running on JDK 9 and above may be
vulnerable to remote code execution (RCE) via data binding. The specific
exploit requires the application to run on Tomcat as a WAR deployment. This
release upgrades Spring to 5.3.18 and Spring Boot to 2.6.6 which fixes the
Spring MVC and WebFlux jars.

For on-premise installations, before applying the update, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server
process before installing this update; after installing the update, restart
the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must log
in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2070348 - CVE-2022-22965 spring-framework: RCE via Data Binding on JDK 9+

5. References:

https://access.redhat.com/security/cve/CVE-2022-22965
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/security/vulnerabilities/RHSB-2022-003
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhpam&downloadType=securityPatches&version=7.12.1

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
19 April 2022

ESB-2022.1673 - [RedHat] Red Hat OpenShift Data Foundation 4.10.0: CVSS (Max): 7.5

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1673
                   Red Hat OpenShift Data Foundation 4.10.0
                 enhancement, security & bug fix update
                               19 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Data Foundation 4.10.0
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44717 CVE-2021-44716 CVE-2021-43565
                   CVE-2021-36221 CVE-2021-34558 CVE-2021-29923

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1372

Comment: CVSS (Max):  7.5 CVE-2021-44716 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update
Advisory ID:       RHSA-2022:1372-01
Product:           RHODF
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1372
Issue date:        2022-04-13
CVE Names:         CVE-2021-29923 CVE-2021-34558 CVE-2021-36221
                   CVE-2021-43565 CVE-2021-44716 CVE-2021-44717
=====================================================================

1. Summary:

Updated images that include numerous enhancements, security, and bug fixes
are now available for Red Hat OpenShift Data Foundation 4.10.0 on Red Hat
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift Container
Platform. In addition to persistent storage, Red Hat OpenShift Data
Foundation provisions a multicloud data management service with an S3
compatible API.

Security Fix(es):

* golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)

* golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)

* golang: net/http: limit growth of header canonicalization cache
(CVE-2021-44716)

* golang: net/http/httputil: panic due to racy read of persistConn after
handler panic (CVE-2021-36221)

* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

Bug Fix(es):

These updated packages include numerous enhancements and bug fixes. Space
precludes documenting all of these changes in this advisory. Users are
directed to the Red Hat OpenShift Data Foundation Release Notes for
information on the most significant of these changes:

https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.10/html/4.10_release_notes/index

All Red Hat OpenShift Data Foundation users are advised to upgrade to these
updated packages, which provide numerous bug fixes and enhancements.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1898988 - [RFE] OCS CephFS External Mode Multi-tenancy. Add cephfs subvolumegroup and path= caps per cluster.
1954708 - [GSS][RFE] Restrict Noobaa from creating public endpoints for Azure Private Cluster
1956418 - [GSS][RFE] Automatic space reclaimation for RBD
1970123 - [GSS] [Azure] NooBaa insecure StorageAccount does not allow for TLS 1.2
1972190 - Attempt to remove pv-pool based noobaa-default-backing-store fails and makes this pool stuck in Rejected state
1974344 - critical ClusterObjectStoreState alert firing after installation of arbiter storage cluster, likely because ceph object user for cephobjectstore fails to be created, when storagecluster is reinstalled
1981341 - Changing a namespacestore's targetBucket field doesn't check whether the target bucket actually exists
1981694 - Restrict Noobaa from creating public endpoints for IBM ROKS Private cluster
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1991462 - helper pod runs with root privileges during Must-gather collection(affects ODF Managed Services)
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
1996830 - OCS external mode should allow specifying names for all Ceph auth principals
1996833 - ceph-external-cluster-details-exporter.py should have a read-only mode
1999689 - Integrate upgrade testing from ocs-ci to the acceptance job for final builds before important milestones
1999952 - Automate the creation of cephobjectstoreuser for obc metrics collector
2003532 - [Tracker for RHEL BZ #2008825] Node upgrade failed due to "expected target osImageURL" MCD error
2005801 - [KMS] Tenant config does not override backendpath if the key is specified in UPPER_CASE
2005919 - [DR] [Tracker for BZ #2008587] when Relocate action is performed and the Application is deleted completely rbd image is not getting deleted on secondary site
2021313 - [GSS] Cannot delete pool
2022424 - System capacity card shows infinity % as used capacity.
2022693 - [RFE] ODF health should reflect the health of Ceph + NooBaa
2024107 - Retrieval of cached objects with `s3 sync` after change in object size in underlying storage results in an InvalidRange error
2024545 - Overprovision Level Policy Control doesn't support custom storageclass
2026007 - Use ceph 'osd safe-to-destroy' feature in OSD purge job
2027666 - [DR] CephBlockPool resources reports wrong mirroringStatus
2027826 - OSD Removal template needs to expose option to force remove the OSD
2028559 - OBC stuck on pending post node failure recovery
2029413 - [DR] Dummy image size is same as the size of image for which it was created
2030602 - MCG not reporting standardized metric correctly for usage
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error
2030839 - Concecutive dashes in OBC name
2031023 - "dbStorageClassName" goes missing in storage cluster yaml for mcg standalone mode
2031705 - [GSS] OBC is not visible by admin of a Project on Console
2032404 - After a node restart, the RGW pod is stuck in a CrashLoopBackOff state
2032412 - [DR] After Failback and PVC deletion the rbd images are left in trash
2032656 - Rook not recovering when deleting osd deployment with kms encryption
2032969 - No RBD mirroring daemon down alert when daemon is down
2032984 - After creating a new SC it redirects to 404 error page instead of the "StorageSystems" page
2033251 - Fix ODF 4.9 compatibility with OCP 4.10
2034003 - NooBaa endpoint pod Terminated before new one comes in Running state after editing the configmap
2034805 - upgrade not started for ODF 4.10
2034904 - OCS operator version differ in CLI commands.
2035774 - Must Gather, Ceph files do not exist on MG directory
2035995 - [GSS] odf-operator-controller-manager is in CLBO with OOM kill while upgrading OCS-4.8 to ODF-4.9
2036018 - ROOK_CSI_* overrides missing from the CSV in 4.10
2036211 - [GSS] noobaa-endpoint becomes CrashLoopBackOff when uploading metrics data to bucket
2037279 - [Azure] OSDs go into CLBO state while mounting an RBD PVC
2037318 - Helper Pod doesn't come up for MCG only must-gather
2037497 - Concecutive dashes in OBC name
2038884 - noobaa-operator is stuck in a CrashLoopBackOff (r.OBC is nil, invalid memory address or nil pointer dereference)
2039240 - [KMS] Deployment of ODF cluster fails when cluster wide encryption is enabled using service account for KMS auth
2040682 - [GSS] Complete multipart upload operation fails with error ' Cannot read property 'sort' of undefined'
2041507 - Missing add modal for action "add capacity" in UI .
2042866 - must gather does not collect the yaml or describe output of the subscription
2043017 - "CSI Addons" operator is not hidden in OperatorHub and Installed Operators page
2043028 - the CSI-Addons sidecar is not automatically deployed, requires enabling in Rook ConfigMap
2043406 - ReclaimSpaceJob status showing "reclaimedSpace" value as "0"
2043513 - [Tracker for Ceph BZ 2044836] mon is in CLBO after upgrading to 4.10-113
2044447 - ODF 4.9 deployment fails when deployed using the ODF managed service deployer (ocs-osd-deployer)
2044823 - Update CSI sidecars to the latest release for 4.10
2045084 - [SNO] controller-manager state is CreateContainerError
2046186 - A TODO text block in the API browser
2046254 - Topolvm-controller is failing to pull image
2046677 - Reclaimspacecronjob is not created after adding the annotation reclaimspace.csiaddons.openshift.io/schedule in PVC
2046766 - [IBM Z]: csi-rbdplugin pods failed to come up due to ImagePullBackOff from the "csiaddons" registry
2046887 - use KMS_PROVIDER name for IBM key protect service as "ibmkeyprotect"
2047162 - ReclaimSpaceJob failing, fstrim is executed on a non-existing mountpoint/directory
2047201 - Add HPCS secret name to Ceph and NooBaa CR
2047562 - CSI Sidecar containers do not start
2047565 - PVC snapshot creation is not successful
2047625 - Dockerfile changes for topolvm
2047632 - mcg-operator failed to install on 4.10.0-126
2047642 - Replace alpine/openssl image in the downstream build
2048107 - vgmanager cannot list block devices on the node
2048370 - CSI-Addons controller makes node reclaimspace request even when the PVC is not mounted to any pod.
2048458 - python exporter script 'ceph-external-cluster-details-exporter.py' error cap mon does not match on ODF 4.10
2049029 - MCG admission control webhooks don't work
2049075 - openshift-storage namespace is stuck in terminating state during uninstall due to remaining csi-addons resources
2049081 - ReclaimSpaceJob is failing for RBD RWX PVC
2049424 - ODF Provider/Consumer mode - backport for missing content
2049509 - ocs operator stuck on CrashLoopBackOff while installing with KMS
2049718 - provider/consumer Mode: rook-ceph-csi-config configmap needs to be updated with the relevant subvolumegroup information
2049727 - [DR] Mirror Peer stuck in ExchangingSecret State
2049771 - We can see 2 ODF Multicluster Orchestrator operators in operator hub page
2049790 - Add error handling for GetCurrentStorageClusterRef
2050056 - [GSS][KMS] Tenant configmap does not override vault namespace
2050142 - [DR] MCO operator is setting s3region as empty inside s3storeprofiles
2050402 - Ramen doesn't generate correct VRG spec in sync mode
2050483 - [DR]post creating MirrorPeer, the ramen config map had invalid values
2051249 - [GSS]noobaa-db-pg-0 Pod stuck CrashLoopBackOff state
2051406 - Need commit hash in package json and logs
2051599 - Use AAD while unwrapping the KEY from HPCS/Key Protect KMS
2051913 - [KMS] Skip SC creation for vault SA based kms encryption
2052027 - cephfs: rados omap leak after deletesnapshot
2052438 - [KMS] Storagecluster is in progressing state due to failed RGW deployment when using cluster wide encryption with kubernetes auth method
2052937 - [KMS] Auto-detection of KV version fails when using Vault namespaces
2052996 - ODF deployment fails using RHCS in external mode due to cephobjectstoreuser
2053156 - Avoid worldwide permission mode setting at time of nodestage of CephFS share
2053517 - [DR] Applications are not getting DR protected
2054147 - Provider/Consumer: Provider API server crashloopbackoff
2054755 - Update storagecluster API in the odf-operator
2061251 - [GSS]Object Upload failed with Unhandled exception when not using parameter "UseChunkEncoding = false" in s3 client in ODF 4.9

5. References:

https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36221
https://access.redhat.com/security/cve/CVE-2021-43565
https://access.redhat.com/security/cve/CVE-2021-44716
https://access.redhat.com/security/cve/CVE-2021-44717
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
19 April 2022

ESB-2022.1672 - [Debian] xz-utils: CVSS (Max): 7.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1672
xz-utils security update
19 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: xz-utils
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1271

Original Bulletin: http://www.debian.org/security/2022/dsa-5123

Comment: CVSS (Max): 7.1 CVE-2022-1271 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-5123-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 18, 2022                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xz-utils
CVE ID : CVE-2022-1271
Debian Bug : 1009167

cleemy desu wayo reported that incorrect handling of filenames by xzgrep in xz-utils, the XZ-format compression utilities, can result in overwrite of arbitrary files or execution of arbitrary code if a file with a specially crafted filename is processed.

For the oldstable distribution (buster), this problem has been fixed in version 5.2.4-1+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 5.2.5-2.1~deb11u1.

We recommend that you upgrade your xz-utils packages.
For the detailed security status of xz-utils please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/xz-utils

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------
19 April 2022

ESB-2022.1671 - [Debian] gzip: CVSS (Max): 7.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1671
gzip security update
19 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: gzip
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1271

Original Bulletin: http://www.debian.org/security/2022/dsa-5122

Comment: CVSS (Max): 7.1 CVE-2022-1271 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-5122-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 18, 2022                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : gzip
CVE ID : CVE-2022-1271
Debian Bug : 1009168

cleemy desu wayo reported that incorrect handling of filenames by zgrep in gzip, the GNU compression utilities, can result in overwrite of arbitrary files or execution of arbitrary code if a file with a specially crafted filename is processed.

For the oldstable distribution (buster), this problem has been fixed in version 1.9-3+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 1.10-4+deb11u1.

We recommend that you upgrade your gzip packages.
For the detailed security status of gzip please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gzip

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------
19 April 2022

ESB-2022.1670 - [Debian] chromium: CVSS (Max): None

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1670
chromium security update
19 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: chromium
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1364

Original Bulletin: http://www.debian.org/security/2022/dsa-5121

Comment: CVSS (Max): None available when published

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-5121-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 16, 2022                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2022-1364

A security issue was discovered in Chromium, which could result in the execution of arbitrary code.

For the stable distribution (bullseye), this problem has been fixed in version 100.0.4896.127-1~deb11u1.

We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------