VARIoT IoT vulnerabilities database


VAR-202106-0343 CVE-2020-24511 Red Hat Security Advisory 2021-3029-01 CVSS V2: 2.1
CVSS V3: 6.5
Severity: MEDIUM
Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. Intel Processors are Intel Corporation's processors that interpret computer instructions and process data in computer software. An authenticated attacker could exploit this vulnerability to obtain sensitive information.

====================================================================
Red Hat Security Advisory

Synopsis: Important: microcode_ctl security, bug fix and enhancement update
Advisory ID: RHSA-2021:2305-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2305
Issue date: 2021-06-08
CVE Names: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513
====================================================================

1. Summary:

An update for microcode_ctl is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

The microcode_ctl packages provide microcode updates for Intel.

Security Fix(es):

* hw: vt-d related privilege escalation (CVE-2020-24489)
* hw: improper isolation of shared resources in some Intel Processors (CVE-2020-24511)
* hw: observable timing discrepancy in some Intel Processors (CVE-2020-24512)
* hw: information disclosure on some Intel Atom processors (CVE-2020-24513)

Bug Fix(es) and Enhancement(s):

* Update Intel CPU microcode to microcode-20210525 release

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1962650 - CVE-2020-24489 hw: vt-d related privilege escalation
1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors
1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors
1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors

6. Package List:

Red Hat Enterprise Linux Client (v. 7):
Source: microcode_ctl-2.1-73.9.el7_9.src.rpm
x86_64: microcode_ctl-2.1-73.9.el7_9.x86_64.rpm, microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):
Source: microcode_ctl-2.1-73.9.el7_9.src.rpm
x86_64: microcode_ctl-2.1-73.9.el7_9.x86_64.rpm, microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):
Source: microcode_ctl-2.1-73.9.el7_9.src.rpm
x86_64: microcode_ctl-2.1-73.9.el7_9.x86_64.rpm, microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):
Source: microcode_ctl-2.1-73.9.el7_9.src.rpm
x86_64: microcode_ctl-2.1-73.9.el7_9.x86_64.rpm, microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-24489
https://access.redhat.com/security/cve/CVE-2020-24511
https://access.redhat.com/security/cve/CVE-2020-24512
https://access.redhat.com/security/cve/CVE-2020-24513
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
VAR-202106-1808 CVE-2021-27628 SAP NetWeaver ABAP Server and ABAP Platform input validation vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: High
SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method DpRTmPrepareReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher) is vulnerable to improper input validation; it may be put into a denial of service (DoS) state.

## Advisory Information

- Public Release Date: 11/22/2021
- Security Advisory ID: ONAPSIS-2021-0015
- Researcher(s): Yvan Genuer

## Vulnerability Information

- Vendor: SAP
- Affected Components: All SAP kernel 32 and 64 bits, unicode and non-unicode
  - SAP KERNEL 7.22
  - SAP KERNEL 7.22EXT
  - SAP KERNEL 7.49
  - SAP KERNEL 7.53
  - SAP KERNEL 7.73
  - SAP KERNEL 7.77
  - SAP KERNEL 7.81
  - SAP KERNEL 8.04
  (Check SAP Note 3021197 for detailed information on affected releases)
- Vulnerability Class: CWE-20, CWE-125, CWE-476
- CVSS v3 score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Risk Level: High
- Assigned CVE: CVE-2021-27628, CVE-2021-27607
- Vendor patch Information: SAP Security NOTE 3021197

## Affected Components Description

The SAP dispatcher service is part of the SAP Kernel. It is mandatory: it manages, gathers and collects the requests from end users, then forwards them to a work process.

## Vulnerability Details

CVE-2021-27607: A NULL pointer dereference exists in `ThSncIn(REQUEST_BUF**, unsigned char)`, where `_Z10DpCaGetPtri` tries to read a part of the input controlled by an attacker, then returns 0x0 instead of a pointer to the normal value if the input is 0xffffffff.

If an attacker crafts a valid SAP Dispatcher packet, with a valid header but with a total packet size smaller than normal, the subtraction operation results in a negative value. If this negative value is anticipated and placed in the same packet at a particular offset, the check operation that compares the two values will pass, and this value is used as a size during the next operation.

## Solution

SAP has released SAP Note 3021197, which provides patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3021197.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

## Report Timeline

- 02/01/2021: Onapsis sends details to SAP
- 02/04/2021: SAP provides internal ID
- 02/08/2021: SAP confirms CVSS
- 06/09/2021: SAP releases SAP Note fixing the issue.
- 11/21/2021: Advisory published

## References

- Onapsis blogpost: https://www.onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system
- CVE Mitre:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27607
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27628
- Vendor Patch: https://launchpad.support.sap.com/#/notes/3021197

## About Onapsis Research Labs

Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community. Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories

## About Onapsis, Inc.

Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems (ERP, CRM, PLM, HCM, SCM and BI applications) from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant. For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com.

## License

This advisory is licensed under a [Creative Commons 4.0 BY-ND International License](https://creativecommons.org/licenses/by-nd/4.0/legalcode)
VAR-202106-1816 CVE-2021-27597 SAP NetWeaver AS for ABAP input validation vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
SAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method memmove() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver AS for ABAP (RFC Gateway) is vulnerable to improper input validation; it may be put into a denial of service (DoS) state. SAP NetWeaver AS ABAP is the application server for ABAP (Advanced Business Application Programming) from the German company SAP. The flaw is a memory corruption vulnerability in the NetWeaver ABAP Server and ABAP Platform, one of multiple such vulnerabilities reported in SAP products.

## Advisory Information

- Public Release Date: 11/22/2021
- Security Advisory ID: ONAPSIS-2021-0018
- Researcher(s): Yvan Genuer

## Vulnerability Information

- Vendor: SAP
- Affected Components: All SAP kernel 32 and 64 bits, unicode and non-unicode
  - SAP KERNEL 7.22
  - SAP KERNEL 7.22EXT
  - SAP KERNEL 7.49
  - SAP KERNEL 7.53
  - SAP KERNEL 7.73
  - SAP KERNEL 7.77
  - SAP KERNEL 7.81
  - SAP KERNEL 8.04
  (Check SAP Note 3020209 for detailed information on affected releases)
- Vulnerability Class: CWE-20, CWE-125, CWE-476
- CVSS v3 score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Risk Level: High
- Assigned CVE: CVE-2021-27597, CVE-2021-27633, CVE-2021-27634
- Vendor patch Information: SAP Security NOTE 3020209

## Affected Components Description

The SAP Gateway server is the component that manages the communication between the SAP system and the rest of the world. This is a mandatory service for a SAP NetWeaver system; without it, no background communication to the system is possible, making the system useless.

## Vulnerability Details

The source pointer is calculated partially with attacker-controlled inputs. When this `GW_REQ*` pointer is used again in `GwSearchConn()` to get another offset, it leads to unintended behavior or a crash.

An attacker can craft a malicious RFC packet to reach a particular part of function `ThrtHdlAppc()`, where inputs, after a few modifications, are sent to disp+work with `ThSAPCMSEND()`, leading it to crash in `ThCPIC()`.

In a normal workload, RFC requests received by the gwrd are forwarded to a work process of type DIA to perform an ABAP task. These requests are stored in the `pendingRequests` part of memory. An attacker can craft a valid RFC packet and force the service to store a malicious entry in the `pendingRequests` area, leading the disp+work to crash.

## Solution

SAP has released SAP Note 3020209, which provides patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3020209.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

## Report Timeline

- 02/01/2021: Onapsis sends details to SAP
- 02/04/2021: SAP provides internal ID
- 02/08/2021: SAP confirms CVSS
- 06/09/2021: SAP releases SAP Note fixing the issue.
- 11/22/2021: Advisory published

## References

- Onapsis blogpost: https://www.onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system
- CVE Mitre:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27597
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27633
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27634
- Vendor Patch: https://launchpad.support.sap.com/#/notes/3020209

## About Onapsis Research Labs

Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community. Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories

## About Onapsis, Inc.

Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems (ERP, CRM, PLM, HCM, SCM and BI applications) from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant. For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com.

## License

This advisory is licensed under a [Creative Commons 4.0 BY-ND International License](https://creativecommons.org/licenses/by-nd/4.0/legalcode)
VAR-202106-1530 CVE-2021-33663 SAP NetWeaver AS ABAP improper authentication vulnerability CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands into encrypted SMTP sessions over the network, due to improper restriction of I/O buffering, which can partially impact the integrity of the application. SAP NetWeaver AS ABAP contains an improper authentication vulnerability. Information may be tampered with.
VAR-202106-1807 CVE-2021-27629 SAP NetWeaver ABAP Server and ABAP Platform input validation vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: High
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EncPSetUnsupported() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) is vulnerable to improper input validation; it may be put into a denial of service (DoS) state.

## Advisory Information

- Public Release Date: 11/22/2021
- Security Advisory ID: ONAPSIS-2021-0017
- Researcher(s): Yvan Genuer

## Vulnerability Information

- Vendor: SAP
- Affected Components: All SAP kernel 32 and 64 bits, unicode and non-unicode
  - SAP KERNEL 7.22
  - SAP KERNEL 7.22EXT
  - SAP KERNEL 7.49
  - SAP KERNEL 7.53
  - SAP KERNEL 7.73
  - SAP KERNEL 7.77
  - SAP KERNEL 7.81
  - SAP KERNEL 8.04
  (Check SAP Note 3020104 for detailed information on affected releases)
- Vulnerability Class: CWE-20, CWE-125, CWE-476
- CVSS v3 score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Risk Level: High
- Assigned CVE: CVE-2021-27606, CVE-2021-27629, CVE-2021-27630, CVE-2021-27631, CVE-2021-27632
- Vendor patch Information: SAP Security NOTE 3020104

## Affected Components Description

The SAP Enqueue server is the component that manages the lock table. There is only one ENQ server in a distributed SAP System. It receives a lock request and checks the lock table to determine collisions. This is a mandatory service for a SAP NetWeaver system; without it, no modification in the SAP system is possible.

## Vulnerability Details

CVE-2021-27606: An attacker can craft a malicious enqueue packet to force a read outside memory bounds in function `EncOAMParamStore()`. A comparison value in a loop can be tricked and forced to a high value, eventually crashing when some relevant register is overwritten.

CVE-2021-27629: An attacker can craft a malicious enqueue packet to force a read outside memory bounds in function `EncPSetUnsupported`. A counter for a movs instruction can be controlled by an attacker, leading to a crash.

CVE-2021-27630: A NULL pointer dereference exists in `EnqConvUniToSrvReq` when the program tries to calculate the size of part of the message from the input packet. A register points to the content of the packet and could be controlled by the attacker.

CVE-2021-27631: A NULL pointer dereference exists in `EnqConvUniToSrvReq` when the program tries to calculate the size of part of the message from the input packet. A register points to the content of the packet and could be controlled by the attacker.

CVE-2021-27632: A NULL pointer dereference exists in `EnqConvUniToSrvReq()`, where the function reads inputs from the provided packet, then uses them to calculate an offset for a pointer. Both inputs are user controlled and can lead to dereferencing a register that will be used in `EnqConvObjToStr`.

## Solution

SAP has released SAP Note 3020104, which provides patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3020104.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

## Report Timeline

- 02/01/2021: Onapsis sends details to SAP
- 02/04/2021: SAP provides internal ID
- 02/08/2021: SAP confirms CVSS
- 06/09/2021: SAP releases SAP Note fixing the issue.
- 11/22/2021: Advisory published

## References

- Onapsis blogpost: https://www.onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system
- CVE Mitre:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27606
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27629
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27630
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27631
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27632
- Vendor Patch: https://launchpad.support.sap.com/#/notes/3020104

## About Onapsis Research Labs

Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community. Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories

## About Onapsis, Inc.

Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems (ERP, CRM, PLM, HCM, SCM and BI applications) from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant. For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com.

## License

This advisory is licensed under a [Creative Commons 4.0 BY-ND International License](https://creativecommons.org/licenses/by-nd/4.0/legalcode)
VAR-202106-1806 CVE-2021-27630 SAP NetWeaver ABAP Server and ABAP Platform input validation vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: High
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) is vulnerable to improper input validation; it may be put into a denial of service (DoS) state.

The Onapsis advisory ONAPSIS-2021-0017 (SAP Security NOTE 3020104), which covers this CVE together with CVE-2021-27606, CVE-2021-27629, CVE-2021-27631 and CVE-2021-27632, is reproduced in full under VAR-202106-1807 above.
VAR-202106-1422 CVE-2021-26313 Multiple CPU products: vulnerability leaking resources to the wrong area CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
Potential speculative code store bypass in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution of overwritten instructions, may cause an incorrect speculation and could result in data leakage. Multiple CPU products contain a vulnerability related to the leakage of resources to the wrong area. Information may be obtained.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202107-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Xen: Multiple vulnerabilities
Date: July 12, 2021
Bugs: #760144, #766474, #783456, #795054
ID: 202107-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Xen, the worst of which could result in privilege escalation.

Background
==========

Xen is a bare-metal hypervisor.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/xen         < 4.15.0-r1            >= 4.14.2-r1
                                                      >= 4.15.0-r1

Description
===========

Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xen 4.14.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.14.2-r1"

All Xen 4.15.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.15.0-r1"

References
==========

[ 1 ] CVE-2020-29479
      https://nvd.nist.gov/vuln/detail/CVE-2020-29479
[ 2 ] CVE-2020-29486
      https://nvd.nist.gov/vuln/detail/CVE-2020-29486
[ 3 ] CVE-2020-29487
      https://nvd.nist.gov/vuln/detail/CVE-2020-29487
[ 4 ] CVE-2020-29566
      https://nvd.nist.gov/vuln/detail/CVE-2020-29566
[ 5 ] CVE-2020-29567
      https://nvd.nist.gov/vuln/detail/CVE-2020-29567
[ 6 ] CVE-2020-29568
      https://nvd.nist.gov/vuln/detail/CVE-2020-29568
[ 7 ] CVE-2020-29569
      https://nvd.nist.gov/vuln/detail/CVE-2020-29569
[ 8 ] CVE-2020-29570
      https://nvd.nist.gov/vuln/detail/CVE-2020-29570
[ 9 ] CVE-2020-29571
      https://nvd.nist.gov/vuln/detail/CVE-2020-29571
[ 10 ] CVE-2021-0089
      https://nvd.nist.gov/vuln/detail/CVE-2021-0089
[ 11 ] CVE-2021-26313
      https://nvd.nist.gov/vuln/detail/CVE-2021-26313
[ 12 ] CVE-2021-28687
      https://nvd.nist.gov/vuln/detail/CVE-2021-28687
[ 13 ] CVE-2021-28690
      https://nvd.nist.gov/vuln/detail/CVE-2021-28690
[ 14 ] CVE-2021-28691
      https://nvd.nist.gov/vuln/detail/CVE-2021-28691
[ 15 ] CVE-2021-28692
      https://nvd.nist.gov/vuln/detail/CVE-2021-28692
[ 16 ] CVE-2021-28693
      https://nvd.nist.gov/vuln/detail/CVE-2021-28693
[ 17 ] CVE-2021-3308
      https://nvd.nist.gov/vuln/detail/CVE-2021-3308

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202107-30

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
=======
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

For the stable distribution (buster), these problems have been fixed in version 4.11.4+107-gef32c7afa2-1. We recommend that you upgrade your xen packages. For the detailed security status of xen please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
VAR-202106-0702 CVE-2021-21490 SAP NetWeaver AS for ABAP Cross-site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: Medium
SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user. SAP NetWeaver AS for ABAP (Web Survey) contains a cross-site scripting vulnerability. Information may be obtained and information may be tampered with.
VAR-202106-1132 CVE-2021-27610 Authentication vulnerability in SAP NetWeaver ABAP Server and ABAP Platform CVSS V2: 7.5
CVSS V3: 9.8
Severity: Critical
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system. SAP NetWeaver ABAP Server and ABAP Platform contain an authentication vulnerability. Information may be obtained, information may be tampered with, and a denial of service (DoS) state may result.
VAR-202106-1800 CVE-2021-27632 SAP NetWeaver ABAP Server and ABAP Platform Input validation vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) contains an input validation vulnerability. A denial of service (DoS) state may result.

## Advisory Information

- Public Release Date: 11/22/2021
- Security Advisory ID: ONAPSIS-2021-0017
- Researcher(s): Yvan Genuer

## Vulnerability Information

- Vendor: SAP
- Affected Components: All SAP kernel 32 and 64 bits, unicode and no-unicode
  - SAP KERNEL 7.22
  - SAP KERNEL 7.22EXT
  - SAP KERNEL 7.49
  - SAP KERNEL 7.53
  - SAP KERNEL 7.73
  - SAP KERNEL 7.77
  - SAP KERNEL 7.81
  - SAP KERNEL 8.04
  (Check SAP Note 3020104 for detailed information on affected releases)
- Vulnerability Class: CWE-20, CWE-125, CWE-476
- CVSS v3 score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Risk Level: High
- Assigned CVE: CVE-2021-27606, CVE-2021-27629, CVE-2021-27630, CVE-2021-27631, CVE-2021-27632
- Vendor patch Information: SAP Security NOTE 3020104

## Affected Components Description

The SAP Enqueue server is the component that manages the lock table. There is only one ENQ server in a distributed SAP System. It receives a lock request and checks the lock table to determine collisions. This is a mandatory service for an SAP NetWeaver system; without it, no modification in the SAP system is possible.

## Vulnerability Details

CVE-2021-27606: An attacker can craft a malicious enqueue packet to force a read outside of memory bounds in function `EncOAMParamStore()`. A comparison value in a loop can be tricked and forced to a high value. The process eventually crashes when a relevant register is overwritten.

CVE-2021-27629: An attacker can craft a malicious enqueue packet to force a read outside of memory bounds in function `EncPSetUnsupported`. A counter for a movs instruction can be controlled by an attacker, leading to a crash.

CVE-2021-27630: A NULL pointer dereference exists in `EnqConvUniToSrvReq` when the program tries to calculate the size of part of the message from the input packet. A register points to the content of the packet and could be controlled by the attacker.

CVE-2021-27631: A NULL pointer dereference exists in `EnqConvUniToSrvReq` when the program tries to calculate the size of part of the message from the input packet. A register points to the content of the packet and could be controlled by the attacker.

CVE-2021-27632: A NULL pointer dereference exists in `EnqConvUniToSrvReq()`, where the function reads inputs from the provided packet then uses them to calculate an offset for a pointer. Both inputs are user controlled, and can lead to dereferencing a register that will be used in `EnqConvObjToStr`.

## Solution

SAP has released SAP Note 3020104 which provides patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3020104. Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

## Report Timeline (MM-DD-YYYY)

- 02/01/2021: Onapsis sends details to SAP
- 02/04/2021: SAP provides internal ID
- 02/08/2021: SAP confirms CVSS
- 06/09/2021: SAP releases SAP Note fixing the issue.
- 11/22/2021: Advisory published

## References

- Onapsis blogpost: https://www.onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system
- CVE Mitre:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27606
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27629
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27630
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27631
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27632
- Vendor Patch: https://launchpad.support.sap.com/#/notes/3020104

## About Onapsis Research Labs

Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community. Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories

## About Onapsis, Inc.

Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems (ERP, CRM, PLM, HCM, SCM and BI applications) from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant. For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com.

## License

This advisory is licensed under a [Creative Commons 4.0 BY-ND International License](https://creativecommons.org/licenses/by-nd/4.0/legalcode)
VAR-202106-1805 CVE-2021-27631 SAP NetWeaver ABAP Server and ABAP Platform Input validation vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: High
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) contains an input validation vulnerability. A denial of service (DoS) state may result. Details are in the Onapsis advisory ONAPSIS-2021-0017 reproduced under VAR-202106-1800 above.
VAR-202106-2045 No CVE Shenzhen Wangxin Technology Co., Ltd. Wangxin Cloud device has unauthorized access vulnerability (CNVD-2021-32437) CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Shenzhen Wangxin Technology Co., Ltd. is a sharing economy cloud computing company focusing on technological innovation. Shenzhen Wangxin Technology Co., Ltd. Wangxin Cloud equipment has an unauthorized access vulnerability. Attackers can use this vulnerability to obtain sensitive information.
VAR-202106-1813 CVE-2021-27607 SAP NetWeaver ABAP Server and ABAP Platform Input validation vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: High
SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method ThSncIn() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher) contains an input validation vulnerability. A denial of service (DoS) state may result.

## Advisory Information

- Public Release Date: 11/22/2021
- Security Advisory ID: ONAPSIS-2021-0015
- Researcher(s): Yvan Genuer

## Vulnerability Information

- Vendor: SAP
- Affected Components: All SAP kernel 32 and 64 bits, unicode and no-unicode
  - SAP KERNEL 7.22
  - SAP KERNEL 7.22EXT
  - SAP KERNEL 7.49
  - SAP KERNEL 7.53
  - SAP KERNEL 7.73
  - SAP KERNEL 7.77
  - SAP KERNEL 7.81
  - SAP KERNEL 8.04
  (Check SAP Note 3021197 for detailed information on affected releases)
- Vulnerability Class: CWE-20, CWE-125, CWE-476
- CVSS v3 score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Risk Level: High
- Assigned CVE: CVE-2021-27628, CVE-2021-27607
- Vendor patch Information: SAP Security NOTE 3021197

## Affected Components Description

The SAP dispatcher service is part of the SAP Kernel. It is mandatory: it manages, gathers and collects the requests from end users, then forwards them to a work process.

## Vulnerability Details

CVE-2021-27607: A NULL pointer dereference exists in `ThSncIn(REQUEST_BUF**, unsigned char)`, where `_Z10DpCaGetPtri` tries to read a part of the input controlled by an attacker, then returns 0x0 instead of a pointer to a normal value if the input is 0xffffffff.

If an attacker crafts a valid SAP Dispatcher packet, with a valid header, but with a total packet size smaller than normal, the subtraction operation results in a negative value. Also, if this negative value is anticipated and put in the same packet at a particular offset, the check operation that compares the two values will pass, and this value is used as the size during the next operation.

## Solution

SAP has released SAP Note 3021197 which provides patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3021197. Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

## Report Timeline

- 02/01/2021: Onapsis sends details to SAP
- 02/04/2021: SAP provides internal ID
- 02/08/2021: SAP confirms CVSS
- 06/09/2021: SAP releases SAP Note fixing the issue.
- 11/21/2021: Advisory published

## References

- Onapsis blogpost: https://www.onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system
- CVE Mitre:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27607
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27628
- Vendor Patch: https://launchpad.support.sap.com/#/notes/3021197

## About Onapsis Research Labs

Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community. Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories

## About Onapsis, Inc.

Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems (ERP, CRM, PLM, HCM, SCM and BI applications) from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant. For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com.

## License

This advisory is licensed under a [Creative Commons 4.0 BY-ND International License](https://creativecommons.org/licenses/by-nd/4.0/legalcode)
VAR-202106-1820 CVE-2021-27606 SAP NetWeaver ABAP Server and ABAP Platform Input validation vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: High
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EncOAMParamStore() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) contains an input validation vulnerability. A denial of service (DoS) state may result. Details are in the Onapsis advisory ONAPSIS-2021-0017 reproduced under VAR-202106-1800 above.
VAR-202106-0345 CVE-2020-24513 Intel Processors Information disclosure vulnerability CVSS V2: 2.1
CVSS V3: 6.5
Severity: MEDIUM
Domain-bypass transient execution vulnerability in some Intel Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. Intel Processors (Intel processors) are Intel Corporation's processors that interpret computer instructions and process data in computer software. An unauthorized attacker could exploit the vulnerability to obtain sensitive information from the affected components.

For the stable distribution (buster), these problems have been fixed in version 3.20210608.2~deb10u1.

Note that there are two reported regressions: for some CoffeeLake CPUs this update may break iwlwifi (https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56), and for some Skylake R0/D0 CPUs on systems using a very outdated firmware/BIOS, the system may hang on boot (https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31). If you are affected by those issues, you can recover by disabling microcode loading on boot (as documented in README.Debian, also available online at https://salsa.debian.org/hmh/intel-microcode/-/blob/master/debian/README.Debian).

We recommend that you upgrade your intel-microcode packages.
For the detailed security status of intel-microcode please refer to its security tracker page at: https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

====================================================================
Red Hat Security Advisory

Synopsis: Important: microcode_ctl security, bug fix and enhancement update
Advisory ID: RHSA-2021:2303-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2303
Issue date: 2021-06-08
CVE Names: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513
====================================================================

1. Summary:

An update for microcode_ctl is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.6) - x86_64
Red Hat Enterprise Linux Server E4S (v. 7.6) - x86_64
Red Hat Enterprise Linux Server TUS (v. 7.6) - x86_64

3. Description:

The microcode_ctl packages provide microcode updates for Intel.

Security Fix(es):

* hw: vt-d related privilege escalation (CVE-2020-24489)
* hw: improper isolation of shared resources in some Intel Processors (CVE-2020-24511)
* hw: observable timing discrepancy in some Intel Processors (CVE-2020-24512)
* hw: information disclosure on some Intel Atom processors (CVE-2020-24513)

Bug Fix(es) and Enhancement(s):

* Update Intel CPU microcode to microcode-20210525 release

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1962650 - CVE-2020-24489 hw: vt-d related privilege escalation
1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors
1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors
1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.6):
Source: microcode_ctl-2.1-47.21.el7_6.src.rpm
x86_64: microcode_ctl-2.1-47.21.el7_6.x86_64.rpm microcode_ctl-debuginfo-2.1-47.21.el7_6.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.6):
Source: microcode_ctl-2.1-47.21.el7_6.src.rpm
x86_64: microcode_ctl-2.1-47.21.el7_6.x86_64.rpm microcode_ctl-debuginfo-2.1-47.21.el7_6.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.6):
Source: microcode_ctl-2.1-47.21.el7_6.src.rpm
x86_64: microcode_ctl-2.1-47.21.el7_6.x86_64.rpm microcode_ctl-debuginfo-2.1-47.21.el7_6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-24489
https://access.redhat.com/security/cve/CVE-2020-24511
https://access.redhat.com/security/cve/CVE-2020-24512
https://access.redhat.com/security/cve/CVE-2020-24513
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce
VAR-202106-1173 CVE-2021-33190 Apache APISIX Dashboard improper restriction of excessive authentication attempts vulnerability CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
In Apache APISIX Dashboard version 2.6, the default value of the listen host was changed to 0.0.0.0 to make external network access easier to configure. In the IP allow list restriction, a risky function was used to obtain the client IP, which made it possible to bypass the network limit. At the same time, the default account and password are fixed. Together these factors create a security risk. This issue is fixed in APISIX Dashboard 2.6.1. Apache APISIX Dashboard is therefore vulnerable to improper restriction of excessive authentication attempts; information may be tampered with. Apache APISIX is a cloud-native microservice API gateway from the Apache Software Foundation. It is implemented on OpenResty and etcd, supports dynamic routing and hot loading of plug-ins, and is intended for API management in microservice systems. APISIX Dashboard 2.6 has a security vulnerability that attackers may use to bypass network restrictions.
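The entry above does not name the risky function, so what follows is an added illustration of the bypass class, not APISIX Dashboard's own code (the Dashboard's manager API is written in Go, which is why Go is used here). The assumption, stated as such, is that the client address was taken from a client-controllable proxy header such as X-Forwarded-For; an allow list fed that way is satisfied by any remote host that forges the header, whereas one fed the TCP peer address is not. The names `allowListCIDRs`, `headerIP`, `peerIP`, `ipAllowed` and `newRequest`, the CIDRs and the addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// allowListCIDRs stands in for the dashboard's configured IP allow list.
// The CIDRs are constructed sample values.
var allowListCIDRs = mustParseCIDRs("127.0.0.1/32", "10.0.0.0/8")

func mustParseCIDRs(specs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(specs))
	for _, s := range specs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// ipAllowed reports whether ip lies inside any allow-listed CIDR.
// An address that does not parse is rejected rather than skipped.
func ipAllowed(ip string) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false
	}
	for _, n := range allowListCIDRs {
		if n.Contains(addr) {
			return true
		}
	}
	return false
}

// peerIP is the hardened source: the address of the TCP peer, which a remote
// client cannot choose. (Behind a trusted reverse proxy this is the proxy's
// address, and forwarded headers must then be accepted from that proxy only.)
func peerIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// headerIP is the risky pattern: it prefers X-Forwarded-For, a header any
// client can set, and only falls back to the peer address when it is absent.
func headerIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return peerIP(r)
}

// newRequest builds a request as the server sees it: remote is the TCP peer
// in host:port form, xff (if non-empty) is a client-supplied X-Forwarded-For.
func newRequest(remote, xff string) *http.Request {
	r, err := http.NewRequest(http.MethodGet, "/", nil)
	if err != nil {
		panic(err)
	}
	r.RemoteAddr = remote
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	// An Internet host (203.0.113.5, a documentation address) claims to be
	// loopback via the header. Only the header-based check lets it through.
	spoofed := newRequest("203.0.113.5:51234", "127.0.0.1")
	fmt.Printf("header-derived IP %-12s allowed=%v\n", headerIP(spoofed), ipAllowed(headerIP(spoofed)))
	fmt.Printf("peer-derived IP   %-12s allowed=%v\n", peerIP(spoofed), ipAllowed(peerIP(spoofed)))
}
```

The practical consequence is the one the entry describes: once the listen host is 0.0.0.0 and the allow list can be forged around, the fixed default account and password are all that stands between the network and the admin interface. Honour forwarded headers only when the peer is a proxy you control, and change the default credentials regardless.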
VAR-202106-1423 CVE-2021-26314 Exposure of a resource to the wrong sphere in multiple CPU products CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage. Multiple CPU products therefore contain a vulnerability in which a resource is exposed to the wrong sphere; information may be obtained. Intel processors are Intel Corporation's processors that interpret computer instructions and process data for computer software. The information disclosure vulnerability in Intel processors and AMD CPUs originates in speculative execution proceeding on an incorrect floating point result (FPVI); it is a processor issue rather than a misconfiguration. An unauthorized attacker could exploit the vulnerability to obtain sensitive information from the affected components.
VAR-202106-1142 CVE-2021-30357 Information exposure through an error message in SSL Network Extender Client for Linux CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
SSL Network Extender Client for Linux before build 800008302 reveals part of the contents of the configuration file supplied, which allows partially disclosing files to which the user did not have access.
VAR-202106-0349 CVE-2020-24489 Intel Virtualization Technology for Directed I/O (VT-d) incomplete cleanup privilege escalation vulnerability CVSS V2: 4.6
CVSS V3: 8.8
Severity: HIGH
Incomplete cleanup in some Intel(R) VT-d products may allow an authenticated user to potentially enable escalation of privilege via local access.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Virtualization Host security update [ovirt-4.4.6]
Advisory ID: RHSA-2021:2522-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2522
Issue date: 2021-06-22
CVE Names: CVE-2020-24489 CVE-2021-3501 CVE-2021-3560 CVE-2021-27219
=====================================================================

1. Summary:

An update for imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL 8-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64
Red Hat Virtualization 4 Hypervisor for RHEL 8 - x86_64

3. Description:

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.

The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.

Security Fix(es):

* glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219)
* kernel: userspace applications can misuse the KVM API to cause a write of 16 bytes at an offset up to 32 GB from vcpu->run (CVE-2021-3501)
* polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)
* hw: vt-d related privilege escalation (CVE-2020-24489)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Previously, systemtap dependencies were not included in the RHV-H channel. Therefore, systemtap could not be installed. In this release, the systemtap dependencies have been included in the channel, resolving the issue. (BZ#1903997)

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1903997 - Provide systemtap dependencies within RHV-H channel
1929858 - CVE-2021-27219 glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits
1950136 - CVE-2021-3501 kernel: userspace applications can misuse the KVM API to cause a write of 16 bytes at an offset up to 32 GB from vcpu->run
1961710 - CVE-2021-3560 polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()
1962650 - CVE-2020-24489 hw: vt-d related privilege escalation

6. Package List:

Red Hat Virtualization 4 Hypervisor for RHEL 8:

Source:
redhat-virtualization-host-4.4.6-20210615.0.el8_4.src.rpm

x86_64:
redhat-virtualization-host-image-update-4.4.6-20210615.0.el8_4.x86_64.rpm

RHEL 8-based RHEV-H for RHEV 4 (build requirements):

Source:
redhat-release-virtualization-host-4.4.6-2.el8ev.src.rpm

noarch:
redhat-virtualization-host-image-update-placeholder-4.4.6-2.el8ev.noarch.rpm

x86_64:
redhat-release-virtualization-host-4.4.6-2.el8ev.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-24489
https://access.redhat.com/security/cve/CVE-2021-3501
https://access.redhat.com/security/cve/CVE-2021-3560
https://access.redhat.com/security/cve/CVE-2021-27219
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYNH6EtzjgjWX9erEAQg8rBAApw3Jn/EPQosAw8RDA053A4aCxO2gHC15
HK1kJ2gSn73kahmvvl3ZAFQW3Wa/OKZRFnbOKZPcJvKeVKnmeHdjmX6V/wNC/bAO
i2bc69+GYd+mj3+ngKmTyFFVSsgDWCfFv6lwMl74d0dXYauCfMTiMD/K/06zaQ3b
arTdExk9VynIcr19ggOfhGWAe5qX8ZXfPHwRAmDBNZCUjzWm+c+O+gQQiy/wWzMB
6vbtEqKeXfT1XgxjdQO5xfQ4Fvd8ssKXwOjdymCsEoejplVFmO3reBrl+y95P3p9
BCKR6/cWKzhaAXfS8jOlZJvxA0TyxK5+HOP8pGWGfxBixXVbaFR4E/+rnA1E04jp
lGXvby0yq1Q3u4/dYKPn7oai1H7b7TOaCKrmTMy3Nwd5mKiT+CqYk2Va0r2+Cy/2
jH6CeaSKJIBFviUalmc7ZbdPR1zfa1LEujaYp8aCez8pNF0Mopf5ThlCwlZdEdxG
aTK1VPajNj2i8oveRPgNAzIu7tMh5Cibyo92nkfjhV9ube7WLg4fBKbX/ZfCBS9y
osA4oRWUFbJYnHK6Fbr1X3mIYIq0s2y0MO2QZWj8hvzMT+BcQy5byreU4Y6o8ikl
hXz6yl7Cu6X7wm32QZNZMWbUwJfksJRBR+dfkhDcGV0/zQpMZpwHDXs06kal9vsY
DRQj4fNuEQo=
=bDgd
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
VAR-202106-0344 CVE-2020-24512 Intel Processors Information disclosure vulnerability CVSS V2: 2.1
CVSS V3: 3.3
Severity: LOW
Observable timing discrepancy in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: microcode_ctl security, bug fix and enhancement update
Advisory ID: RHSA-2021:2305-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2305
Issue date: 2021-06-08
CVE Names: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513
====================================================================

1. Summary:

An update for microcode_ctl is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

The microcode_ctl packages provide microcode updates for Intel.

Security Fix(es):

* hw: vt-d related privilege escalation (CVE-2020-24489)
* hw: improper isolation of shared resources in some Intel Processors (CVE-2020-24511)
* hw: observable timing discrepancy in some Intel Processors (CVE-2020-24512)
* hw: information disclosure on some Intel Atom processors (CVE-2020-24513)

Bug Fix(es) and Enhancement(s):

* Update Intel CPU microcode to microcode-20210525 release

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1962650 - CVE-2020-24489 hw: vt-d related privilege escalation
1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors
1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors
1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
microcode_ctl-2.1-73.9.el7_9.src.rpm

x86_64:
microcode_ctl-2.1-73.9.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
microcode_ctl-2.1-73.9.el7_9.src.rpm

x86_64:
microcode_ctl-2.1-73.9.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
microcode_ctl-2.1-73.9.el7_9.src.rpm

x86_64:
microcode_ctl-2.1-73.9.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
microcode_ctl-2.1-73.9.el7_9.src.rpm

x86_64:
microcode_ctl-2.1-73.9.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-24489
https://access.redhat.com/security/cve/CVE-2020-24511
https://access.redhat.com/security/cve/CVE-2020-24512
https://access.redhat.com/security/cve/CVE-2020-24513
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYMAkjNzjgjWX9erEAQj9Rw//aAXwJWN2Q/e3KJ6n+bdhBXSWxMI+ro7r
86Elrmw3BY2uTNbkjEorxQfON15ZawMJn0eNprNGA4gxRJ1/OlV+bMXcXsHcxdwt
2ndTxSL9G3xd+B3j6L8N2YQAXzCSzJT2ohbFPntZeMDpd6hILbNO+XDmnPu0uEsh
E1Rl1BNsQJGoJ9yrrk9hqae2erlB2nTuDwYcNN6YWANkpWxPnzrJBRt115hBL/Xm
Gh9vsxTC98/V+TWn0o0gLDUr0sM21KhD2U8F3byxBQB4Kr4Y0X34U12whwHkG95b
m+HKj38OHmwhm+JZV68AsVBbnaa4TM3ilccuAVujxcW10IyXZBsmBFoEnIQ5Y7mm
X8Bc5goFlKet/cDqwwUDBvjFfXfC61+2N4gRnWp48b8+vojs+T6JsurrCJbRhXjL
gy8adoRwG3zNj+0xh7sHjX7XkIYFwrWMxiFHUaJWMV8pfx6NvGJJTiRR6n1+nKJt
scM4MX7RUnLlcmRMbN4HpU4Kg7CLqI3dgiJ1XAgIUyB4Xvsb+Ckp/M8EB9I+GLDP
Z4feYJ/cplYpSCcRG0xxHsnqrDFgAI0P/KVy9GQeAaXWWVwQzP5vHr+tauLSaEae
q4MCBAMQQ69TX2rSLhnwtH1fpVuBsZibIN3QAikZM///peIXrNcmR4jPBVRPU6p+
ulH8AIb5GRA=
=sYI9
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

=========================================================================
Ubuntu Security Notice USN-4985-1
June 09, 2021

intel-microcode vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Intel Microcode.

This may allow a local user to perform a privilege escalation attack. (CVE-2020-24489)

Joseph Nuzman discovered that some Intel processors may not properly apply EIBRS mitigations (originally developed for CVE-2017-5715) and hence may allow unauthorized memory reads via sidechannel attacks. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2020-24511)

Travis Downs discovered that some Intel processors did not properly flush cache-lines for trivial-data values. This may allow an unauthorized user to infer the presence of these trivial-data-cache-lines via timing sidechannel attacks. A local attacker could use this to expose sensitive information. (CVE-2020-24512)

It was discovered that certain Intel Atom processors could expose memory contents stored in microarchitectural buffers. A local attacker could use this to expose sensitive information. (CVE-2020-24513)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 21.04:
  intel-microcode  3.20210608.0ubuntu0.21.04.1

Ubuntu 20.10:
  intel-microcode  3.20210608.0ubuntu0.20.10.1

Ubuntu 20.04 LTS:
  intel-microcode  3.20210608.0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
  intel-microcode  3.20210608.0ubuntu0.18.04.1

Ubuntu 16.04 ESM:
  intel-microcode  3.20210608.0ubuntu0.16.04.1+esm1

Ubuntu 14.04 ESM:
  intel-microcode  3.20210608.0ubuntu0.14.04.1+esm1

After a standard system update you need to reboot your computer to make all the necessary changes.
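The Red Hat and Ubuntu advisories above both end at "update the package and reboot". The check a practitioner wants after that reboot is whether the new microcode revision is actually live on every logical CPU, since a runtime (late) load can leave cores disagreeing and a package that was installed but never loaded leaves the old revision in place. The program below is an added example, not part of either advisory and not Intel or distribution tooling: it parses the `microcode` field of /proc/cpuinfo, fails if the cores disagree or if the common revision is below the one expected, and reports the revision otherwise. The expected revision is an operator input taken from the microcode-20210525 release notes for the host's CPU signature; the function names `parseMicrocode` and `checkMicrocode`, the embedded /proc/cpuinfo excerpt and the revision values in it are constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// sampleCPUInfo is a constructed two-CPU excerpt in /proc/cpuinfo format.
// The model and revision values are illustrative, not taken from a release note.
const sampleCPUInfo = `processor   : 0
vendor_id   : GenuineIntel
model name  : Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
microcode   : 0xea

processor   : 1
vendor_id   : GenuineIntel
model name  : Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
microcode   : 0xea
`

// parseMicrocode returns the microcode revision reported for each logical CPU.
// Only the "processor" and "microcode" keys are used; the kernel prints both
// once per CPU on x86.
func parseMicrocode(cpuinfo string) (map[int]uint64, error) {
	revs := make(map[int]uint64)
	cpu := -1
	for _, line := range strings.Split(cpuinfo, "\n") {
		key, val, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch key {
		case "processor":
			n, err := strconv.Atoi(val)
			if err != nil {
				return nil, fmt.Errorf("bad processor line %q: %w", line, err)
			}
			cpu = n
		case "microcode":
			if cpu < 0 {
				return nil, fmt.Errorf("microcode line before any processor line")
			}
			rev, err := strconv.ParseUint(strings.TrimPrefix(val, "0x"), 16, 64)
			if err != nil {
				return nil, fmt.Errorf("bad microcode line %q: %w", line, err)
			}
			revs[cpu] = rev
		}
	}
	return revs, nil
}

// checkMicrocode returns the revision common to all CPUs, or an error if none
// was found, if the CPUs disagree (the update did not reach every core), or if
// the common revision is older than minRev (the update is not live).
func checkMicrocode(revs map[int]uint64, minRev uint64) (uint64, error) {
	if len(revs) == 0 {
		return 0, fmt.Errorf("no microcode field found")
	}
	cpus := make([]int, 0, len(revs))
	for cpu := range revs {
		cpus = append(cpus, cpu)
	}
	sort.Ints(cpus)
	first := revs[cpus[0]]
	for _, cpu := range cpus[1:] {
		if revs[cpu] != first {
			return 0, fmt.Errorf("cpu %d reports 0x%x but cpu %d reports 0x%x: update did not reach every core", cpu, revs[cpu], cpus[0], first)
		}
	}
	if first < minRev {
		return first, fmt.Errorf("microcode 0x%x is older than required 0x%x", first, minRev)
	}
	return first, nil
}

func main() {
	// Usage: microcode-check [min-revision-hex]. Reads /proc/cpuinfo when it
	// exists and falls back to the constructed sample otherwise.
	cpuinfo := sampleCPUInfo
	if data, err := os.ReadFile("/proc/cpuinfo"); err == nil {
		cpuinfo = string(data)
	}
	var minRev uint64 = 0xea // illustrative default; supply the real value from the release notes
	if len(os.Args) > 1 {
		v, err := strconv.ParseUint(strings.TrimPrefix(os.Args[1], "0x"), 16, 64)
		if err != nil {
			fmt.Fprintln(os.Stderr, "bad revision:", err)
			os.Exit(2)
		}
		minRev = v
	}
	revs, err := parseMicrocode(cpuinfo)
	if err != nil {
		fmt.Fprintln(os.Stderr, "FAIL:", err)
		os.Exit(1)
	}
	rev, err := checkMicrocode(revs, minRev)
	if err != nil {
		fmt.Fprintln(os.Stderr, "FAIL:", err)
		os.Exit(1)
	}
	fmt.Printf("OK: %d CPUs all report microcode 0x%x\n", len(revs), rev)
}
```

Run it after the reboot with the revision the release notes list for the CPU signature; a non-zero exit is the signal to investigate, and the disagreeing-cores message in particular points at a late load rather than the early (initramfs) load that microcode_ctl and intel-microcode are meant to provide.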