VARIoT IoT vulnerabilities database

Dell EMC iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.10.00, contain an improper authentication vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the virtual console. DELL Dell EMC iDRAC9 is a set of system management solutions including hardware and software from Dell (DELL). This solution provides functions such as remote management, crash recovery and power control for Dell PowerEdge systems

HCL Domino is affected by an Insufficient Access Control vulnerability. An authenticated attacker with local access to the system could exploit this vulnerability to attain escalation of privileges, denial of service, or information disclosure. HCL Technologies Limited of Domino server Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Knowage Suite 7.3 is vulnerable to Stored Client-Side Template Injection in '/knowage/restful-services/signup/update' via the 'name' parameter. Knowage Suite Is vulnerable to injection.Information may be obtained and information may be tampered with

Knowage Suite 7.3 is vulnerable to unauthenticated reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in '/servlet/AdapterHTTP' via the 'targetService' parameter

Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/documentnotes/saveNote' via the 'nota' parameter

Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter

In JetBrains TeamCity before 2020.2.3, stored XSS was possible on several pages. JetBrains TeamCity Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. TeamCity is a Java-based build management and continuous integration server launched by JetBrains. No detailed vulnerability details are currently provided

An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. Bugs fixed (https://bugzilla.redhat.com/): 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value 5. ========================================================================== Ubuntu Security Notice USN-4997-2 June 25, 2021 linux-kvm vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.04 Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-kvm: Linux kernel for cloud environments Details: USN-4997-1 fixed vulnerabilities in the Linux kernel for Ubuntu 21.04. This update provides the corresponding updates for the Linux KVM kernel for Ubuntu 21.04. Norbert Slusarek discovered a race condition in the CAN BCM networking protocol of the Linux kernel leading to multiple use-after-free vulnerabilities. A local attacker could use this issue to execute arbitrary code. (CVE-2021-3609) Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly enforce limits for pointer operations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33200) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did not properly clear received fragments from memory in some situations. A physically proximate attacker could possibly use this issue to inject packets or expose sensitive information. (CVE-2020-24586) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation incorrectly handled encrypted fragments. A physically proximate attacker could possibly use this issue to decrypt fragments. (CVE-2020-24587) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation incorrectly handled certain malformed frames. If a user were tricked into connecting to a malicious server, a physically proximate attacker could use this issue to inject packets. (CVE-2020-24588) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation incorrectly handled EAPOL frames from unauthenticated senders. A physically proximate attacker could inject malicious packets to cause a denial of service (system crash). (CVE-2020-26139) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did not properly verify certain fragmented frames. (CVE-2020-26141) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation accepted plaintext fragments in certain situations. (CVE-2020-26145) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation could reassemble mixed encrypted and plaintext fragments. A physically proximate attacker could possibly use this issue to inject packets or exfiltrate selected fragments. (CVE-2020-26147) Or Cohen discovered that the SCTP implementation in the Linux kernel contained a race condition in some situations, leading to a use-after-free condition. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-23133) Or Cohen and Nadav Markus discovered a use-after-free vulnerability in the nfc implementation in the Linux kernel. A privileged local attacker could use this issue to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-23134) Manfred Paul discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel contained an out-of-bounds vulnerability. A local attacker could use this issue to execute arbitrary code. (CVE-2021-31440) Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly prevent speculative loads in certain situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2021-31829) It was discovered that a race condition in the kernel Bluetooth subsystem could lead to use-after-free of slab objects. An attacker could use this issue to possibly execute arbitrary code. (CVE-2021-32399) It was discovered that a use-after-free existed in the Bluetooth HCI driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33034) It was discovered that an out-of-bounds (OOB) memory access flaw existed in the f2fs module of the Linux kernel. A local attacker could use this issue to cause a denial of service (system crash). (CVE-2021-3506) Mathias Krause discovered that a null pointer dereference existed in the Nitro Enclaves kernel driver of the Linux kernel. A local attacker could use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2021-3543) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.04: linux-image-5.11.0-1009-kvm 5.11.0-1009.9 linux-image-kvm 5.11.0.1009.9 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-4997-2 https://ubuntu.com/security/notices/USN-4997-1 CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139, CVE-2020-26141, CVE-2020-26145, CVE-2020-26147, CVE-2021-23133, CVE-2021-23134, CVE-2021-31440, CVE-2021-31829, CVE-2021-32399, CVE-2021-33034, CVE-2021-33200, CVE-2021-3506, CVE-2021-3543, CVE-2021-3609 Package Information: https://launchpad.net/ubuntu/+source/linux-kvm/5.11.0-1009.9 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Openshift Logging 5.3.0 bug fix and security update Advisory ID: RHSA-2021:4627-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:4627 Issue date: 2021-11-15 CVE Names: CVE-2018-20673 CVE-2018-25009 CVE-2018-25010 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2019-5827 CVE-2019-13750 CVE-2019-13751 CVE-2019-14615 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 CVE-2020-0427 CVE-2020-10001 CVE-2020-12762 CVE-2020-13435 CVE-2020-14145 CVE-2020-14155 CVE-2020-16135 CVE-2020-17541 CVE-2020-24370 CVE-2020-24502 CVE-2020-24503 CVE-2020-24504 CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 CVE-2020-26140 CVE-2020-26141 CVE-2020-26143 CVE-2020-26144 CVE-2020-26145 CVE-2020-26146 CVE-2020-26147 CVE-2020-27777 CVE-2020-29368 CVE-2020-29660 CVE-2020-35448 CVE-2020-35521 CVE-2020-35522 CVE-2020-35523 CVE-2020-35524 CVE-2020-36158 CVE-2020-36312 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332 CVE-2020-36386 CVE-2021-0129 CVE-2021-3200 CVE-2021-3348 CVE-2021-3426 CVE-2021-3445 CVE-2021-3481 CVE-2021-3487 CVE-2021-3489 CVE-2021-3564 CVE-2021-3572 CVE-2021-3573 CVE-2021-3580 CVE-2021-3600 CVE-2021-3635 CVE-2021-3659 CVE-2021-3679 CVE-2021-3732 CVE-2021-3778 CVE-2021-3796 CVE-2021-3800 CVE-2021-20194 CVE-2021-20197 CVE-2021-20231 CVE-2021-20232 CVE-2021-20239 CVE-2021-20266 CVE-2021-20284 CVE-2021-22876 CVE-2021-22898 CVE-2021-22925 CVE-2021-23133 CVE-2021-23840 CVE-2021-23841 CVE-2021-27645 CVE-2021-28153 CVE-2021-28950 CVE-2021-28971 CVE-2021-29155 CVE-2021-29646 CVE-2021-29650 CVE-2021-31440 CVE-2021-31535 CVE-2021-31829 CVE-2021-31916 CVE-2021-33033 CVE-2021-33194 CVE-2021-33200 CVE-2021-33560 CVE-2021-33574 CVE-2021-35942 CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087 CVE-2021-42574 ===================================================================== 1. Summary: An update is now available for OpenShift Logging 5.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Openshift Logging Bug Fix Release (5.3.0) Security Fix(es): * golang: x/net/html: infinite loop in ParseFragment (CVE-2021-33194) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update: https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html For Red Hat OpenShift Logging 5.3, see the following instructions to apply this update: https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1168 - Disable hostname verification in syslog TLS settings LOG-1235 - Using HTTPS without a secret does not translate into the correct 'scheme' value in Fluentd LOG-1375 - ssl_ca_cert should be optional LOG-1378 - CLO should support sasl_plaintext(Password over http) LOG-1392 - In fluentd config, flush_interval can't be set with flush_mode=immediate LOG-1494 - Syslog output is serializing json incorrectly LOG-1555 - Fluentd logs emit transaction failed: error_class=NoMethodError while forwarding to external syslog server LOG-1575 - Rejected by Elasticsearch and unexpected json-parsing LOG-1735 - Regression introducing flush_at_shutdown LOG-1774 - The collector logs should be excluded in fluent.conf LOG-1776 - fluentd total_limit_size sets value beyond available space LOG-1822 - OpenShift Alerting Rules Style-Guide Compliance LOG-1859 - CLO Should not error and exit early on missing ca-bundle when cluster wide proxy is not enabled LOG-1862 - Unsupported kafka parameters when enabled Kafka SASL LOG-1903 - Fix the Display of ClusterLogging type in OLM LOG-1911 - CLF API changes to Opt-in to multiline error detection LOG-1918 - Alert `FluentdNodeDown` always firing LOG-1939 - Opt-in multiline detection breaks cloudwatch forwarding 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYZJxoNzjgjWX9erEAQji2Q//bv8hVZq0D8Dz0Do5vdoPzpjDhM6wJr7U 3CqAqcxniXvHVbBiPHPsY3p3M62FSO5lg4oZnVfokEtrZmLe9ULZWLlNxVilAUCT 0urKKWCAIXF+QJcW9/KCuIfaMh8Mmvh2baq52azauCHCJ3UK9ontiGWqyUz/aq9F TM4P/eehnUU1WXAz9x4ycHP7fHZBuADkI8WOUZ5M/QpcoEvo7rLFdyat5MpMkeJx j7gGieb2ITvblxEML3LRdPljQxe56w7p2jC/EoXJnssjABozlWB936Ub/QSulGuz +HQS+RnAGxRRpNcs1wNQzpIkCFJN2S0jlEj5VLB8xLbZTYtILWhIx4rlwaFy6NJn /z7hpEfSAgmhPTejshI/2Gfu/sc+KStEJk2IasWO1wqQWRqYGVeLwgHxBt2wpX+I XJUjhkAdhAWyDfEhPXzpbN4dhmDk0QiGfL3KWZ8nO54IFQgZHT1P1YArnI1hMWC7 JhTyj1DtFOKJl8X28wf6RNui+ifD12hmIAuQRuJTPjZbTnywwpMy+Sq9mrfeHztb gPt2AqOPF5ksNB6OsjVKlMScLlLJzzlkBVgmurXaly0z2qLjy0Rl70oWeMOW4xUD 4Ravk3PLEMqSIHv0ECr4ku5ejMV1Rd46USrgVX2R0CALXIxPkk1IEN8hHmzIGz2D HHJuAvrlroc= =di1X -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

In JetBrains TeamCity before 2020.2.2, permission checks for changing TeamCity plugins were implemented improperly. TeamCity is a Java-based build management and continuous integration server launched by JetBrains. JetBrains TeamCity versions prior to 2020.2.2 have a bug in the permission check implementation of plug-in changes. No detailed vulnerability details are currently provided

Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access. Mikrotik RouterOs Is vulnerable to a buffer error.Denial of service (DoS) It may be put into a state. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. MikroTik RouterOS has a security vulnerability. Advisory: four vulnerabilities found in MikroTik's RouterOS Details ======= Product: MikroTik's RouterOS Vendor URL: https://mikrotik.com/ Vendor Status: only CVE-2020-20227 is fixed CVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246 Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team Product Description ================== RouterOS is the operating system used on the MikroTik's devices, such as switch, router and access point. Description of vulnerabilities ========================== These vulnerabilities were reported to the vendor almost one year ago. And the vendor confirmed these vulnerabilities. 1. Against stable 6.46.5, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd 2020.06.19-18:36:13.88@0: --- signal=11 -------------------------------------------- 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202 2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88 esp=0x7f9d3e70 2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x77777af0 ecx=0x08051274 edx=0x00000001 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: maps: 2020.06.19-18:36:13.88@0: 08048000-08050000 r-xp 00000000 00:1b 16 /ram/pckg/routing/nova/bin/bfd 2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp 00000000 00:0c 959 /lib/libdl-0.9.33.2.so 2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so 2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1 2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp 00000000 00:0c 944 /lib/libuc++.so 2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp 00000000 00:0c 954 /lib/libcrypto.so.1.0.0 2020.06.19-18:36:13.88@0: 7776f000-77777000 r-xp 00000000 00:0c 950 /lib/libubox.so 2020.06.19-18:36:13.88@0: 77778000-777c4000 r-xp 00000000 00:0c 946 /lib/libumsg.so 2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70 2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05 08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77 2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05 08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: code: 0x804b175 2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53 83 This vulnerability was initially found in long-term 6.44.6, and it seems that the latest stable version 6.48.2 still suffer from this vulnerability. 2. Against stable 6.47, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: /nova/bin/diskd 2020.06.05-15:00:38.33@0: --- signal=11 -------------------------------------------- 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202 2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x0000000a ebp=0x7f9dceb8 esp=0x7f9dceac 2020.06.05-15:00:38.33@0: eax=0x0000000a ebx=0x777624ec ecx=0x08054600 edx=0x08056e18 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: maps: 2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00000000 00:0c 1049 /nova/bin/diskd 2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp 00000000 00:0c 951 /lib/libubox.so 2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac 2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d 7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08 2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76 77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f 2020.06.05-15:00:38.34@0: 2020.06.05-15:00:38.34@0: code: 0x7775a1e3 2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75 This vulnerability was initially found in stable 6.47, and it was fixed at least in stable 6.48.1. 3. Against stable 6.47, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.22-20:13:36.29@0: 2020.06.22-20:13:36.29@0: 2020.06.22-20:13:36.62@0: /nova/bin/log 2020.06.22-20:13:36.62@0: --- signal=11 -------------------------------------------- 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: eip=0x77709d2e eflags=0x00010202 2020.06.22-20:13:36.62@0: edi=0x0000004b esi=0x77718f00 ebp=0x7fec6858 esp=0x7fec6818 2020.06.22-20:13:36.62@0: eax=0x00000031 ebx=0x77717000 ecx=0x777171e8 edx=0x00000006 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: maps: 2020.06.22-20:13:36.62@0: 08048000-08058000 r-xp 00000000 00:0c 1005 /nova/bin/log 2020.06.22-20:13:36.62@0: 776e1000-77716000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.22-20:13:36.62@0: 7771a000-77734000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.22-20:13:36.62@0: 77735000-77744000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.22-20:13:36.62@0: 77745000-77791000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.22-20:13:36.62@0: 77797000-7779e000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: stack: 0x7fec7000 - 0x7fec6818 2020.06.22-20:13:36.62@0: 48 68 ec 7f 7b ce 73 77 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 68 ec 7f 21 ac 70 77 2020.06.22-20:13:36.62@0: 40 00 00 00 1b fb 70 77 e8 71 71 77 c0 28 06 08 88 68 ec 7f ec 44 74 77 e4 29 06 08 40 69 ec 7f 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: code: 0x77709d2e 2020.06.22-20:13:36.62@0: 8b 48 08 89 4c 96 04 e9 93 05 00 00 81 7d e0 ff This vulnerability was initially found in stable 6.46.3, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability. 4. By sending a crafted packet, an authenticated remote user can crash the mactel process due to NULL pointer dereference. Against stable 6.47, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: /nova/bin/mactel 2020.06.22-20:25:36.17@0: --- signal=11 -------------------------------------------- 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: eip=0x0804ddc7 eflags=0x00010202 2020.06.22-20:25:36.17@0: edi=0x08055740 esi=0x7fe78144 ebp=0x7fe780c8 esp=0x7fe78090 2020.06.22-20:25:36.17@0: eax=0x00000000 ebx=0x776b9b40 ecx=0x0000000b edx=0xffffffff 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: maps: 2020.06.22-20:25:36.17@0: 08048000-08051000 r-xp 00000000 00:0c 1041 /nova/bin/mactel 2020.06.22-20:25:36.17@0: 7762c000-77661000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.22-20:25:36.17@0: 77665000-7767f000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.22-20:25:36.17@0: 77680000-7768f000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.22-20:25:36.17@0: 77690000-776ad000 r-xp 00000000 00:0c 948 /lib/libucrypto.so 2020.06.22-20:25:36.17@0: 776ae000-776af000 r-xp 00000000 00:0c 967 /lib/libutil-0.9.33.2.so 2020.06.22-20:25:36.17@0: 776b1000-776b9000 r-xp 00000000 00:0c 951 /lib/libubox.so 2020.06.22-20:25:36.17@0: 776ba000-77706000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.22-20:25:36.17@0: 7770c000-77713000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: stack: 0x7fe79000 - 0x7fe78090 2020.06.22-20:25:36.17@0: 44 81 e7 7f 01 00 00 00 ff ff ff ff 1f d0 04 08 58 57 05 08 28 b0 70 77 01 00 00 00 00 00 00 00 2020.06.22-20:25:36.17@0: 1c 85 e7 7f 04 1d 05 08 02 db 70 77 40 9b 6b 77 40 57 05 08 44 81 e7 7f f8 80 e7 7f 7c 4a 6b 77 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: code: 0x804ddc7 2020.06.22-20:25:36.17@0: 8b 50 2f 89 55 da 66 8b 40 33 66 89 45 de 83 c4 This vulnerability was initially found in stable 6.46.3, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability. Solution ======== As to CVE-2020-20227, upgrade to the corresponding latest RouterOS tree version. For others, no upgrade firmware available yet References ========== [1] https://mikrotik.com/download/changelogs/stable-release-tree

Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /ram/pckg/wireless/nova/bin/wireless process. An authenticated remote attacker can cause a Denial of Service due via a crafted packet. Mikrotik RouterOs Exists in a reachable assertion vulnerability.Denial of service (DoS) It may be put into a state. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. Mikrotik RouterOs prior to version 6.47 has a security vulnerability

Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/resolver process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access. Mikrotik RouterOs Is vulnerable to a buffer error.Denial of service (DoS) It may be put into a state. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. Mikrotik RouterOs prior to version 6.47 has a security vulnerability

The USG5100 series is a gigabit unified security gateway for large and medium-sized enterprises launched by Huawei Technologies Co., Ltd. HUAWEI USG5100 has a weak password vulnerability. Attackers can use this vulnerability to obtain sensitive information.

In JetBrains TeamCity before 2020.2.2, stored XSS on a tests page was possible. JetBrains TeamCity Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. TeamCity is a Java-based build management and continuous integration server launched by JetBrains. No detailed vulnerability details are currently provided

SRG1210-s is a router of Huawei Technologies Co., Ltd. Huawei Technologies Co., Ltd. SRG1210-s has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.

Mikrotik RouterOs prior to stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/bfd process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference). Mikrotik RouterOs Is vulnerable to a buffer error.Denial of service (DoS) It may be put into a state. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality. MikroTik RouterOS has a security vulnerability. Advisory: four vulnerabilities found in MikroTik's RouterOS Details ======= Product: MikroTik's RouterOS Vendor URL: https://mikrotik.com/ Vendor Status: only CVE-2020-20227 is fixed CVE: CVE-2020-20220, CVE-2020-20227, CVE-2020-20245, CVE-2020-20246 Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team Product Description ================== RouterOS is the operating system used on the MikroTik's devices, such as switch, router and access point. Description of vulnerabilities ========================== These vulnerabilities were reported to the vendor almost one year ago. And the vendor confirmed these vulnerabilities. 1. By sending a crafted packet, an authenticated remote user can crash the bfd process due to invalid memory access. Against stable 6.46.5, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: /ram/pckg/routing/nova/bin/bfd 2020.06.19-18:36:13.88@0: --- signal=11 -------------------------------------------- 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: eip=0x0804b175 eflags=0x00010202 2020.06.19-18:36:13.88@0: edi=0x08054a90 esi=0x08054298 ebp=0x7f9d3e88 esp=0x7f9d3e70 2020.06.19-18:36:13.88@0: eax=0x08050634 ebx=0x77777af0 ecx=0x08051274 edx=0x00000001 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: maps: 2020.06.19-18:36:13.88@0: 08048000-08050000 r-xp 00000000 00:1b 16 /ram/pckg/routing/nova/bin/bfd 2020.06.19-18:36:13.88@0: 7759a000-7759c000 r-xp 00000000 00:0c 959 /lib/libdl-0.9.33.2.so 2020.06.19-18:36:13.88@0: 7759e000-775d3000 r-xp 00000000 00:0c 964 /lib/libuClibc-0.9.33.2.so 2020.06.19-18:36:13.88@0: 775d7000-775f1000 r-xp 00000000 00:0c 960 /lib/libgcc_s.so.1 2020.06.19-18:36:13.88@0: 775f2000-77601000 r-xp 00000000 00:0c 944 /lib/libuc++.so 2020.06.19-18:36:13.88@0: 77602000-7775f000 r-xp 00000000 00:0c 954 /lib/libcrypto.so.1.0.0 2020.06.19-18:36:13.88@0: 7776f000-77777000 r-xp 00000000 00:0c 950 /lib/libubox.so 2020.06.19-18:36:13.88@0: 77778000-777c4000 r-xp 00000000 00:0c 946 /lib/libumsg.so 2020.06.19-18:36:13.88@0: 777ca000-777d1000 r-xp 00000000 00:0c 958 /lib/ld-uClibc-0.9.33.2.so 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: stack: 0x7f9d4000 - 0x7f9d3e70 2020.06.19-18:36:13.88@0: 34 06 05 08 d0 e6 04 08 d8 3e 9d 7f 90 4a 05 08 98 42 05 08 d8 3e 9d 7f f8 3e 9d 7f 6d 39 77 77 2020.06.19-18:36:13.88@0: 90 4a 05 08 28 40 9d 7f 05 00 00 00 00 43 05 08 00 00 00 00 28 90 7c 77 01 00 00 00 0c 00 00 00 2020.06.19-18:36:13.88@0: 2020.06.19-18:36:13.88@0: code: 0x804b175 2020.06.19-18:36:13.88@0: ff 05 00 00 00 00 83 c4 10 c9 c3 55 89 e5 53 83 This vulnerability was initially found in long-term 6.44.6, and it seems that the latest stable version 6.48.2 still suffer from this vulnerability. 2. By sending a crafted packet, an authenticated remote user can crash the diskd process due to invalid memory access. Against stable 6.47, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: /nova/bin/diskd 2020.06.05-15:00:38.33@0: --- signal=11 -------------------------------------------- 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: eip=0x7775a1e3 eflags=0x00010202 2020.06.05-15:00:38.33@0: edi=0x7f9dd024 esi=0x0000000a ebp=0x7f9dceb8 esp=0x7f9dceac 2020.06.05-15:00:38.33@0: eax=0x0000000a ebx=0x777624ec ecx=0x08054600 edx=0x08056e18 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: maps: 2020.06.05-15:00:38.33@0: 08048000-08052000 r-xp 00000000 00:0c 1049 /nova/bin/diskd 2020.06.05-15:00:38.33@0: 776ff000-77734000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.05-15:00:38.33@0: 77738000-77752000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.05-15:00:38.33@0: 77753000-77762000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.05-15:00:38.33@0: 77763000-7776b000 r-xp 00000000 00:0c 951 /lib/libubox.so 2020.06.05-15:00:38.33@0: 7776c000-777b8000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.05-15:00:38.33@0: 777be000-777c5000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.05-15:00:38.33@0: 2020.06.05-15:00:38.33@0: stack: 0x7f9de000 - 0x7f9dceac 2020.06.05-15:00:38.33@0: f4 8a 7b 77 0a 00 00 00 f4 8a 7b 77 e8 ce 9d 7f 92 be 78 77 f8 45 05 08 0a 00 00 00 18 6e 05 08 2020.06.05-15:00:38.33@0: 18 6e 05 08 e4 ce 9d 7f 24 d0 9d 7f 7c 18 76 77 24 d0 9d 7f 18 69 05 08 40 cf 9d 7f a8 cf 9d 7f 2020.06.05-15:00:38.34@0: 2020.06.05-15:00:38.34@0: code: 0x7775a1e3 2020.06.05-15:00:38.34@0: 8b 00 8b 10 01 c2 83 c2 04 52 83 c0 04 50 ff 75 This vulnerability was initially found in stable 6.47, and it was fixed at least in stable 6.48.1. 3. By sending a crafted packet, an authenticated remote user can crash the log process due to invalid memory access. Against stable 6.47, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.22-20:13:36.29@0: 2020.06.22-20:13:36.29@0: 2020.06.22-20:13:36.62@0: /nova/bin/log 2020.06.22-20:13:36.62@0: --- signal=11 -------------------------------------------- 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: eip=0x77709d2e eflags=0x00010202 2020.06.22-20:13:36.62@0: edi=0x0000004b esi=0x77718f00 ebp=0x7fec6858 esp=0x7fec6818 2020.06.22-20:13:36.62@0: eax=0x00000031 ebx=0x77717000 ecx=0x777171e8 edx=0x00000006 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: maps: 2020.06.22-20:13:36.62@0: 08048000-08058000 r-xp 00000000 00:0c 1005 /nova/bin/log 2020.06.22-20:13:36.62@0: 776e1000-77716000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.22-20:13:36.62@0: 7771a000-77734000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.22-20:13:36.62@0: 77735000-77744000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.22-20:13:36.62@0: 77745000-77791000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.22-20:13:36.62@0: 77797000-7779e000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: stack: 0x7fec7000 - 0x7fec6818 2020.06.22-20:13:36.62@0: 48 68 ec 7f 7b ce 73 77 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 68 68 ec 7f 21 ac 70 77 2020.06.22-20:13:36.62@0: 40 00 00 00 1b fb 70 77 e8 71 71 77 c0 28 06 08 88 68 ec 7f ec 44 74 77 e4 29 06 08 40 69 ec 7f 2020.06.22-20:13:36.62@0: 2020.06.22-20:13:36.62@0: code: 0x77709d2e 2020.06.22-20:13:36.62@0: 8b 48 08 89 4c 96 04 e9 93 05 00 00 81 7d e0 ff This vulnerability was initially found in stable 6.46.3, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability. 4. Against stable 6.47, the poc resulted in the following crash dump. # cat /rw/logs/backtrace.log 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: /nova/bin/mactel 2020.06.22-20:25:36.17@0: --- signal=11 -------------------------------------------- 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: eip=0x0804ddc7 eflags=0x00010202 2020.06.22-20:25:36.17@0: edi=0x08055740 esi=0x7fe78144 ebp=0x7fe780c8 esp=0x7fe78090 2020.06.22-20:25:36.17@0: eax=0x00000000 ebx=0x776b9b40 ecx=0x0000000b edx=0xffffffff 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: maps: 2020.06.22-20:25:36.17@0: 08048000-08051000 r-xp 00000000 00:0c 1041 /nova/bin/mactel 2020.06.22-20:25:36.17@0: 7762c000-77661000 r-xp 00000000 00:0c 966 /lib/libuClibc-0.9.33.2.so 2020.06.22-20:25:36.17@0: 77665000-7767f000 r-xp 00000000 00:0c 962 /lib/libgcc_s.so.1 2020.06.22-20:25:36.17@0: 77680000-7768f000 r-xp 00000000 00:0c 945 /lib/libuc++.so 2020.06.22-20:25:36.17@0: 77690000-776ad000 r-xp 00000000 00:0c 948 /lib/libucrypto.so 2020.06.22-20:25:36.17@0: 776ae000-776af000 r-xp 00000000 00:0c 967 /lib/libutil-0.9.33.2.so 2020.06.22-20:25:36.17@0: 776b1000-776b9000 r-xp 00000000 00:0c 951 /lib/libubox.so 2020.06.22-20:25:36.17@0: 776ba000-77706000 r-xp 00000000 00:0c 947 /lib/libumsg.so 2020.06.22-20:25:36.17@0: 7770c000-77713000 r-xp 00000000 00:0c 960 /lib/ld-uClibc-0.9.33.2.so 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: stack: 0x7fe79000 - 0x7fe78090 2020.06.22-20:25:36.17@0: 44 81 e7 7f 01 00 00 00 ff ff ff ff 1f d0 04 08 58 57 05 08 28 b0 70 77 01 00 00 00 00 00 00 00 2020.06.22-20:25:36.17@0: 1c 85 e7 7f 04 1d 05 08 02 db 70 77 40 9b 6b 77 40 57 05 08 44 81 e7 7f f8 80 e7 7f 7c 4a 6b 77 2020.06.22-20:25:36.17@0: 2020.06.22-20:25:36.17@0: code: 0x804ddc7 2020.06.22-20:25:36.17@0: 8b 50 2f 89 55 da 66 8b 40 33 66 89 45 de 83 c4 This vulnerability was initially found in stable 6.46.3, and it seems that the latest stable version 6.48.2 still suffers from this vulnerability. Solution ======== As to CVE-2020-20227, upgrade to the corresponding latest RouterOS tree version. For others, no upgrade firmware available yet References ========== [1] https://mikrotik.com/download/changelogs/stable-release-tree

An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Bugs fixed (https://bugzilla.redhat.com/): 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: kernel security, bug fix, and enhancement update Advisory ID: RHSA-2021:4356-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:4356 Issue date: 2021-11-09 CVE Names: CVE-2020-0427 CVE-2020-24502 CVE-2020-24503 CVE-2020-24504 CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 CVE-2020-26140 CVE-2020-26141 CVE-2020-26143 CVE-2020-26144 CVE-2020-26145 CVE-2020-26146 CVE-2020-26147 CVE-2020-27777 CVE-2020-29368 CVE-2020-29660 CVE-2020-36158 CVE-2020-36386 CVE-2021-0129 CVE-2021-3348 CVE-2021-3489 CVE-2021-3564 CVE-2021-3573 CVE-2021-3600 CVE-2021-3635 CVE-2021-3659 CVE-2021-3679 CVE-2021-3732 CVE-2021-20194 CVE-2021-20239 CVE-2021-23133 CVE-2021-28950 CVE-2021-28971 CVE-2021-29155 CVE-2021-29646 CVE-2021-29650 CVE-2021-31440 CVE-2021-31829 CVE-2021-31916 CVE-2021-33200 ==================================================================== 1. Summary: An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64 Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, x86_64 3. Security Fix(es): * kernel: out-of-bounds reads in pinctrl subsystem (CVE-2020-0427) * kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502) * kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503) * kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504) * kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586) * kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587) * kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588) * kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139) * kernel: accepting plaintext data frames in protected networks (CVE-2020-26140) * kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141) * kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143) * kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144) * kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145) * kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777) * kernel: locking inconsistency in tty_io.c and tty_jobctrl.c can lead to a read-after-free (CVE-2020-29660) * kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function via a long SSID value (CVE-2020-36158) * kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() (CVE-2020-36386) * kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129) * kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348) * kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489) * kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564) * kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573) * kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600) * kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679) * kernel: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732) * kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194) * kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133) * kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950) * kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971) * kernel: protection can be bypassed to leak content of kernel memory (CVE-2021-29155) * kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646) * kernel: lack a full memory barrier may lead to DoS (CVE-2021-29650) * kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440) * kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory (CVE-2021-31829) * kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier (CVE-2021-33200) * kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146) * kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147) * kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check (CVE-2020-29368) * kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635) * kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659) * kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239) * kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916) 4. Solution: For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1509204 - dlm: Add ability to set SO_MARK on DLM sockets 1793880 - Unreliable RTC synchronization (11-minute mode) 1816493 - [RHEL 8.3] Discard request from mkfs.xfs takes too much time on raid10 1900844 - CVE-2020-27777 kernel: powerpc: RTAS calls can be used to compromise kernel integrity 1903244 - CVE-2020-29368 kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check 1906522 - CVE-2020-29660 kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-after-free 1912683 - CVE-2021-20194 kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() 1913348 - CVE-2020-36158 kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value 1915825 - Allow falling back to genfscon labeling when the FS doesn't support xattrs and there is a fs_use_xattr rule for it 1919893 - CVE-2020-0427 kernel: out-of-bounds reads in pinctrl subsystem. 1921958 - CVE-2021-3348 kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c 1923636 - CVE-2021-20239 kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure 1930376 - CVE-2020-24504 kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers 1930379 - CVE-2020-24502 kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers 1930381 - CVE-2020-24503 kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers 1933527 - Files on cifs mount can get mixed contents when underlying file is removed but inode number is reused, when mounted with 'serverino' and 'cache=strict ' 1939341 - CNB: net: add inline function skb_csum_is_sctp 1941762 - CVE-2021-28950 kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode 1941784 - CVE-2021-28971 kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c 1945345 - CVE-2021-29646 kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c 1945388 - CVE-2021-29650 kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS 1946965 - CVE-2021-31916 kernel: out of bounds array access in drivers/md/dm-ioctl.c 1948772 - CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del 1951595 - CVE-2021-29155 kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory 1953847 - [ethtool] The `NLM_F_MULTI` should be used for `NLM_F_DUMP` 1954588 - RHEL kernel 8.2 and higher are affected by data corruption bug in raid1 arrays using bitmaps. 1957788 - CVE-2021-31829 kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory 1959559 - CVE-2021-3489 kernel: Linux kernel eBPF RINGBUF map oversized allocation 1959642 - CVE-2020-24586 kernel: Fragmentation cache not cleared on reconnection 1959654 - CVE-2020-24587 kernel: Reassembling fragments encrypted under different keys 1959657 - CVE-2020-24588 kernel: wifi frame payload being parsed incorrectly as an L2 frame 1959663 - CVE-2020-26139 kernel: Forwarding EAPOL from unauthenticated wifi client 1960490 - CVE-2020-26140 kernel: accepting plaintext data frames in protected networks 1960492 - CVE-2020-26141 kernel: not verifying TKIP MIC of fragmented frames 1960496 - CVE-2020-26143 kernel: accepting fragmented plaintext frames in protected networks 1960498 - CVE-2020-26144 kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header 1960500 - CVE-2020-26145 kernel: accepting plaintext broadcast fragments as full frames 1960502 - CVE-2020-26146 kernel: reassembling encrypted fragments with non-consecutive packet numbers 1960504 - CVE-2020-26147 kernel: reassembling mixed encrypted/plaintext fragments 1960708 - please add CAP_CHECKPOINT_RESTORE to capability.h 1964028 - CVE-2021-31440 kernel: local escalation of privileges in handling of eBPF programs 1964139 - CVE-2021-3564 kernel: double free in bluetooth subsystem when the HCI device initialization fails 1965038 - CVE-2021-0129 kernel: Improper access control in BlueZ may allow information disclosure vulnerability. 1965360 - kernel: get_timespec64 does not ignore padding in compat syscalls 1965458 - CVE-2021-33200 kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier 1966578 - CVE-2021-3573 kernel: use-after-free in function hci_sock_bound_ioctl() 1969489 - CVE-2020-36386 kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c 1971101 - ceph: potential data corruption in cephfs write_begin codepath 1972278 - libceph: allow addrvecs with a single NONE/blank address 1974627 - [TIPC] kernel BUG at lib/list_debug.c:31! 1975182 - CVE-2021-33909 kernel: size_t-to-int conversion vulnerability in the filesystem layer [rhel-8.5.0] 1975949 - CVE-2021-3659 kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c 1976679 - blk-mq: fix/improve io scheduler batching dispatch 1976699 - [SCTP]WARNING: CPU: 29 PID: 3165 at mm/page_alloc.c:4579 __alloc_pages_slowpath+0xb74/0xd00 1976946 - CVE-2021-3635 kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 1976969 - XFS: followup to XFS sync to upstream v5.10 (re BZ1937116) 1977162 - [XDP] test program warning: libbpf: elf: skipping unrecognized data section(16) .eh_frame 1977422 - Missing backport of IMA boot aggregate calculation in rhel 8.4 kernel 1977537 - RHEL8.5: Update the kernel workqueue code to v5.12 level 1977850 - geneve virtual devices lack the NETIF_F_FRAGLIST feature 1978369 - dm writecache: sync with upstream 5.14 1979070 - Inaccessible NFS server overloads clients (native_queued_spin_lock_slowpath connotation?) 1979680 - Backport openvswitch tracepoints 1981954 - CVE-2021-3600 kernel: eBPF 32-bit source register truncation on div/mod 1986138 - Lockd invalid cast to nlm_lockowner 1989165 - CVE-2021-3679 kernel: DoS in rb_per_cpu_empty() 1989999 - ceph omnibus backport for RHEL-8.5.0 1991976 - block: fix New warning in nvme_setup_discard 1992700 - blk-mq: fix kernel panic when iterating over flush request 1995249 - CVE-2021-3732 kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files 1996854 - dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc() 6. Package List: Red Hat Enterprise Linux BaseOS (v. 8): Source: kernel-4.18.0-348.el8.src.rpm aarch64: bpftool-4.18.0-348.el8.aarch64.rpm bpftool-debuginfo-4.18.0-348.el8.aarch64.rpm kernel-4.18.0-348.el8.aarch64.rpm kernel-core-4.18.0-348.el8.aarch64.rpm kernel-cross-headers-4.18.0-348.el8.aarch64.rpm kernel-debug-4.18.0-348.el8.aarch64.rpm kernel-debug-core-4.18.0-348.el8.aarch64.rpm kernel-debug-debuginfo-4.18.0-348.el8.aarch64.rpm kernel-debug-devel-4.18.0-348.el8.aarch64.rpm kernel-debug-modules-4.18.0-348.el8.aarch64.rpm kernel-debug-modules-extra-4.18.0-348.el8.aarch64.rpm kernel-debuginfo-4.18.0-348.el8.aarch64.rpm kernel-debuginfo-common-aarch64-4.18.0-348.el8.aarch64.rpm kernel-devel-4.18.0-348.el8.aarch64.rpm kernel-headers-4.18.0-348.el8.aarch64.rpm kernel-modules-4.18.0-348.el8.aarch64.rpm kernel-modules-extra-4.18.0-348.el8.aarch64.rpm kernel-tools-4.18.0-348.el8.aarch64.rpm kernel-tools-debuginfo-4.18.0-348.el8.aarch64.rpm kernel-tools-libs-4.18.0-348.el8.aarch64.rpm perf-4.18.0-348.el8.aarch64.rpm perf-debuginfo-4.18.0-348.el8.aarch64.rpm python3-perf-4.18.0-348.el8.aarch64.rpm python3-perf-debuginfo-4.18.0-348.el8.aarch64.rpm noarch: kernel-abi-stablelists-4.18.0-348.el8.noarch.rpm kernel-doc-4.18.0-348.el8.noarch.rpm ppc64le: bpftool-4.18.0-348.el8.ppc64le.rpm bpftool-debuginfo-4.18.0-348.el8.ppc64le.rpm kernel-4.18.0-348.el8.ppc64le.rpm kernel-core-4.18.0-348.el8.ppc64le.rpm kernel-cross-headers-4.18.0-348.el8.ppc64le.rpm kernel-debug-4.18.0-348.el8.ppc64le.rpm kernel-debug-core-4.18.0-348.el8.ppc64le.rpm kernel-debug-debuginfo-4.18.0-348.el8.ppc64le.rpm kernel-debug-devel-4.18.0-348.el8.ppc64le.rpm kernel-debug-modules-4.18.0-348.el8.ppc64le.rpm kernel-debug-modules-extra-4.18.0-348.el8.ppc64le.rpm kernel-debuginfo-4.18.0-348.el8.ppc64le.rpm kernel-debuginfo-common-ppc64le-4.18.0-348.el8.ppc64le.rpm kernel-devel-4.18.0-348.el8.ppc64le.rpm kernel-headers-4.18.0-348.el8.ppc64le.rpm kernel-modules-4.18.0-348.el8.ppc64le.rpm kernel-modules-extra-4.18.0-348.el8.ppc64le.rpm kernel-tools-4.18.0-348.el8.ppc64le.rpm kernel-tools-debuginfo-4.18.0-348.el8.ppc64le.rpm kernel-tools-libs-4.18.0-348.el8.ppc64le.rpm perf-4.18.0-348.el8.ppc64le.rpm perf-debuginfo-4.18.0-348.el8.ppc64le.rpm python3-perf-4.18.0-348.el8.ppc64le.rpm python3-perf-debuginfo-4.18.0-348.el8.ppc64le.rpm s390x: bpftool-4.18.0-348.el8.s390x.rpm bpftool-debuginfo-4.18.0-348.el8.s390x.rpm kernel-4.18.0-348.el8.s390x.rpm kernel-core-4.18.0-348.el8.s390x.rpm kernel-cross-headers-4.18.0-348.el8.s390x.rpm kernel-debug-4.18.0-348.el8.s390x.rpm kernel-debug-core-4.18.0-348.el8.s390x.rpm kernel-debug-debuginfo-4.18.0-348.el8.s390x.rpm kernel-debug-devel-4.18.0-348.el8.s390x.rpm kernel-debug-modules-4.18.0-348.el8.s390x.rpm kernel-debug-modules-extra-4.18.0-348.el8.s390x.rpm kernel-debuginfo-4.18.0-348.el8.s390x.rpm kernel-debuginfo-common-s390x-4.18.0-348.el8.s390x.rpm kernel-devel-4.18.0-348.el8.s390x.rpm kernel-headers-4.18.0-348.el8.s390x.rpm kernel-modules-4.18.0-348.el8.s390x.rpm kernel-modules-extra-4.18.0-348.el8.s390x.rpm kernel-tools-4.18.0-348.el8.s390x.rpm kernel-tools-debuginfo-4.18.0-348.el8.s390x.rpm kernel-zfcpdump-4.18.0-348.el8.s390x.rpm kernel-zfcpdump-core-4.18.0-348.el8.s390x.rpm kernel-zfcpdump-debuginfo-4.18.0-348.el8.s390x.rpm kernel-zfcpdump-devel-4.18.0-348.el8.s390x.rpm kernel-zfcpdump-modules-4.18.0-348.el8.s390x.rpm kernel-zfcpdump-modules-extra-4.18.0-348.el8.s390x.rpm perf-4.18.0-348.el8.s390x.rpm perf-debuginfo-4.18.0-348.el8.s390x.rpm python3-perf-4.18.0-348.el8.s390x.rpm python3-perf-debuginfo-4.18.0-348.el8.s390x.rpm x86_64: bpftool-4.18.0-348.el8.x86_64.rpm bpftool-debuginfo-4.18.0-348.el8.x86_64.rpm kernel-4.18.0-348.el8.x86_64.rpm kernel-core-4.18.0-348.el8.x86_64.rpm kernel-cross-headers-4.18.0-348.el8.x86_64.rpm kernel-debug-4.18.0-348.el8.x86_64.rpm kernel-debug-core-4.18.0-348.el8.x86_64.rpm kernel-debug-debuginfo-4.18.0-348.el8.x86_64.rpm kernel-debug-devel-4.18.0-348.el8.x86_64.rpm kernel-debug-modules-4.18.0-348.el8.x86_64.rpm kernel-debug-modules-extra-4.18.0-348.el8.x86_64.rpm kernel-debuginfo-4.18.0-348.el8.x86_64.rpm kernel-debuginfo-common-x86_64-4.18.0-348.el8.x86_64.rpm kernel-devel-4.18.0-348.el8.x86_64.rpm kernel-headers-4.18.0-348.el8.x86_64.rpm kernel-modules-4.18.0-348.el8.x86_64.rpm kernel-modules-extra-4.18.0-348.el8.x86_64.rpm kernel-tools-4.18.0-348.el8.x86_64.rpm kernel-tools-debuginfo-4.18.0-348.el8.x86_64.rpm kernel-tools-libs-4.18.0-348.el8.x86_64.rpm perf-4.18.0-348.el8.x86_64.rpm perf-debuginfo-4.18.0-348.el8.x86_64.rpm python3-perf-4.18.0-348.el8.x86_64.rpm python3-perf-debuginfo-4.18.0-348.el8.x86_64.rpm Red Hat Enterprise Linux CRB (v. 8): aarch64: bpftool-debuginfo-4.18.0-348.el8.aarch64.rpm kernel-debug-debuginfo-4.18.0-348.el8.aarch64.rpm kernel-debuginfo-4.18.0-348.el8.aarch64.rpm kernel-debuginfo-common-aarch64-4.18.0-348.el8.aarch64.rpm kernel-tools-debuginfo-4.18.0-348.el8.aarch64.rpm kernel-tools-libs-devel-4.18.0-348.el8.aarch64.rpm perf-debuginfo-4.18.0-348.el8.aarch64.rpm python3-perf-debuginfo-4.18.0-348.el8.aarch64.rpm ppc64le: bpftool-debuginfo-4.18.0-348.el8.ppc64le.rpm kernel-debug-debuginfo-4.18.0-348.el8.ppc64le.rpm kernel-debuginfo-4.18.0-348.el8.ppc64le.rpm kernel-debuginfo-common-ppc64le-4.18.0-348.el8.ppc64le.rpm kernel-tools-debuginfo-4.18.0-348.el8.ppc64le.rpm kernel-tools-libs-devel-4.18.0-348.el8.ppc64le.rpm perf-debuginfo-4.18.0-348.el8.ppc64le.rpm python3-perf-debuginfo-4.18.0-348.el8.ppc64le.rpm x86_64: bpftool-debuginfo-4.18.0-348.el8.x86_64.rpm kernel-debug-debuginfo-4.18.0-348.el8.x86_64.rpm kernel-debuginfo-4.18.0-348.el8.x86_64.rpm kernel-debuginfo-common-x86_64-4.18.0-348.el8.x86_64.rpm kernel-tools-debuginfo-4.18.0-348.el8.x86_64.rpm kernel-tools-libs-devel-4.18.0-348.el8.x86_64.rpm perf-debuginfo-4.18.0-348.el8.x86_64.rpm python3-perf-debuginfo-4.18.0-348.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYYrdRdzjgjWX9erEAQhs0w//as9X4T+FCf3TAbcNIStxlOK6fbJoAlST FrgNJnRH3RmT+VxRSLWZcsJQf78kudeJWtMezbGSVREfhCMBCGhKZ7mvVp5P7J8l bobmdaap3hqkPqq66VuKxGuS+6j0rXXgGQH034yzoX+L/lx6KV9qdAnZZO+7kWcy SfX0GkLg0ARDMfsoUKwVmeUeNLhPlJ4ZH2rBdZ4FhjyEAG/5yL9JwU/VNReWHjhW HgarTuSnFR3vLQDKyjMIEEiBPOI162hS2j3Ba/A/1hJ70HOjloJnd0eWYGxSuIfC DRrzlacFNAzBPZsbRFi1plXrHh5LtNoBBWjl+xyb6jRsB8eXgS+WhzUhOXGUv01E lJTwFy5Kz71d+cAhRXgmz5gVgWuoNJw8AEImefWcy4n0EEK55vdFe0Sl7BfZiwpD Jhx97He6OurNnLrYyJJ0+TsU1L33794Ag2AJZnN1PLFUyrKKNlD1ZWtdsJg99klK dQteUTnnUhgDG5Tqulf0wX19BEkLd/O6CRyGueJcV4h4PFpSoWOh5Yy/BlokFzc8 zf14PjuVueIodaIUXtK+70Zmw7tg09Dx5Asyfuk5hWFPYv856nHlDn7PT724CU8v 1cp96h1IjLR6cF17NO2JCcbU0XZEW+aCkGkPcsY8DhBmaZqxUxXObvTD80Mm7EvN +PuV5cms0sE=2UUA -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================== Ubuntu Security Notice USN-5343-1 March 22, 2022 linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM - Ubuntu 14.04 ESM Summary: Several security issues were fixed in the Linux kernel. A local attacker could use this to gain administrative privileges. (CVE-2022-0492) It was discovered that the aufs file system in the Linux kernel did not properly restrict mount namespaces, when mounted with the non-default allow_userns option set. A local attacker could use this to gain administrative privileges. (CVE-2016-2853) It was discovered that the aufs file system in the Linux kernel did not properly maintain POSIX ACL xattr data, when mounted with the non-default allow_userns option. A local attacker could possibly use this to gain elevated privileges. An attacker could use this to construct a malicious f2fs image that, when mounted and operated on, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19449) It was discovered that the XFS file system implementation in the Linux kernel did not properly validate meta data in some circumstances. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service. (CVE-2020-12655) Kiyin (尹亮) discovered that the NFC LLCP protocol implementation in the Linux kernel contained a reference counting error. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-25670) Kiyin (尹亮) discovered that the NFC LLCP protocol implementation in the Linux kernel did not properly deallocate memory in certain error situations. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2020-25671, CVE-2020-25672) Kiyin (尹亮) discovered that the NFC LLCP protocol implementation in the Linux kernel did not properly handle error conditions in some situations, leading to an infinite loop. A local attacker could use this to cause a denial of service. (CVE-2020-25673) Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation incorrectly handled EAPOL frames from unauthenticated senders. A physically proximate attacker could inject malicious packets to cause a denial of service (system crash). A physically proximate attacker could possibly use this to pair to a device without knowledge of the pin-code. An authenticated attacker could possibly use this to expose sensitive information. (CVE-2020-26558, CVE-2021-0129) It was discovered that the FUSE user space file system implementation in the Linux kernel did not properly handle bad inodes in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2020-36322) It was discovered that the Infiniband RDMA userspace connection manager implementation in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possible execute arbitrary code. A privileged attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. A privileged attacker could use this to cause a denial of service. (CVE-2021-20317) Or Cohen and Nadav Markus discovered a use-after-free vulnerability in the nfc implementation in the Linux kernel. A privileged local attacker could use this issue to cause a denial of service (system crash) or possibly execute arbitrary code. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2021-28688) It was discovered that the RPA PCI Hotplug driver implementation in the Linux kernel did not properly handle device name writes via sysfs, leading to a buffer overflow. A privileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. A local attacker could use this to cause a denial of service (system crash). (CVE-2021-29650) It was discovered that a race condition in the kernel Bluetooth subsystem could lead to use-after-free of slab objects. An attacker could use this issue to possibly execute arbitrary code. (CVE-2021-32399) It was discovered that the CIPSO implementation in the Linux kernel did not properly perform reference counting in some situations, leading to use- after-free vulnerabilities. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33034) Asaf Modelevsky discovered that the Intel(R) Ethernet ixgbe driver for the Linux kernel did not properly validate large MTU requests from Virtual Function (VF) devices. A local attacker could possibly use this to cause a denial of service. (CVE-2021-33098) Norbert Slusarek discovered that the CAN broadcast manger (bcm) protocol implementation in the Linux kernel did not properly initialize memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2021-34693) 马哲宇 discovered that the IEEE 1394 (Firewire) nosy packet sniffer driver in the Linux kernel did not properly perform reference counting in some situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. A local attacker could use this issue to cause a denial of service (system crash). (CVE-2021-3506) It was discovered that the bluetooth subsystem in the Linux kernel did not properly handle HCI device initialization failure, leading to a double-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2021-3564) It was discovered that the bluetooth subsystem in the Linux kernel did not properly handle HCI device detach events, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2021-3573) Murray McAllister discovered that the joystick device interface in the Linux kernel did not properly validate data passed via an ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code on systems with a joystick device registered. (CVE-2021-3612) It was discovered that the tracing subsystem in the Linux kernel did not properly keep track of per-cpu ring buffer state. A privileged attacker could use this to cause a denial of service. (CVE-2021-3679) It was discovered that the Virtio console implementation in the Linux kernel did not properly validate input lengths in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2021-38160) It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly compute the access permissions for shadow pages in some situations. A local attacker could use this to cause a denial of service. (CVE-2021-38198) It was discovered that the MAX-3421 host USB device driver in the Linux kernel did not properly handle device removal events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2021-38204) It was discovered that the NFC implementation in the Linux kernel did not properly handle failed connect events leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service. A local attacker could possibly use this to expose sensitive information (kernel memory). A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2021-40490) It was discovered that the 6pack network protocol driver in the Linux kernel did not properly perform validation checks. A privileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2021-42008) It was discovered that the ISDN CAPI implementation in the Linux kernel contained a race condition in certain situations that could trigger an array out-of-bounds bug. A privileged local attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2021-43389) It was discovered that the Phone Network protocol (PhoNet) implementation in the Linux kernel did not properly perform reference counting in some error conditions. A local attacker could possibly use this to cause a denial of service (memory exhaustion). An attacker could use this to construct a malicious f2fs image that, when mounted and operated on, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-45469) Amit Klein discovered that the IPv6 implementation in the Linux kernel could disclose internal state in some situations. An attacker could possibly use this to expose sensitive information. An attacker could use this to expose sensitive information or in conjunction with another kernel vulnerability. (CVE-2018-5995) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: linux-image-4.4.0-1103-kvm 4.4.0-1103.112 linux-image-4.4.0-1138-aws 4.4.0-1138.152 linux-image-4.4.0-222-generic 4.4.0-222.255 linux-image-4.4.0-222-lowlatency 4.4.0-222.255 linux-image-aws 4.4.0.1138.143 linux-image-generic 4.4.0.222.229 linux-image-kvm 4.4.0.1103.101 linux-image-lowlatency 4.4.0.222.229 linux-image-virtual 4.4.0.222.229 Ubuntu 14.04 ESM: linux-image-4.4.0-1102-aws 4.4.0-1102.107 linux-image-4.4.0-222-generic 4.4.0-222.255~14.04.1 linux-image-4.4.0-222-lowlatency 4.4.0-222.255~14.04.1 linux-image-aws 4.4.0.1102.100 linux-image-generic-lts-xenial 4.4.0.222.193 linux-image-lowlatency-lts-xenial 4.4.0.222.193 linux-image-virtual-lts-xenial 4.4.0.222.193 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-5343-1 CVE-2016-2853, CVE-2016-2854, CVE-2018-5995, CVE-2019-19449, CVE-2020-12655, CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673, CVE-2020-26139, CVE-2020-26147, CVE-2020-26555, CVE-2020-26558, CVE-2020-36322, CVE-2020-36385, CVE-2021-0129, CVE-2021-20292, CVE-2021-20317, CVE-2021-23134, CVE-2021-28688, CVE-2021-28972, CVE-2021-29650, CVE-2021-32399, CVE-2021-33033, CVE-2021-33034, CVE-2021-33098, CVE-2021-34693, CVE-2021-3483, CVE-2021-3506, CVE-2021-3564, CVE-2021-3573, CVE-2021-3612, CVE-2021-3679, CVE-2021-38160, CVE-2021-38198, CVE-2021-38204, CVE-2021-38208, CVE-2021-39648, CVE-2021-40490, CVE-2021-42008, CVE-2021-43389, CVE-2021-45095, CVE-2021-45469, CVE-2021-45485, CVE-2022-0492 . Solution: For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update: https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html For Red Hat OpenShift Logging 5.3, see the following instructions to apply this update: https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1168 - Disable hostname verification in syslog TLS settings LOG-1235 - Using HTTPS without a secret does not translate into the correct 'scheme' value in Fluentd LOG-1375 - ssl_ca_cert should be optional LOG-1378 - CLO should support sasl_plaintext(Password over http) LOG-1392 - In fluentd config, flush_interval can't be set with flush_mode=immediate LOG-1494 - Syslog output is serializing json incorrectly LOG-1555 - Fluentd logs emit transaction failed: error_class=NoMethodError while forwarding to external syslog server LOG-1575 - Rejected by Elasticsearch and unexpected json-parsing LOG-1735 - Regression introducing flush_at_shutdown LOG-1774 - The collector logs should be excluded in fluent.conf LOG-1776 - fluentd total_limit_size sets value beyond available space LOG-1822 - OpenShift Alerting Rules Style-Guide Compliance LOG-1859 - CLO Should not error and exit early on missing ca-bundle when cluster wide proxy is not enabled LOG-1862 - Unsupported kafka parameters when enabled Kafka SASL LOG-1903 - Fix the Display of ClusterLogging type in OLM LOG-1911 - CLF API changes to Opt-in to multiline error detection LOG-1918 - Alert `FluentdNodeDown` always firing LOG-1939 - Opt-in multiline detection breaks cloudwatch forwarding 6

In JetBrains TeamCity before 2020.2.4 on Windows, arbitrary code execution on TeamCity Server was possible. JetBrains TeamCity Contains an unspecified vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. TeamCity is a Java-based build management and continuous integration server launched by JetBrains

In JetBrains TeamCity before 2020.2.3, reflected XSS was possible on several pages. JetBrains TeamCity Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. TeamCity is a Java-based build management and continuous integration server launched by JetBrains. No detailed vulnerability details are currently provided

In JetBrains TeamCity before 2020.2.3, argument injection leading to remote code execution was possible. JetBrains TeamCity Is vulnerable to the insertion or modification of arguments.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. TeamCity is a Java-based build management and continuous integration server launched by JetBrains. JetBrains TeamCity version before 2020.2.3 has a parameter injection vulnerability