VARIoT IoT vulnerabilities database
| VAR-202106-1807 | CVE-2021-27629 | SAP NetWeaver ABAP Server and ABAP Platform input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: High |
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EncPSetUnsupported() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) is vulnerable to improper input validation and may be put into a denial-of-service (DoS) state.
## Advisory Information
- Public Release Date: 11/22/2021
- Security Advisory ID: ONAPSIS-2021-0017
- Researcher(s): Yvan Genuer
## Vulnerability Information
- Vendor: SAP
- Affected Components: All SAP kernel 32 and 64 bits, unicode and no-unicode
  - SAP KERNEL 7.22
  - SAP KERNEL 7.22EXT
  - SAP KERNEL 7.49
  - SAP KERNEL 7.53
  - SAP KERNEL 7.73
  - SAP KERNEL 7.77
  - SAP KERNEL 7.81
  - SAP KERNEL 8.04

  (Check SAP Note 3020104 for detailed information on affected releases)
- Vulnerability Class: CWE-20, CWE-125, CWE-476
- CVSS v3 score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Risk Level: High
- Assigned CVE:
  - CVE-2021-27606
  - CVE-2021-27629
  - CVE-2021-27630
  - CVE-2021-27631
  - CVE-2021-27632
- Vendor patch Information: SAP Security NOTE 3020104
## Affected Components Description
The SAP Enqueue server is the component that manages the lock table. There
is only one ENQ server in a distributed SAP system. It receives a lock
request and checks the lock table to determine collision. This is a
mandatory service for an SAP NetWeaver system; without it, no modification
in the SAP system is possible.
## Vulnerability Details
CVE-2021-27606: An attacker can craft a malicious enqueue packet to force an
out-of-bounds memory read in function `EncOAMParamStore()`. A comparison
value in a loop can be tricked and forced to a high value. The process
eventually crashes when a relevant register is overwritten.

CVE-2021-27629: An attacker can craft a malicious enqueue packet to force an
out-of-bounds memory read in function `EncPSetUnsupported`. A counter for a
`movs` instruction can be controlled by an attacker, leading to a crash.

CVE-2021-27630: A NULL pointer dereference exists in `EnqConvUniToSrvReq`
when the program tries to calculate the size of part of the message from the
input packet. A register points to the content of the packet and could be
controlled by the attacker.

CVE-2021-27631: A NULL pointer dereference exists in `EnqConvUniToSrvReq`
when the program tries to calculate the size of part of the message from the
input packet. A register points to the content of the packet and could be
controlled by the attacker.

CVE-2021-27632: A NULL pointer dereference exists in `EnqConvUniToSrvReq()`,
where the function reads inputs from the provided packet then uses them to
calculate an offset for a pointer. Both inputs are user controlled, and can
lead to the dereference of a register that will be used in `EnqConvObjToStr`.
## Solution
SAP has released SAP Note 3020104, which provides patched versions of the
affected components.

The patches can be downloaded from
https://launchpad.support.sap.com/#/notes/3020104.

Onapsis strongly recommends that SAP customers download the related
security fixes and apply them to the affected components in order to
reduce business risks.
## Report Timeline
- MM-DD-YYYY:
- 02/01/2021: Onapsis sends details to SAP
- 02/04/2021: SAP provides internal ID
- 02/08/2021: SAP confirms CVSS
- 06/09/2021: SAP releases SAP Note fixing the issue.
- 11/22/2021: Advisory published
## References
- Onapsis blogpost:
  https://www.onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system
- CVE Mitre:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27606
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27629
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27630
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27631
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27632
- Vendor Patch:
  https://launchpad.support.sap.com/#/notes/3020104
## About Onapsis Research Labs
Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.
Find all reported vulnerabilities at
https://github.com/Onapsis/vulnerability_advisories
## About Onapsis, Inc.
Onapsis protects the mission-critical applications that run the global
economy, from the core to the cloud. The Onapsis Platform uniquely delivers
actionable insight, secure change, automated governance and continuous
monitoring for critical systems (ERP, CRM, PLM, HCM, SCM and BI
applications) from leading vendors such as SAP, Oracle, Salesforce and
others, while keeping them protected and compliant.

For more information, connect with us on Twitter or LinkedIn, or visit us at
https://www.onapsis.com.
## License
This advisory is licensed under a [Creative Commons 4.0 BY-ND International License](https://creativecommons.org/licenses/by-nd/4.0/legalcode)
| VAR-202106-1805 | CVE-2021-27631 | SAP NetWeaver ABAP Server and ABAP Platform input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: High |
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) is vulnerable to improper input validation and may be put into a denial-of-service (DoS) state.
| VAR-202106-1173 | CVE-2021-33190 | Improper restriction of excessive authentication attempts vulnerability in Apache APISIX Dashboard |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed. Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1. Apache APISIX Dashboard is vulnerable to improper restriction of excessive authentication attempts. Information may be tampered with. Apache APISIX is a cloud-native microservice API gateway service of the Apache Foundation. The software is implemented based on OpenResty and etcd, with dynamic routing and plug-in hot loading, suitable for API management under the microservice system.
APISIX Dashboard has a security vulnerability in version 2.6. Attackers may use this vulnerability to bypass network restrictions.
| VAR-202106-1423 | CVE-2021-26314 | Vulnerability in multiple CPU products related to leaking resources to the wrong area |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage. Multiple CPU products contain a vulnerability related to the leakage of resources to the wrong area. Information may be obtained. Intel Processors (Intel processors) are Intel Corporation's processors that interpret computer instructions and process data in computer software. There are information disclosure vulnerabilities in Intel Processors and AMD CPUs, which originate from configuration errors in network systems or products during operation. An unauthorized attacker could exploit the vulnerability to obtain sensitive information of the affected components.
| VAR-202106-1142 | CVE-2021-30357 | SSL Network Extender Client for Linux vulnerability related to information leakage due to error messages |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
SSL Network Extender Client for Linux before build 800008302 reveals part of the contents of the configuration file supplied, which allows partially disclosing files to which the user did not have access.
| VAR-202106-0343 | CVE-2020-24511 | Intel Processors Information disclosure vulnerability |
CVSS V2: 2.1 CVSS V3: 6.5 Severity: MEDIUM |
Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. Intel Processors (Intel processors) are Intel Corporation's processors that interpret computer instructions and process data in computer software. An authenticated attacker could exploit this vulnerability to obtain sensitive information.
For the stable distribution (buster), these problems have been fixed in
version 3.20210608.2~deb10u1.
Note that there are two reported regressions; for some CoffeeLake CPUs
this update may break iwlwifi
(https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56)
and for some Skylake R0/D0 CPUs on systems using a very outdated firmware/BIOS,
the system may hang on boot:
(https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31)
If you are affected by those issues, you can recover by disabling microcode
loading on boot (as documented in README.Debian (also available online at
https://salsa.debian.org/hmh/intel-microcode/-/blob/master/debian/README.Debian))
We recommend that you upgrade your intel-microcode packages.
For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
====================================================================
Red Hat Security Advisory
Synopsis: Important: microcode_ctl security, bug fix and enhancement update
Advisory ID: RHSA-2021:2303-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2303
Issue date: 2021-06-08
CVE Names: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512
CVE-2020-24513
====================================================================
1. Summary:
An update for microcode_ctl is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Server AUS (v. 7.6) - x86_64
Red Hat Enterprise Linux Server E4S (v. 7.6) - x86_64
Red Hat Enterprise Linux Server TUS (v. 7.6) - x86_64
3. Description:
The microcode_ctl packages provide microcode updates for Intel.
Security Fix(es):
* hw: vt-d related privilege escalation (CVE-2020-24489)
* hw: improper isolation of shared resources in some Intel Processors
(CVE-2020-24511)
* hw: observable timing discrepancy in some Intel Processors
(CVE-2020-24512)
* hw: information disclosure on some Intel Atom processors (CVE-2020-24513)
Bug Fix(es) and Enhancement(s):
* Update Intel CPU microcode to microcode-20210525 release
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1962650 - CVE-2020-24489 hw: vt-d related privilege escalation
1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors
1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors
1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors
6. Package List:
Red Hat Enterprise Linux Server AUS (v. 7.6):
Source:
microcode_ctl-2.1-47.21.el7_6.src.rpm
x86_64:
microcode_ctl-2.1-47.21.el7_6.x86_64.rpm
microcode_ctl-debuginfo-2.1-47.21.el7_6.x86_64.rpm
Red Hat Enterprise Linux Server E4S (v. 7.6):
Source:
microcode_ctl-2.1-47.21.el7_6.src.rpm
x86_64:
microcode_ctl-2.1-47.21.el7_6.x86_64.rpm
microcode_ctl-debuginfo-2.1-47.21.el7_6.x86_64.rpm
Red Hat Enterprise Linux Server TUS (v. 7.6):
Source:
microcode_ctl-2.1-47.21.el7_6.src.rpm
x86_64:
microcode_ctl-2.1-47.21.el7_6.x86_64.rpm
microcode_ctl-debuginfo-2.1-47.21.el7_6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-24489
https://access.redhat.com/security/cve/CVE-2020-24511
https://access.redhat.com/security/cve/CVE-2020-24512
https://access.redhat.com/security/cve/CVE-2020-24513
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
| VAR-202106-0349 | CVE-2020-24489 | Intel Virtualization Technology for Direct I/O Authorization problem vulnerability |
CVSS V2: 4.6 CVSS V3: 8.8 Severity: HIGH |
Incomplete cleanup in some Intel(R) VT-d products may allow an authenticated user to potentially enable escalation of privilege via local access.
====================================================================
Red Hat Security Advisory
Synopsis: Important: microcode_ctl security, bug fix and enhancement update
Advisory ID: RHSA-2021:3028-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3028
Issue date: 2021-08-09
CVE Names: CVE-2020-0543 CVE-2020-0548 CVE-2020-0549
CVE-2020-8695 CVE-2020-8696 CVE-2020-8698
CVE-2020-24489 CVE-2020-24511 CVE-2020-24512
====================================================================
1. Summary:
An update for microcode_ctl is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
The microcode_ctl packages provide microcode updates for Intel.
Security Fix(es):
* hw: Special Register Buffer Data Sampling (SRBDS) (CVE-2020-0543)
* hw: Vector Register Data Sampling (CVE-2020-0548)
* hw: L1D Cache Eviction Sampling (CVE-2020-0549)
* hw: vt-d related privilege escalation (CVE-2020-24489)
* hw: improper isolation of shared resources in some Intel Processors
(CVE-2020-24511)
* hw: observable timing discrepancy in some Intel Processors
(CVE-2020-24512)
* hw: Information disclosure issue in Intel SGX via RAPL interface
(CVE-2020-8695)
* hw: Vector Register Leakage-Active (CVE-2020-8696)
* hw: Fast forward store predictor (CVE-2020-8698)
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1788786 - CVE-2020-0548 hw: Vector Register Data Sampling
1788788 - CVE-2020-0549 hw: L1D Cache Eviction Sampling
1827165 - CVE-2020-0543 hw: Special Register Buffer Data Sampling (SRBDS)
1828583 - CVE-2020-8695 hw: Information disclosure issue in Intel SGX via RAPL interface
1890355 - CVE-2020-8696 hw: Vector Register Leakage-Active
1890356 - CVE-2020-8698 hw: Fast forward store predictor
1897684 - [rhel-7.9.z] Re-enable 06-5e-03 (SKL-H/S, CPUID 0x506e3) latest microcode updates
1962650 - CVE-2020-24489 hw: vt-d related privilege escalation
1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors
1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
microcode_ctl-2.1-73.11.el7_9.src.rpm
x86_64:
microcode_ctl-2.1-73.11.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.11.el7_9.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
microcode_ctl-2.1-73.11.el7_9.src.rpm
x86_64:
microcode_ctl-2.1-73.11.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.11.el7_9.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
microcode_ctl-2.1-73.11.el7_9.src.rpm
x86_64:
microcode_ctl-2.1-73.11.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.11.el7_9.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
microcode_ctl-2.1-73.11.el7_9.src.rpm
x86_64:
microcode_ctl-2.1-73.11.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.11.el7_9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-0543
https://access.redhat.com/security/cve/CVE-2020-0548
https://access.redhat.com/security/cve/CVE-2020-0549
https://access.redhat.com/security/cve/CVE-2020-8695
https://access.redhat.com/security/cve/CVE-2020-8696
https://access.redhat.com/security/cve/CVE-2020-8698
https://access.redhat.com/security/cve/CVE-2020-24489
https://access.redhat.com/security/cve/CVE-2020-24511
https://access.redhat.com/security/cve/CVE-2020-24512
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
| VAR-202106-0344 | CVE-2020-24512 | Intel Processors Information disclosure vulnerability |
CVSS V2: 2.1 CVSS V3: 3.3 Severity: LOW |
Observable timing discrepancy in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
====================================================================
Red Hat Security Advisory
Synopsis: Important: microcode_ctl security, bug fix and enhancement update
Advisory ID: RHSA-2021:2301-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2301
Issue date: 2021-06-08
CVE Names: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512
CVE-2020-24513
====================================================================
1. Summary:
An update for microcode_ctl is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Server AUS (v. 7.4) - x86_64
Red Hat Enterprise Linux Server E4S (v. 7.4) - x86_64
Red Hat Enterprise Linux Server TUS (v. 7.4) - x86_64
3. Description:
The microcode_ctl packages provide microcode updates for Intel.
Security Fix(es):
* hw: vt-d related privilege escalation (CVE-2020-24489)
* hw: improper isolation of shared resources in some Intel Processors
(CVE-2020-24511)
* hw: observable timing discrepancy in some Intel Processors
(CVE-2020-24512)
* hw: information disclosure on some Intel Atom processors (CVE-2020-24513)
Bug Fix(es) and Enhancement(s):
* Update Intel CPU microcode to microcode-20210525 release
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1962650 - CVE-2020-24489 hw: vt-d related privilege escalation
1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors
1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors
1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors
6. Package List:
Red Hat Enterprise Linux Server AUS (v. 7.4):
Source:
microcode_ctl-2.1-22.39.el7_4.src.rpm
x86_64:
microcode_ctl-2.1-22.39.el7_4.x86_64.rpm
microcode_ctl-debuginfo-2.1-22.39.el7_4.x86_64.rpm
Red Hat Enterprise Linux Server E4S (v. 7.4):
Source:
microcode_ctl-2.1-22.39.el7_4.src.rpm
x86_64:
microcode_ctl-2.1-22.39.el7_4.x86_64.rpm
microcode_ctl-debuginfo-2.1-22.39.el7_4.x86_64.rpm
Red Hat Enterprise Linux Server TUS (v. 7.4):
Source:
microcode_ctl-2.1-22.39.el7_4.src.rpm
x86_64:
microcode_ctl-2.1-22.39.el7_4.x86_64.rpm
microcode_ctl-debuginfo-2.1-22.39.el7_4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-24489
https://access.redhat.com/security/cve/CVE-2020-24511
https://access.redhat.com/security/cve/CVE-2020-24512
https://access.redhat.com/security/cve/CVE-2020-24513
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
| VAR-202106-2044 | No CVE | Ren Zixing audit gateway has command execution vulnerabilities |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Ren Zixing Network Technology Co., Ltd. is the most comprehensive provider of large-scale cyberspace security protection solutions in China.
Ren Zixing's audit gateway has a command execution vulnerability. Attackers can use this vulnerability to execute arbitrary commands.
| VAR-202106-2046 | No CVE | TP-LINK Archer C9 has weak password vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Archer C9 is a wireless router product.
TP-LINK Archer C9 has a weak password vulnerability. Attackers can use this vulnerability to log in to the system's management backend and obtain sensitive information.
| VAR-202106-2047 | No CVE | Four-Faith of Xiamen Four-Faith Communication Technology Co., Ltd. has a command execution vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Four-Faith is a router product of Xiamen Four-Faith Communication Technology Co., Ltd.
The Four-Faith router from Xiamen Four-Faith Communication Technology Co., Ltd. has a command execution vulnerability. Attackers can use this vulnerability to execute arbitrary commands.
| VAR-202106-2241 | No CVE | Unauthorized access vulnerability exists in DocuPrint of Fujifilm Commercial Innovation (China) Co., Ltd. |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
DocuPrint is an all-in-one printer.
Fujifilm Business Innovation (China) Co., Ltd. DocuPrint has an unauthorized access vulnerability, which can be exploited by attackers to obtain sensitive information.
| VAR-202106-2242 | No CVE | A weak password vulnerability exists in the backend of China Telecom's telecom gateway configuration management |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
China Telecom Group Co., Ltd. was established in September 2000. It is a large-scale state-owned communications enterprise in China and a global partner of the Shanghai World Expo.
A weak password vulnerability exists in the backend configuration management of China Telecom's telecom gateway. Attackers can use this vulnerability to log in to the backend to obtain sensitive information.
| VAR-202106-2244 | No CVE | Beijing Digital China Cloud Technology Co., Ltd. DCME-120 has a weak password vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
DCME-120 is a new generation of high-performance Internet egress gateway launched by Beijing Digital China Cloud Information Technology Co., Ltd. using MIPS multi-core high-performance processors to meet the business needs of multiple users, multiple traffic, and multiple business types.
Beijing Digital China Cloud Information Technology Co., Ltd. DCME-120 has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.
| VAR-202106-2048 | No CVE | Command execution vulnerability exists in RG-RAC200b wireless controller |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Ruijie Networks Co., Ltd. is a professional network manufacturer with a full range of network equipment product lines and solutions including switches, routers, software, security firewalls, wireless products, and storage.
The RG-RAC200b wireless controller has a command execution vulnerability, which can be exploited by an attacker to gain control of the server.
| VAR-202106-2049 | No CVE | Shenzhen Jixiang Tengda Technology Co., Ltd. AC 11 has a binary vulnerability (CNVD-2021-32403) |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Tenda AC11 is a wireless router that uses an RTOS operating system.
Shenzhen Jixiang Tengda Technology Co., Ltd. AC 11 has a binary vulnerability, which can be exploited by attackers to cause a denial of service.
| VAR-202106-2050 | No CVE | Shenzhen Jixiang Tengda Technology Co., Ltd. AC 11 has a binary vulnerability (CNVD-2021-32409) |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Tenda AC11 is a wireless router that uses an RTOS operating system.
Shenzhen Jixiang Tengda Technology Co., Ltd. AC 11 has a binary vulnerability, which can be exploited by attackers to cause a denial of service.
| VAR-202106-2051 | No CVE | JCG-wireless router has weak password vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Shenzhen Yichen Technology Co., Ltd. is a professional manufacturer and operator of network and communication equipment.
JCG-wireless router has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.
| VAR-202106-2052 | No CVE | JCG-wireless router has unauthorized access vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Shenzhen Yichen Technology Co., Ltd. is a manufacturer and operator of network and communication equipment.
JCG-wireless router has an unauthorized access vulnerability, which can be exploited by attackers to obtain sensitive information.
| VAR-202106-2053 | No CVE | ZTE Corporation ZXV10 W815N has an arbitrary file reading vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
ZXV10 W815N is a wireless router of ZTE Corporation.
ZTE Corporation ZXV10 W815N has an arbitrary file reading vulnerability, which can be exploited by attackers to obtain sensitive information.