Important: CVE-2023-24540 burdens the OpenShift API for Data Protection (OADP), resulting in a security vulnerability (31st Jul 2023)

Preface: Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set “\t\n\f\r\u0020\u2028\u2029” in JavaScript contexts that also contain actions may not be properly sanitized during execution (CVE-2023-24540)
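As an added example (not code from Red Hat, the Go project or the OADP advisory), here is a small Go scanner that flags the condition the advisory describes: a JavaScript whitespace character outside that seven-character set appearing inside a <script> element that also contains a template action. It assumes lowercase <script> tags and inspects template source text only; it does not reproduce html/template's escaper.

```go
package main

import (
	"strings"
	"unicode"
)

// allowedJSSpace is the only whitespace html/template recognised in JS contexts (advisory).
const allowedJSSpace = "\t\n\f\r\u0020\u2028\u2029"

// Finding: a JS-whitespace rune outside allowedJSSpace, at byte Offset in the template.
type Finding struct {
	Offset int
	Char   rune
}

// isJSWhitespace uses the ECMAScript rule: TAB, VT, FF, SP, NBSP, ZWNBSP,
// the four line terminators, or any rune in Unicode category Zs.
func isJSWhitespace(r rune) bool {
	switch r {
	case '\t', '\v', '\f', ' ', '\u00A0', '\uFEFF', '\n', '\r', '\u2028', '\u2029':
		return true
	}
	return unicode.Is(unicode.Zs, r)
}

// ScanTemplate reports, for each lowercase <script> element that holds at least
// one {{...}} action, whitespace JavaScript accepts but html/template did not.
func ScanTemplate(src string) []Finding {
	var out []Finding
	for pos := 0; ; {
		start := strings.Index(src[pos:], "<script")
		if start < 0 {
			return out
		}
		gt := strings.Index(src[pos+start:], ">")
		if gt < 0 {
			return out
		}
		bodyStart := pos + start + gt + 1
		end := strings.Index(src[bodyStart:], "</script")
		if end < 0 {
			end = len(src) - bodyStart // unterminated script: scan to EOF
		}
		body := src[bodyStart : bodyStart+end]
		if strings.Contains(body, "{{") {
			for i, r := range body { // i is a byte offset within body
				if isJSWhitespace(r) && !strings.ContainsRune(allowedJSSpace, r) {
					out = append(out, Finding{Offset: bodyStart + i, Char: r})
				}
			}
		}
		pos = bodyStart + end
	}
}
```

Run it over template files before upgrading to a patched Go release: an empty result means no script block combines an action with the unrecognised whitespace the advisory warns about.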

Background: OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

OADP backs up Kubernetes/OpenShift objects and internal images by saving them as an archive file on object storage. OADP backs up persistent volumes (PVs) by creating snapshots. You can restore all objects in a backup or filter the restored objects by namespace, PV, or label. You can schedule backups at specified intervals.

The default OADP plugins enable Velero, a tool that’s used to integrate with certain cloud providers and to back up and restore OpenShift Container Platform resources.

Security Fix(es) from Bugzilla:

  • golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540)

Affected Products

  • OpenShift API for Data Protection 1 x86_64

Fixes

  • BZ – 2196027 – CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
  • OADP-1504 – oadp-1.0: Restoring pod using image from openshift build randomly ImagePullBackoff

Drones are similar to radio-controlled aircraft, but GPS and (5G or 4G) empowerment are leading the way. (29th Jul 2023)

Preface: Do you think the Chinese words for intelligence and cleverness have similar meanings? If you ask me, perhaps I would say that cleverness refers to the sensitivity of the ears and eyes, while intelligence is about your brain. Maybe you have other explanations. When you watch a sci-fi movie, the AI core sends out drones to detect and arrest people. Maybe the plot is not described in detail. Comprehensive artificial intelligence machine learning should include vision and hearing. The obvious thing about drones is the vision capability of AI.

Background: It seems indisputable that 5G networks can enhance the performance capabilities of drones, although perhaps they cannot be compared with the RF capabilities of military systems. If you're interested in the subject, you'll notice that many manufacturers are capable of designing and producing drones. The reason is that chip manufacturers can provide flight control chips, much open source firmware can easily be downloaded from GitHub, and throttle actuators and flight control surface actuators are also available on the electronics market. The most commonly used languages in avionics software engineering are C, C++, Ada, and Python. In the main definition of network security, the TCP/IP protocol stack is one of the important trigger factors for network attacks. 5G or RF communication is exchanged in the communication gateway, so the IP protocol comes into play after the 5G or RF signal exchange in the gateway. Cybersecurity will therefore never leave this technology.

Ref: STM32 F4, G4, F7 and H7 are popular microcontrollers for drones. The main component of the flight controller unit (FCU) is the microcontroller.

The FCU consists of a processor and an Inertial Measurement Unit with a high precision accelerometer and gyroscope, necessary for stable flight.

Is the development of science and technology in opposition to the natural environment?

Humans can send probes to Mars and create and form artificial intelligence on Earth. Drones can do real-time monitoring even in extremely dangerous zones. Today's medical technology enhances our healthcare. But when we look at the climate today, the Antarctic icebergs are melting, causing disasters and rising sea levels. So far, the situation has not improved!

Let's see whether artificial intelligence can provide solutions for humans soon.

Time-honored brands face an ordeal, caused by CVE-2023-35078! (26th Jul 2023)

Preface: The company was founded in 2007. MobileIron was an early pioneer in mobile security and management for smartphones and tablet computers such as the iPhone, iPad and Android devices.

Background: MobileIron Core supports a number of application program interfaces (APIs):

  • MobileIron WebService API
  • MobileIron V2 API
  • MobileIron ServiceConnect API

The MobileIron V2 API is a RESTful API you use to send HTTPS requests to get data from and provide data to MobileIron. The MobileIron V2 API requires basic authentication to authorize API calls. Each API call requires that the credentials you use for basic authentication belong to a user who has been assigned the necessary role to make that particular call. If this mechanism is misused, a cyber security incident will occur.

Vulnerability details: Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild in July 2023.

Ref: RESTful APIs often use authentication and session management to verify the identity of users and maintain their state across multiple requests. However, if these mechanisms are not implemented correctly, attackers can exploit them to gain unauthorized access to sensitive data or functionality.

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-35078

About Apple Neural Engine (CVE-2023-38136) (26th Jul 2023)

Preface: We can only use the Neural Engine through Core ML. Core ML is the foundation for domain-specific frameworks and functionality. You can build and train a model with the Create ML app bundled with Xcode. Models trained using Create ML are in the Core ML model format and are ready to use in your app.

Background: Core ML is the foundation for domain-specific frameworks and functionality. Frameworks are self-contained, reusable chunks of code and resources you can import into many apps. You can even share them across iOS, tvOS, watchOS and macOS apps. When combined with Swift’s access control, frameworks help define strong, testable interfaces between code modules.

Vulnerability details: Available for devices with Apple Neural Engine: iPhone 8 and later, iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

Ref: The iPhone 14’s A15 chip has a 6-core CPU, 5-core GPU, and a 16-core Neural Engine.

Official announcement: For details, please refer to link – https://support.apple.com/en-us/HT213841

CVE-2023-20593: AMD patched the Zenbleed vulnerability that could allow attackers to exploit several Ryzen and EPYC processors (25th Jul 2023)

Preface: The x86-64-AMD Ryzen Zen 2 CPU is a microprocessor architecture developed by AMD. It is based on the Zen microarchitecture, which was first introduced in 2017. The Zen 2 architecture features a number of improvements over the previous generation, including higher performance, lower power consumption, and support for new features such as PCIe 4.0 and DDR5 memory. It is commonly used in desktops, laptops, and servers.

AMD was still releasing Zen 2 CPUs in 2022, with its AM4 platform shifting to the mainstream while Zen 4 occupies the high-end space.

Background: Zen 2 microarchitecture – The EPYC 7742 Rome processor has a base CPU clock of 2.25 GHz and a maximum boost clock of 3.4 GHz. There are eight processor dies (CCDs) with a total of 64 cores per socket.

Vulnerability details: Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.

Ref: AVX uses sixteen YMM registers to perform a single instruction on multiple pieces of data (see SIMD). Each YMM register can hold, and do simultaneous operations (math) on, either eight 32-bit single-precision floating point numbers or four 64-bit double-precision floating point numbers.

Ref: If your whole program doesn’t use any non-VEX instructions that write xmm registers, you don’t need vzeroupper to avoid state-transition penalties.

Official announcement: For details, please refer to link – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

About CVE-2023-2430: io_uring is a completely new approach to the I/O API. The Linux kernel is super again. (24th Jul 2023)

Preface: How does io_uring work? It works by creating two circular buffers, called "queue rings", for storage of submission and completion of I/O requests, respectively. For storage devices, these are called the submission queue (SQ) and completion queue (CQ).

Background: io_uring can handle various I/O related requests. For example:

  • File related: read, write, open, fsync, fallocate, fadvise, close
  • Network related: connect, accept, send, recv, epoll_ctl
  • Etc…

How is io_uring implemented in the kernel? io_uring has two options when it is created, corresponding to the different ways io_uring handles tasks:

  • After turning on IORING_SETUP_IOPOLL, io_uring will use polling to perform all operations.
  • After enabling IORING_SETUP_SQPOLL, io_uring will create a kernel thread dedicated to harvesting tasks submitted by users.

Vulnerability details: A vulnerability was found due to a missing lock for IOPOLL in io_cqring_event_overflow() in io_uring.c in the Linux kernel. This flaw allows a local attacker with user privileges to trigger a denial of service.

Official announcement: For details, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2023-2430

CVE-2023-22052 – Vulnerability in the Java VM component of Oracle Database Server (19th Jul 2023)

Preface: In Oracle Database, you can store and execute Java code directly in the database using Oracle Java Virtual Machine (OJVM). You can take your Java code, put it into the database and execute it.

Background: You can extend a relational database’s storage, indexing, and searching capabilities to include semistructured and nonstructured data (including Web Services) in addition to enabling federated data. By calling Web Services, the database can track, aggregate, refresh, and query dynamic data produced on-demand, such as stock prices, currency exchange rates, and weather information.

The Web services client code is written in SQL, PL/SQL, or Java to run inside Oracle Database, which then calls the external Web service. You can call a Web service from a Java client within the database, using one of the following methods:

  • SQL and PL/SQL call specifications
  • Pure Java static proxy class
  • Pure Java using dynamic invocation interface (DII) over JAX-RPC

For Web services call-outs using PL/SQL, use the UTL_DBWS PL/SQL package. This package essentially uses the same application programming interfaces (APIs) as the DII classes.

Vulnerability details: Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.19 and 21.3-21.10. Difficult to exploit vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java VM accessible data.

Supported Versions Affected: 19.3-19.19, 21.3-21.10

Official announcement: For details, please refer to the link – https://www.oracle.com/security-alerts/cpujul2023.html

Regarding CVE-2023-3519: Design flaw under specified conditions, said Citrix (July 19, 2023)

Background: Use Citrix Gateway with StoreFront to provide secure remote access for users outside the corporate network and Citrix ADC to provide load balancing.

*Citrix StoreFront is an enterprise application store that provides an interface for users to access XenDesktop and XenApp virtual desktops and applications remotely.

How do I access Citrix StoreFront? On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile. Select the Stores node in the right pane of the Citrix StoreFront management console and, in the results pane, select a store. In the Actions pane, click Configure Remote Access Settings.

Vulnerability details: An attacker can exploit design weakness to execute code remotely without authentication.

Design flaws arise under specified conditions: Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

Ref: StoreFront includes a Cross Site Request Forgery (CSRF) token in the query string of a few URLs. A security concern might arise because the tokens might be retained in the browser history or in the logs of intermediate devices, such as proxy servers.

Official announcement: For details, please refer to the link – https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

The base score is 3.7 (integrity impact). Why is Oracle concerned about CVE-2023-21949? (18th Jul 2023)

Preface: What is Kerberos authentication in a database? Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet. Kerberos support is built into all major computer operating systems, including Microsoft Windows, Apple macOS, FreeBSD and Linux.

Background: The Oracle Advanced Networking Option is an optional product that provides enhanced functionality to SQL*Net. Its set of features provides enhanced security and authentication to your network, enables integration with a Distributed Computing Environment (DCE), and provides access to native directory services through Native Naming Adapters.

Vulnerability details: CVE-2023-21949 – Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 19.3-19.19 and 21.3-21.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Advanced Networking Option accessible data. CVSS 3.1 Base Score 3.7 (Integrity impacts).

Since Oracle didn't provide details, I speculate that this is one of the possibilities leading to the vulnerability. For details, please refer to the attached diagram.

Ref: A vulnerability in the Kerberos authentication feature of the Oracle authentication server adapter could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected DB server that is configured to perform Kerberos authentication for remote or local device access. The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received. An attacker could exploit this vulnerability by spoofing the KDC server response to the authentication server. This malicious response would not have been authenticated by the KDC. A successful attack could allow an attacker to bypass Kerberos authentication.

Official announcement: For details, please refer to the link – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21949

CVE-2023-34124, CVE-2023-34133, CVE-2023-34134, and CVE-2023-34137 – Perhaps multiple vulnerabilities in Tomcat/Apache burden SonicWall GMS/Analytics! (My point-of-view article, published 18th Jul 2023)

Preface: Since a software appliance is customized by the manufacturer, so-called OS and even web server hardening is done by the manufacturer. If the web server and SQL packages contain design flaws (so-called multiple vulnerabilities), sometimes there is no workaround and they need to be patched. But manufacturers of cyber defense utilities were quick to react, and their product design weaknesses will be fixed immediately.

Background: According to w3techs.com statistics, Apache is used by 31.4% of all the websites whose web server we know. What is SonicWall Global Management System?

SonicWall Global Management System (GMS) solves these challenges. GMS integrates management and monitoring, analytics, forensics and audit reporting. This forms the foundation of a security governance, compliance and risk management strategy.

Security Focus: CVE-2023-34124 – The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass.

Tomcat is the web server of GMS/Analytics by design. It can be seen directly as the administrator front-end console/dashboard. When vulnerabilities occur in Tomcat, it is hard to avoid burdening the downstream services.

The manufacturer did not specify the root cause. Let's see whether it can be found.

Perhaps multiple vulnerabilities in Tomcat/Apache burden SonicWall GMS/Analytics!

Below is my observation:

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm.

I believe the manufacturer is very concerned about this place. If the client code calls HttpServletRequest#logout(), it is delegated to getContext().getAuthenticator().logout(this); but AuthenticatorBase#logout(Request) never calls TomcatPrincipal#logout() to free resources.

Vulnerability details: SonicWall has identified four critical vulnerabilities (CVE-2023-34124, CVE-2023-34133, CVE-2023-34134, and CVE-2023-34137) that could allow an unauthenticated attacker to bypass authentication and potentially access sensitive information on vulnerable websites. Affected: an on-prem system running GMS 9.3.2-SP1 or earlier, or Analytics 2.5.0.4-R7 or earlier.

Official announcement: For details, please refer to the link – https://www.sonicwall.com/support/notices/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/