Preface: Before you start reading. Perhaps below two different url will lure your interest of this article. Please read 1 first, then 2

1:vCenter Server Appliance Web Console (VAMI) is removed from vCenter Server 6.0  – https://kb.vmware.com/s/article/2120477

2:Change VCSA 6.7 SSH port – https://communities.vmware.com/t5/VMware-vCenter-Discussions/Change-VCSA-6-7-SSH-port/td-p/1861744

Ref: The vCenter Server appliance is a preconfigured virtual machine that is optimized for running vCenter Server and the associated services. The vCenter Server appliance package contains the following software: Photon OS^® 3.0. The vSphere authentication services. PostgreSQL.

Background: What is the difference between vCenter and vCloud director? A vCenter admin can see virtual data centers, which are logical units for management, a vCloud Director user (tenant) can see only organizational data centers, catalogs, users, and options to manage a virtual organizational data center.

Vulnerability details: VMware Cloud Director Appliance contains an authentication bypass vulnerability in case VMware Cloud Director Appliance was upgraded to 10.5 from an older version. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.Known Attack Vectors On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console). This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present.

Official announcement: Please refer to the link for details –

https://www.vmware.com/security/advisories/VMSA-2023-0026.html

Preface: The technology trend driven transformation in mobile communication world in global. Not only will mobile devices require more RAM to handle 5G-enabled multimedia applications and tasks, As a result, enhancing memory is key to unlocking the 5G future!

Background: The free5GC is an open-source project for 5th generation (5G) mobile core networks. The ultimate goal of this project is to implement the 5G core network (5GC) defined in 3GPP Release 15 (R15) and beyond.

What is 3GPP standard release 15? 3GPP Rel. 15 will update the MC service requirements of the railway and maritime industries. Low-power machine connectivity across trains, ships, and other automobiles will improve, leaving less room for error in critical transmissions and navigation pathway sharing.

Vulnerability details: Buffer Overflow vulnerability in free5gc 3.3.0, UPF 1.2.0, and SMF 1.2.0 allows attackers to cause a denial of service via crafted PFCP messages.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-47346

Preface: When we see new vulnerability information posted on forums or NVD. According to market practice, suppliers have provided patches to customers in advance. Maybe they already received the patch earlier (few weeks ago). But a lot of vulnerability items not intend to disclose the details. Perhaps this is the way. It will reduce the attack ratio. But for the people who have interest to know. For sure it will increase the time to conduct the analytic. We believe Artificial Intelligence is powerful. But if it do not have related information.  AI also cannot provide a precise the answer.

Background: Oracle EBS applications are delivered from servers, databases, storage, and applications hosted in your local network, on-premises. Why use Oracle EBS? Oracle EBS enables organizations to manage their procurement process, from purchasing to invoicing and payment. Supply chain management. Oracle EBS provides a complete solution for managing the supply chain, including inventory management, order management, and logistics. Human resources.

Vulnerability details: Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: UI Components). Supported versions that are affected are ECC: 8, 9 and 10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Enterprise Command Center Framework accessible data as well as unauthorized read access to a subset of Oracle Enterprise Command Center Framework accessible data.

CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts).

CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Remark: The vendor did not provide details of CVE-2023-22107. Will similar vulnerabilities occurs in attached diagram scenarios?

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-22107

https://www.oracle.com/security-alerts/cpuoct2023.html

Preface: While ActiveMQ is a traditional message broker, Apache Kafka is a distributed streaming platform designed to handle high-velocity, high-volume, and fault-tolerant data streams. It was originally developed at LinkedIn and later donated to the Apache Software Foundation.

Background: ActiveMQ is open source, message-oriented middleware (MoM). It was written in Java with a full JMS (Java Message Service) client.  OpenWire is the native protocol that Apache ActiveMQ uses. Message brokers, like ActiveMQ, can filter and process individual events.

Vulnerability details: Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. 

Remedy: Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-46604

Critical: Red Hat AMQ Broker 7.11.4 release and security update – https://access.redhat.com/errata/RHSA-2023:6879

Critical: Red Hat AMQ Broker 7.10.5 release and security update – https://access.redhat.com/errata/RHSA-2023:6878

Critical: security update jboss-amq-6/amq63-openshift container image – https://access.redhat.com/errata/RHSA-2023:6877

Critical: jboss-amq-6-amq63-openshift-container security update – https://access.redhat.com/errata/RHSA-2023:6866

Preface: ARM’s Mali GPUs can be found in smartphones from different brands, including Samsung, Xiaomi, and Oppo. Mali GPUs can be seen on MediaTek, HiSilicon Kirin, and Exynos SOCs

Background: When memory is freed, all pointers into it become invalid, and its contents might either be returned to the operating system, making the freed space inaccessible, or remain intact and accessible.

Vulnerability details: A local non-privileged user can make GPU processing operations that expose sensitive data from previously freed memory.

As usual, the GPU manufacturer did not disclose the details of the vulnerability. So, let’s see if we can narrow down the problem based on limited information and design architecture. Thus, speculate on possible causes.

My observations: Refer to the original design of kernel file (mali_kbase_core_linux[.]c). See below details.

The driver counts the number of FIXABLE and FIXED allocations because they’re not supposed to happen at the same time. However, that is not a security concern: nothing bad happens if the two types of allocations are made at the same time. The only reason why the driver is guarding against them is because there’s no client use case that is supposed to need both of them at the same time, and the driver wants to help the user space catch some obvious mistake.

The driver is able to switch from FIXABLE allocations to FIXED and vice versa, if all the allocations of one kind are freed before trying to create allocations of a different kind.

Consequence: Maybe this will cause a vulnerability to occur.

Official announcement: Please refer to the link for details –

https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

Preface: Banking industry core applications large portion running on IBM zSystems. The operations including transactional and batch, maintain systems-of-record (SOR) data. Financial Institutions, government organizations, and others have been operating, maintaining, and updating their COBOL applications for many years. The reason behind is that COBOL remains valid while functioning or competing with other modern languages.

Background: IBM CICS® TX is a comprehensive, single package of a transactional runtime with a COBOL compiler enabled on Red Hat® OpenShift®. CICS TX is an effective and efficient way to move your distributed platform transactional applications into the cloud. IBM® CICS® TX Advanced (CICS TX) is a mixed-language application server that provides cloud deployment options for suitable CICS applications using docker and orchestration using Kubernetes.

Vulnerability details: IBM CICS TX performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Cause: “Unrestricted Internet Access/Outbound Connections” affects IBM CICS TX Standard and IBM CICS TX Advanced. IBM CICS TX Standard and IBM CICS TX Advanced have addressed the applicable vulnerability.

Remedy: For network ingress to a CICS TX region, there are several ports to consider:

• Port 1435 for connecting to region’s listener
• Port 3270 for cicsteld
• Port 9087 for metrics collection
• Port 9443 for admin console
• Port 2379 for the controller (applies only to CICS TX Standard version)

Network egress is more complex. Examples of network egress which you might want to consider:

• Other CICS TS / CICS TX regions
• Connecting to CICS TX Standard Controller (applies only to CICS TX Standard version)

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-43018

Preface: The payment systems based on a distributed architecture will be enhanced efficient and scalable. Therefore, distributed ledger technology (DLT) will become a trend in future. The DLT Pilot Regime defines “tokenization of financial instruments” as a process that involves the conversion of traditional financial asset classes into digital tokens that can be stored, transferred and traded on distributed ledgers. Apart from DLT, there is other option in the market. NATS makes it easy for applications to communicate by sending and receiving messages. These messages are addressed and identified by subject strings, and do not depend on network location. Data is encoded and framed as a message will be sent by a sender (original destination).

Background: NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. Vulnerability details: The nkeys library’s “xkeys” encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use.  As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing.

Within the nats-server, the encryption is used for the Auth Callouts feature, introduced with 2.10.0 (September 2023). The Auth Callout request includes the supplied user password. These messages are sent within NATS, and should typically be in a dedicated NATS Account used for callouts, but this is not required. Thus in scenarios where the Callouts are in an account shared with untrusted users or where the callout responders connect without TLS, this may lead to user credential exposure.

Affected versions:

nkeys Go library:

 * 0.4.0 up to and including 0.4.5

 * Fixed with nats-io/nkeys: 0.4.6

NATS Server:

 * 2.10.0 up to and including 2.10.3

 * Fixed with nats-io/nats-server: 2.10.4

Official announcement: Please refer to the link for details – https://advisories.nats.io/CVE/secnote-2023-02.txt