Preface: Forward proxy is used to forward traffic from a client to the internet, while a reverse proxy is used to forward traffic from the internet to a web server.

Background: A reverse proxy is a server, app, or cloud service that sits in front of one or more web servers to intercept and inspect incoming client requests before forwarding them to the web server and subsequently returning the server’s response to the client.

The HTTP specification provides two different ways to specify the end of a request: Content-Length and Transfer-Encoding. Classic request smuggling attacks involve placing both the Content-Length header and the Transfer-Encoding header into a single HTTP/1 request and manipulating these so that the front-end and back-end servers process the request differently.

Vulnerability details: Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

Remedy: Upgrading to version 8.5.96, 9.0.83, 10.1.16 or 11.0.0-M11 eliminates this vulnerability.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-46589

Preface: Prefetching means that monitors the memory access pattern of the running program and tries to predict what data the program will access next and prefetches that data.

The Spatial Memory Streaming, a practical on-chip hardware technique that identifies code- correlated spatial access patterns and streams predicted blocks to the primary cache ahead of demand misses.

Background: Software that performs secret-based memory access is vulnerable to well-known cache-based side channel attacks, which can be used to extract secrets based on memory access patterns.

Vulnerability details: Arm reserved CVE-2023-33936 for this issue, however, the Arm PSIRT is not aware of any implementation which strictly adheres to the earlier specification of FEAT_CSV2 and therefore no Arm-based CPUs are thought to be affected by this change. 

Security Focus: Under certain conditions, it may be possible for code in one hardware-defined context to leak to the speculative execution of code in a different hardware-defined context using virtual address-based cache prefetch predictions.

Affected Products: Under the new guidance in section B2.2.3.11 which will be updated in the next public release of the ArmARM, the Arm PSIRT is not aware of any products affected under the revised specification.

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Prefetcher%20Side%20Channels

Preface: Since we have virtual machines, memory management is more difficult to manage. Maybe you disagree. Yes, in theory, the effective memory type is determined by the PAT entry value and the MTRR value.

Background: The hypervisor (HV) virtualizes real physical memory so an unmodified OS (such as Linux or Android) that is running in a virtual machine can manage its own contiguous physical memory. The ACRN Hypervisor is a Type 1 hypervisor, running directly on bare-metal hardware. Examples of popular bare-metal hypervisors are Microsoft Hyper-V, Citrix XenServer and VMware ESXi. In ACRN, the hypervisor only virtualizes MTRRs fixed range (0~1MB). The HV sets MTRRs of the fixed range as Write-Back for a User VM, and the Service VM reads native MTRRs of the fixed range set by BIOS.

The INVD instruction is a privileged instruction. When the processor is running in protected mode, the CPL of a program or procedure must be 0 to execute this instruction.

Vulnerability details: Improper or unexpected behavior of the INVD instruction in some AMD CPUs may allow an attacker with a malicious hypervisor to affect cache line write-back behavior of the CPU leading to a potential loss of guest virtual machine (VM) memory integrity.

Mitigation:

No mitigation is available for the first or second generations of EPYC™ processors (“Zen 1”, formerly codenamed “Naples”, “Zen 2”, formerly codenamed “Rome”) since the SEV and SEV-ES features are not designed to protect guest VM memory integrity and the SEV-SNP is not available.

As a mitigation for the potential vulnerability, AMD has provided a hot-loadable microcode patch and updated the firmware image for AMD 3rd generation EPYC™ processors (“Zen 3” microarchitecture, formerly codenamed “Milan”) for customers with the AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) feature enabled.  No performance impact is expected from the patch.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-20592

Preface: How is JavaScript different from Java? · Java is an OOP programming language, and Javascript is an OOP description language.

Background: JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWT is suitable for stateless scenarios and APIs, while server-side tokens work best for session-based authentication in web applications.

Vulnerability details: The fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to version 3.3.2, fast-jwt library does not properly prevent JWT algorithm confusion for all public key types.

The ‘publicKeyPemMatcher’ in ‘fast-jwt/src/crypto[.]js’ does not properly match all common PEM formats for public keys. To exploit this vulnerability, an attacker needs to craft a malicious JWT token containing the HS256 algorithm, signed with the public RSA key of the victim application.

Attack scenario: This attack will only work if the victim application utilizes a public key containing the `BEGIN RSA PUBLIC KEY` header. Applications using the RS256 algorithm, a public key with a `BEGIN RSA PUBLIC KEY` header, and calling the verify function without explicitly providing an algorithm, are vulnerable to this algorithm confusion attack which allows attackers to sign arbitrary payloads which will be accepted by the verifier.

Solution: Version 3.3.2 contains a patch for this issue.

Workaround: As a workaround, change line 29 of `blob/master/src/crypto[.]js` to include a regular expression.

Official announcement: Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-48223

Preface: The term cloud native refers to the concept of building and running applications to take advantage of the distributed computing offered by the cloud delivery model. Cloud native involves cloud technologies like microservices, container orchestrators, and auto scaling. AMD 4th Gen EPYC CPU EPYC 97X4 processors, with up to 128 cores, deliver up to 3.7x throughput performance for key cloud native workloads.

Background: AMD EPYC™ 9004 Series Processors represent the fourth generation of AMD EPYC server-class processors. The 4th Gen AMD EPYC processors with AMD 3D V-Cache technology further extend the AMD EPYC 9004 Series of processors to deliver the world’s best x86 CPU for technical computing workloads such as computational fluid dynamics (CFD), finite element analysis (FEA), electronic design automation (EDA) and structural analysis.

Vulnerability details: AMD Processors could allow a local authenticated attacker to bypass security restrictions, caused by an use-after-free vulnerability in the management of an SNP guest context page. By sending a specially crafted request, an attacker could exploit this vulnerability to masquerade as the guest’s migration agent resulting in a potential loss of guest integrity.

Platforms Affected:
AMD 3rd Generation EPYC
AMD 4th Generation EPYC

Official announcement: Official details: Please refer to the link for details –https://www.supermicro.com/en/support/security_AMD_Nov_2023?mlg=0

Preface: As a PostgreSQL database’s workload increases, the instance’s memory usage increases. Instances that consume lots of memory can create a performance bottleneck that can sometimes lead to out-of-memory issues. An integer overflow occurs when you attempt to store inside an integer variable a value that is larger than the maximum value the variable can hold. The C standard defines this situation as undefined behavior. Refer to posgreSQL manual, user-defined functions can be written in C (or a language that can be made compatible with C, such as C++).

Background: PostgreSQL is a powerful, open source object-relational database system. Besides, PostgreSQL is a relational database. It stores data points in rows, with columns as different data attributes. A table stores multiple related rows.

PostgreSQL memory components are broadly divided into two sections:

1.Global memory: this is shared across all processes to execute queries; for example, shared_buffers and max_connections.

2.Local memory: this is dedicated memory assigned to each connection; for example, work_mem, maintenance_work_mem, and temp_buffers.

Vulnerability details: While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.

About CVE-2021-32027: A flaw was found in postgresql. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Fixed In Version: PostgreSQL 16.1, PostgreSQL 15.5, PostgreSQL 14.10, PostgreSQL 13.13, PostgreSQL 12.17 and PostgreSQL 11.22

Official announcement: Official details: Please refer to the link for details –

https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/

Preface: The REP MOVSB/STOSB instruction can enhance fast strings attempts to move as much of the data with larger size load/stores as possible. So, a patch exposes ERMS feature to KVM guests in June 2011.

Background: REP is a prefix that makes the processor repeat the following instruction. It decrements the RCX register each time the following instruction is executed until RCX reaches zero. REP MOVSB assembles to just two bytes of machine code, ‘F3’ and ‘A4’ in hex, so it’s an incredibly concise way of doing a data copy.

When there is an overlap between the source and destination regions, software may need to use memmove instead of memcpy to ensure correctness. It is possible to use REP MOVSB in conjunction with the direction flag (DF) in a memmove() implementation to handle situations where the latter part of the source region overlaps with the beginning of the destination region. However, setting the DF to force REP MOVSB to copy bytes from high towards low addresses will experience significant performance degradation.

Ref: What is the purpose of the direction flag? This flag is used to determine the direction (‘forward’ or ‘backward’) in which several bytes of data will be copied from one place in the memory, to another. The direction is important mainly when the original data position in memory and the target data position overlap.

Vulnerability details: Under certain microarchitectural conditions, Intel has identified cases where execution of an instruction (REP MOVSB) encoded with a redundant REX prefix may result in unpredictable system behavior resulting in a system crash/hang, or, in some limited scenarios, may allow escalation of privilege from CPL3 to CPL0.

Remediation: Intel is providing a microcode update to mitigate this issuehttps://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20231114 

Official details: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-23583

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html

Citrix Hypervisor Security Bulletin for CVE-2023-23583 and CVE-2023-46835 – https://support.citrix.com/article/CTX583037/citrix-hypervisor-security-bulletin-for-cve202323583-and-cve202346835

Preface: Before you start reading. Perhaps below two different url will lure your interest of this article. Please read 1 first, then 2

1:vCenter Server Appliance Web Console (VAMI) is removed from vCenter Server 6.0  – https://kb.vmware.com/s/article/2120477

2:Change VCSA 6.7 SSH port – https://communities.vmware.com/t5/VMware-vCenter-Discussions/Change-VCSA-6-7-SSH-port/td-p/1861744

Ref: The vCenter Server appliance is a preconfigured virtual machine that is optimized for running vCenter Server and the associated services. The vCenter Server appliance package contains the following software: Photon OS^® 3.0. The vSphere authentication services. PostgreSQL.

Background: What is the difference between vCenter and vCloud director? A vCenter admin can see virtual data centers, which are logical units for management, a vCloud Director user (tenant) can see only organizational data centers, catalogs, users, and options to manage a virtual organizational data center.

Vulnerability details: VMware Cloud Director Appliance contains an authentication bypass vulnerability in case VMware Cloud Director Appliance was upgraded to 10.5 from an older version. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.Known Attack Vectors On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console). This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present.

Official announcement: Please refer to the link for details –

https://www.vmware.com/security/advisories/VMSA-2023-0026.html