The big data driven AI robots development. This is not a dream. (6th Nov 2023)

Preface: As of today, AI tools include ChatGPT, BERT, LaMDA, GPT-3, DALL-E 2, MidJourney, and Stable Diffusion. ChatGPT was released as a freely available research preview, but due to its popularity, OpenAI now operates the service on a freemium model. It allows users on its free tier to access the GPT-3.5-based version.

Background: Legged robots, or walking machines, are designed for locomotion on rough terrain and require control of leg actuators to maintain balance, sensors to determine foot placement, and planning algorithms to determine the direction and speed of movement. Starting from the 5G communication technology era, 5G aims to support a 100-fold increase in traffic capacity and network efficiency, so advanced AI robots will rely on a fast, wide-coverage radio communication network. Meanwhile, advanced artificial intelligence robots with decision-making and thinking mechanisms will rely on remote big data infrastructure. So, do you think this can provide space for how humans govern this AI technology? Since the installation space in legged robots, or walking machines, is limited, this type of design does not give them much intelligence on their own. By offloading complex computations to the cloud, robots can process vast amounts of data quickly and perform tasks that require extensive processing resources, far exceeding the capabilities of their onboard hardware.

Without 5G, there would be no real AI robots:

Coincidences are rare in science. But when we look back at the development history of 5G, we will find that this road was not smooth. On the other hand, if 5G had not arrived in time, I believe the so-called artificial intelligence legged robot would not have been born easily. If a robot cannot walk freely like a human, without area limitations, we cannot say our technologies have migrated to an advanced digital world.

About Artificial Intelligence Endangering Human Existence Value: About three years ago, when you attended a seminar, the speaker would laugh when he heard that AI endangers human existence value. Their comment at that time was: don’t worry too much. They are not as clever as humans. AI technology will only replace low-level jobs. As time goes by, the transformation of industrial processes can tell. AI technology came to our age within a short period of time. In the first week of Nov 2023, the CEO of Tesla, Elon Musk, predicted that human work will become obsolete as artificial intelligence progresses, calling it “the most disruptive force in history.”

It seems we have no choice about this trend. But what can we do?

Headline news: https://www.dailymail.co.uk/sciencetech/article-12706621/When-job-taken-robot-Elon-Musk-insists-AI-mean-no-one-work-experts-reveal-careers-replaced-IMMEDIATELY-face-chop-future.html

Regarding CVE-2023-43018, the focus is on defect remediation (2nd Nov 2023)

Preface: A large portion of banking industry core applications run on IBM zSystems. The operations, including transactional and batch, maintain systems-of-record (SOR) data. Financial institutions, government organizations, and others have been operating, maintaining, and updating their COBOL applications for many years. The reason is that COBOL remains valid while functioning alongside or competing with other modern languages.

Background: IBM CICS® TX is a comprehensive, single package of a transactional runtime with a COBOL compiler enabled on Red Hat® OpenShift®. CICS TX is an effective and efficient way to move your distributed platform transactional applications into the cloud. IBM® CICS® TX Advanced (CICS TX) is a mixed-language application server that provides cloud deployment options for suitable CICS applications using docker and orchestration using Kubernetes.

Vulnerability details: IBM CICS TX performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Cause: “Unrestricted Internet Access/Outbound Connections” affects IBM CICS TX Standard and IBM CICS TX Advanced. IBM CICS TX Standard and IBM CICS TX Advanced have addressed the applicable vulnerability.

Remedy: For network ingress to a CICS TX region, there are several ports to consider:

  • Port 1435 for connecting to region’s listener
  • Port 3270 for cicsteld
  • Port 9087 for metrics collection
  • Port 9443 for admin console
  • Port 2379 for the controller (applies only to CICS TX Standard version)

Network egress is more complex. Examples of network egress which you might want to consider:

  • Other CICS TS / CICS TX regions
  • Connecting to CICS TX Standard Controller (applies only to CICS TX Standard version)

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-43018

About CVE-2023-46129: If your payment system is designed like this technique. You should remain alert! (2nd Nov 2023)

Preface: Payment systems based on a distributed architecture will be more efficient and scalable. Therefore, distributed ledger technology (DLT) will become a trend in the future. The DLT Pilot Regime defines “tokenization of financial instruments” as a process that involves the conversion of traditional financial asset classes into digital tokens that can be stored, transferred and traded on distributed ledgers. Apart from DLT, there are other options in the market. NATS makes it easy for applications to communicate by sending and receiving messages. These messages are addressed and identified by subject strings, and do not depend on network location. Data is encoded and framed as a message and sent by a sender (the original destination).

Background: NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts.

Vulnerability details: The nkeys library’s “xkeys” encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing.

Within the nats-server, the encryption is used for the Auth Callouts feature, introduced with 2.10.0 (September 2023). The Auth Callout request includes the supplied user password. These messages are sent within NATS, and should typically be in a dedicated NATS Account used for callouts, but this is not required. Thus in scenarios where the Callouts are in an account shared with untrusted users or where the callout responders connect without TLS, this may lead to user credential exposure.
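A simplified re-creation of the defect pattern described above, added here as an illustration and not the nkeys library's own code: in Go an array such as [32]byte is a value type, so a function that receives it by value fills a private copy and the caller keeps a zero-filled key. The fillKey routine is a hypothetical stand-in for the real derivation; the seed is constructed sample input.

```go
package main

import (
	"bytes"
	"fmt"
)

// KeyLen mirrors the 32-byte key size of the curve keys used by xkeys.
const KeyLen = 32

// fillKey is a hypothetical stand-in for an internal derivation routine;
// it writes a deterministic, non-zero key derived from seed into dst.
func fillKey(dst []byte, seed []byte) {
	for i := range dst {
		dst[i] = seed[i%len(seed)] ^ byte(0x5a+i)
	}
}

// populateByValue reproduces the defect pattern: `key` is a copy of the
// caller's array, so the mutation below never reaches the caller.
func populateByValue(key [KeyLen]byte, seed []byte) {
	fillKey(key[:], seed)
}

// populateByPointer is the corrected pattern: the callee mutates the
// caller's own array through the pointer.
func populateByPointer(key *[KeyLen]byte, seed []byte) {
	fillKey(key[:], seed)
}

// BrokenKey derives a key the buggy way and returns what the caller ends up using.
func BrokenKey(seed []byte) [KeyLen]byte {
	var key [KeyLen]byte
	populateByValue(key, seed)
	return key // still all zeros
}

// FixedKey derives a key the corrected way.
func FixedKey(seed []byte) [KeyLen]byte {
	var key [KeyLen]byte
	populateByPointer(&key, seed)
	return key
}

// IsAllZero is the sanity check a caller can apply to any derived key before
// handing it to an encryption primitive.
func IsAllZero(key [KeyLen]byte) bool {
	return bytes.Equal(key[:], make([]byte, KeyLen))
}

func main() {
	seed := []byte("constructed-example-seed") // constructed sample input
	fmt.Printf("by value:   all-zero key? %v\n", IsAllZero(BrokenKey(seed)))
	fmt.Printf("by pointer: all-zero key? %v\n", IsAllZero(FixedKey(seed)))
}
```

The by-value variant compiles cleanly and looks identical at the call site, which is why a zero-key check on the derived material is worth keeping even after the fix.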

Affected versions:

nkeys Go library:

 * 0.4.0 up to and including 0.4.5

 * Fixed with nats-io/nkeys: 0.4.6

NATS Server:

 * 2.10.0 up to and including 2.10.3

 * Fixed with nats-io/nats-server: 2.10.4

Official announcement: Please refer to the link for details – https://advisories.nats.io/CVE/secnote-2023-02.txt

CVE-2023-5056: A design weakness found in the Skupper operator causes unauthorized viewing of information outside of the user’s purview. (1st Nov 2023)

Preface: Government agencies and companies in emerging tech, finance, healthcare, and other industries use Red Hat® products and services. OpenShift gives organizations the ability to build, deploy, and scale applications faster both on-premises and in the cloud. It also protects your development infrastructure at scale with enterprise-grade security.

Background: Skupper is a layer 7 service interconnect. It enables secure communication across Kubernetes clusters with no VPNs or special firewall rules. With Skupper, your application can span multiple cloud providers, data centers, and regions. The Skupper Operator creates and manages Application Interconnect sites in Kubernetes. The Skupper operator simply produces the bundle and the index images. Its goal is to avoid introducing a new CRD, relying instead on the site-controller to kick things off based on an existing skupper-site ConfigMap.

Ref: The primary grouping concept in Kubernetes is the namespace. Namespaces are also a way to divide cluster resources between multiple users. That being said, there is no security between namespaces in Kubernetes; if you are a “user” in a Kubernetes cluster, you can see all the different namespaces and the resources defined in them.

Vulnerability details: A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user’s purview.

Additional: If the Skupper operator is running and a user in a given namespace creates a ConfigMap with the name skupper-site and includes in the data the line `cluster-permissions: "true"`, then the operator will create a service account in that namespace that has cluster permissions enabling it to watch deployments in all namespaces on the cluster. This is the case even if the user creating that ConfigMap does not themselves have access to other namespaces.

Official announcement: Please refer to the link for details – https://access.redhat.com/errata/RHSA-2023:6219

CVE-2023-21372: Google Android design flaw, component Libdexfile triggers an out-of-bounds vulnerability. (31st Oct 2023)

Preface: Many users agree that learning Apex is simpler than learning Java because there is less syntax.

Background: Apex is a proprietary language developed by Salesforce.com. It is a strongly typed, object-oriented programming language that allows developers to execute flow and transaction control statements on the Force.com platform server in conjunction with calls to the Force.com API.

Remark: The file (libdexfile[.]so) belongs to APEX_MODULE_LIBS. Whereby, I changed my security focus to the APEX proprietary language.

Vulnerability details: In libdexfile, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Remark: Due to the limited details released in the vulnerability advisory, see whether the situations in the attached diagram can trigger similar faults.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-21372

Remedy of CVE-2023-46862: Kernel (io_uring/fdinfo[.]c) enhancement: lock SQ thread while retrieving thread cpu/pid (30th Oct 2023)

Preface: Quick comparison of Windows (IoRing) and Linux (io_uring):

Windows: The kernel fully initializes the new ring, including the creation of both queues and creating a shared view in the application’s user-mode address space, using an MDL (memory descriptor list).

Linux: In the Linux io_uring implementation, the system creates the requested ring and the queues but does not map them into user space. The application is expected to call mmap(2) using the appropriate file descriptors to map both queues into its address space, as well as the SQE array, which is separate from the main queue.

Background: A potential performance benefit of io_uring for network I/O is reducing the number of syscalls.

Vulnerability details: An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo[.]c io_uring_show_fdinfo NULL pointer dereference can occur.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-46862

Observation: Most null pointer issues result in general software reliability problems, but if an attacker can intentionally trigger a null pointer dereference, the attacker might be able to use the resulting exception to bypass security logic.

Many io_uring features are available in Red Hat Enterprise Linux 9.3, which is distributed with kernel version 5.14.

The CVSS score has not yet been defined, but we know the vulnerability can be triggered during a proof-of-concept exercise, probably by a local attack (rather than a remote attack). Still, we should fix this design flaw immediately.

Don’t take it lightly: CVE-2023-46753, regarding the BGP protocol in FRRouting (26-10-2023)

Preface: Microsoft has been a mainstay of the computer systems world for more than four decades. At the same time, it also promotes the development of the Internet and other technologies. About fifteen years ago, virtual machines led the way, bringing the concept into the business world and successfully fending off mainstream cybersecurity attacks. It seems that the computer system has quietly transformed into a virtual world. Maybe you will say because of cloud technology. The collaboration between network technology and cloud computing creates another potential opportunity for open source network software to jump into the competition.

Background: FRRouting (FRR) is a free and open source Internet routing protocol suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS, PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for EIGRP and NHRP.

The FRR suite consists of various protocol-specific daemons and a protocol-independent daemon called zebra. Each of the protocol-specific daemons is responsible for running the relevant protocol and building the routing table based on the information exchanged.

Remark: zebra is an IP routing manager. It provides kernel routing table updates, interface lookups, and redistribution of routes between different routing protocols.

Vulnerability details: An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-46753

CVE-2023-5044: Design weakness of ingress-nginx (26th Oct 2023)

Preface: You can configure the nginx ingress controller in various ways. To use the OpenStack load balancer Octavia with SSL offloading, you will need to configure the ingress controller with the proxy protocol. The alternative would be to use the OpenStack service Barbican to store your SSL certificate, which is currently not directly supported by Kubernetes.

Background: The Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name-based virtual hosting.

Vulnerability details: A security issue was identified in ingress-nginx where the nginx[.]ingress[.]Kubernetes[.]io/permanent-redirect annotation on an Ingress object (in the networking[.]k8s[.]io or extensions API group) can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Affected Versions : <v1.9.0

Versions allowing mitigation: v1.9.0

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5044

SUSE Enterprise Linux Server 15: Apart from the libvirt framework, how does it manage memory in units called pages? (25-10-2023)

Preface: HPE Cray OS is based on standard SUSE Enterprise Linux Server 15. A supercomputer, dubbed Frontier, was developed by HPE Cray. HPE Cray OS allows Frontier to run standard Linux applications, and rather than replacing the OS it enhances it for performance, scale, and reliability.

Ref: Frontier is based on the latest HPE Cray EX235a architecture and equipped with AMD EPYC 64C 2GHz processors. The system has 8,699,904 total cores, a power efficiency rating of 52.59 gigaflops/watt, and relies on Slingshot-11 interconnect for data transfer.  

SUSE Enterprise Linux Server 15: How does it manage memory in units called pages?

Linux manages memory in units called pages (the default page size is 4 KB). Linux and the CPU need to know which pages belong to which process. Those parameters are stored in a page table. If a high volume of processes is running, it takes more time to find where the memory is mapped, because of the time required to search the page table. To speed up the search, the TLB (Translation Lookaside Buffer) was invented. But on a system with a lot of memory, the TLB is not enough.

To avoid any fallback to normal page table (resulting in a cache miss, which is time consuming), huge pages can be used. Using huge pages will reduce TLB overhead and TLB misses (pagewalk).

Example: A host with 32 GB (32*1024*1024 = 33,554,432 KB) of memory and a 4 KB page size has a TLB with 33,554,432/4 = 8,388,608 entries. Using a 2 MB (2048 KB) page size, the TLB only has 33,554,432/2048 = 16,384 entries, considerably reducing the TLB misses.

Closer look of CVE-2023-34051: VMware Aria Operations for Logs contains an authentication bypass vulnerability. (24th Oct 2023)

Preface: VMware Aria Operations™ for Logs (formerly VMware vRealize® Log Insight™) simplifies complex log management through dashboards to provide the shortest path to identifying the problem.

Background: What is Aria Operations for Logs? It is centralized log management: VMware Aria Operations for Logs manages data at scale with centralized log management, deep operational visibility, and intelligent analytics for troubleshooting and auditing across environments. The protocol that the agent uses to send log events to the Aria Operations for Logs server can be cfapi or syslog; the default is cfapi. Ingestion API (CFAPI): the ingestion API provides several advantages over the syslog protocol, including the ability to collect statistical and operational information about the agents directly in the server UI, and it also allows server-side configurations to be pushed to agents. vRealize Log Insight uses Apache Thrift for node-to-node communication.

Vulnerability details: VMware Aria Operations for Logs contains an authentication bypass vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.

Additional: Code execution is achieved by triggering a RemotePakDownloadCommand command via the exposed Thrift service after obtaining the node token by calling a GetConfigRequest Thrift command. After the download, a PakUpgradeCommand is triggered to process the specially crafted PAK archive, which then places the JSP payload under a certain pre-authenticated API endpoint location upon extraction, gaining remote code execution.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-34051

antihackingonline.com