Guilherme De Almeida Suckevicz

**Name of the Vulnerable Software and Affected Versions** Performance Co-Pilot (PCP) versions 4.3.4 and newer **Description** The issue is related to the pmproxy component of the Performance Co-Pilot (PCP) software, which is used for monitoring and visualizing performance. It involves the exposure of information in an error data area, potentially allowing a remote attacker to execute arbitrary commands. The default pmproxy configuration exposes the Redis server backend to the local network, enabling remote command execution with the privileges of the Redis user. This can only be exploited when pmproxy is running, which is not the default state and requires manual startup, often from the 'Metrics settings' page of the Cockpit web interface. **Recommendations** For PCP versions 4.3.4 and newer, consider disabling the pmproxy service until a patch is available to prevent exploitation. Restrict access to the Redis server backend to minimize the risk of remote command execution. As a temporary workaround, avoid starting the pmproxy service from the 'Metrics settings' page of the Cockpit web interface unless necessary. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cockpit versions 270 and newer **Description** A flaw was found in Cockpit, where deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue allows an attacker to execute arbitrary commands. **Recommendations** For Cockpit versions 270 and newer, consider disabling the sosreport deletion feature via the Cockpit web interface until a patch is available. Restrict access to the Cockpit web interface to minimize the risk of exploitation. Avoid using crafted names when deleting sosreports to prevent command injection.

**Name of the Vulnerable Software and Affected Versions** glibc versions 2.37 and newer **Description** The issue is related to an integer overflow in the ` vsyslog internal` function of the glibc library, which is called by the `syslog` and `vsyslog` functions. This occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. **Recommendations** For glibc versions 2.37 and newer, consider disabling the ` vsyslog internal` function or restricting the use of the `syslog` and `vsyslog` functions until a patch is available. Additionally, avoid using very long messages with these functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** glibc versions 2.37 and newer **Description** The issue is related to an off-by-one heap-based buffer overflow in the ` vsyslog internal` function of the glibc library. This function is called by the `syslog` and `vsyslog` functions. The overflow occurs when these functions are called with a message bigger than INT MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. **Recommendations** For glibc versions 2.37 and newer, consider disabling the ` vsyslog internal` function as a temporary workaround until a patch is available. Restrict the size of messages passed to the `syslog` and `vsyslog` functions to prevent buffer overflows. Avoid using messages bigger than INT MAX bytes in the affected functions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** libvpx versions prior to 1.13.1 **Description** The issue is related to the mishandling of widths in the VP9 codec of the libvpx library, leading to a crash related to encoding. This can be exploited by a remote attacker using a specially crafted HTML page, potentially causing a denial of service. **Recommendations** For versions prior to 1.13.1, update to version 1.13.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the VP9 codec until a patch is available.

**Name of the Vulnerable Software and Affected Versions** glibc (affected versions not specified) **Description** A flaw was found in glibc, where the `getaddrinfo` function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the ` nss * gethostbyname2 r` and ` nss * getcanonname r` hooks without implementing the ` nss * gethostbyname3 r` hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the `getaddrinfo` function should have the `AF INET6` address family with `AI CANONNAME`, `AI ALL`, and `AI V4MAPPED` as flags. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libtiff (affected versions not specified) **Description** The issue is related to a heap-based buffer overflow in the tiffcp utility distributed by the libtiff package. This occurs when a crafted TIFF file is processed, potentially leading to an application crash. The vulnerability is associated with the `cpStripToTile()` function in the `tools/tiffcp.c` file of the LibTIFF library. Exploitation of this vulnerability may allow an attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openCryptoki (affected versions not specified) **Description** A flaw was found in openCryptoki, where the openCryptoki Soft token does not validate the EC key when it is created via C CreateObject or when C DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** logrotate versions prior to 3.20.0 **Description** A flaw was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. **Recommendations** For logrotate versions prior to 3.20.0, update to version 3.20.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the state file to prevent unprivileged users from locking it.

**Name of the Vulnerable Software and Affected Versions** Undertow versions prior to 2.0.35.SP1 Undertow versions prior to 2.0.36.SP1 Undertow versions prior to 2.0.39.Final Undertow versions prior to 2.2.6.SP1 Undertow versions prior to 2.2.7.SP1 Undertow versions prior to 2.2.9.Final **Description** A flaw was found in Undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. **Recommendations** For versions prior to 2.0.35.SP1, update to version 2.0.35.SP1 or later. For versions prior to 2.0.36.SP1, update to version 2.0.36.SP1 or later. For versions prior to 2.0.39.Final, update to version 2.0.39.Final or later. For versions prior to 2.2.6.SP1, update to version 2.2.6.SP1 or later. For versions prior to 2.2.7.SP1, update to version 2.2.7.SP1 or later. For versions prior to 2.2.9.Final, update to version 2.2.9.Final or later.

**Name of the Vulnerable Software and Affected Versions** Undertow versions prior to 2.0.40.Final Undertow versions prior to 2.2.11.Final **Description** A flaw was found in Undertow, related to a potential security issue in flow control handling by the browser over HTTP/2, which may cause overhead or a denial of service in the server. The highest threat from this issue is availability. **Recommendations** For Undertow versions prior to 2.0.40.Final, update to version 2.0.40.Final or later. For Undertow versions prior to 2.2.11.Final, update to version 2.2.11.Final or later.

**Name of the Vulnerable Software and Affected Versions** FFmpeg versions prior to 4.4.2 FFmpeg versions prior to 5.0.1 **Description** An integer overflow issue was discovered in the `g729 parse()` function located in `libavcodec/g729 parser.c` when handling a specially crafted file. This issue can be triggered when processing such a file. **Recommendations** For versions prior to 4.4.2, update to version 4.4.2 or later. For versions prior to 5.0.1, update to version 5.0.1 or later. As a temporary workaround, consider avoiding the use of the `g729 parse()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** openstack-tripleo-heat-templates versions prior to 11.6.1 **Description** An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the `www authenticate uri` parameter in configuration files, which is visible to all end users. This would give sensitive information that may aid in additional system exploitation. **Recommendations** For versions prior to 11.6.1, update to version 11.6.1 or apply the patch available on the `master` branch to resolve the issue. As a temporary workaround, consider restricting access to configuration files that contain the `www authenticate uri` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PackageKit (affected versions not specified) **Description** The issue is related to insufficient protection of internal data in the PackageKit transaction interface. It allows an attacker to gain unauthorized access to protected information. A local user can measure the time it takes for certain methods to execute, determining whether a file owned by root or other users exists. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cockpit versions prior to 260 **Description** A flaw was found in the way Cockpit handles certificate verification performed by the System Security Services Daemon (SSSD), allowing client certificates to authenticate successfully regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this issue is to confidentiality. **Recommendations** For versions prior to 260, update to version 260 or later to resolve the issue. As a temporary workaround, consider restricting the use of client certificates until a patch is available.

**Name of the Vulnerable Software and Affected Versions** glibc (affected versions not specified) **Description** A flaw was found in glibc, where the `gaih inet` function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the `getaddrinfo` function is called and the hosts database in `/etc/nsswitch.conf` is configured with `SUCCESS=continue` or `SUCCESS=merge`. The issue can be exploited by a remote attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.17-rc1 **Description** A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause a kernel oops condition and thus a denial of service by issuing a `KVM XEN HVM SET ATTR` ioctl. **Recommendations** For Linux kernel versions prior to 5.17-rc1, update to version 5.17-rc1 or later to resolve the issue. As a temporary workaround, consider disabling dirty ring logging when no active vCPU context is present to minimize the risk of exploitation. Restrict access to the `KVM XEN HVM SET ATTR` ioctl to prevent unprivileged local attackers from causing a denial of service.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to v5.16-rc6 **Description** A flaw in the Linux kernel's eBPF verifier allows internal memory locations to be returned to userspace when handling internal data structures. This can be exploited by a local attacker with permissions to insert eBPF code into the kernel, potentially leaking internal kernel memory details and defeating some kernel exploit mitigations. **Recommendations** For Linux kernel versions prior to v5.16-rc6, update to version v5.16-rc6 or later to resolve the issue. As a temporary workaround, consider restricting the insertion of eBPF code to the kernel to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** kexec-tools versions prior to 2.0.21-8 kexec-tools versions prior to 2.0.20-47 **Description** A flaw was found in the permissions of a log file created by kexec-tools, allowing a local unprivileged user to read this file and leak kernel internal information from a previous panic. The highest threat from this vulnerability is to confidentiality. **Recommendations** For kexec-tools versions prior to 2.0.21-8, update to version 2.0.21-8 or later. For kexec-tools versions prior to 2.0.20-47, update to version 2.0.20-47 or later.

**Name of the Vulnerable Software and Affected Versions** KVM (affected versions not specified) **Description** A flaw was found in the KVM's AMD code for supporting the Secure Encrypted Virtualization-Encrypted State (SEV-ES). A KVM guest using SEV-ES can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT for a string I/O instruction (for example, outs or ins) using the exit reason `SVM EXIT IOIO`. This issue results in a crash of the entire system or a potential guest-to-host escape scenario. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.