Marco Benatto

**Name of the Vulnerable Software and Affected Versions** mpg123 (affected versions not specified) **Description** An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenShift Console (affected versions not specified) **Description** A flaw was found in OpenShift Console, allowing a Server Side Request Forgery (SSRF) attack to occur if an attacker supplies all or part of a URL to the server to query. The server, being in a privileged network position, can reach exposed services that aren't readily available to clients due to network filtering. This can potentially disclose information or have other nefarious effects on the system. The `/api/dev-console/proxy/internet` endpoint allows authenticated users to perform arbitrary and fully controlled HTTP(s) requests, and the full response to these requests is returned by the endpoint. Although the endpoint's name suggests requests are only bound to the internet, no such checks are in place, allowing an authenticated user to ask the console to perform arbitrary HTTP requests from outside the cluster to a service inside the cluster. **Recommendations** As a temporary workaround, consider restricting access to the `/api/dev-console/proxy/internet` endpoint until a patch is available. Restrict access to the OpenShift Console to minimize the risk of exploitation. Avoid using the OpenShift Console to perform arbitrary HTTP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat OpenStack platform (affected versions not specified) **Description** The issue arises from the etcd package in the Red Hat OpenStack platform using http://golang.org/x/net/http2 instead of the version provided by Red Hat Enterprise Linux. This results in an incomplete fix for a known problem, which should be addressed by updating the package at compile time. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2023-39325/CVE-2023-44487, known as Rapid Reset. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.

**Name of the Vulnerable Software and Affected Versions** Red Hat OpenStack platform (affected versions not specified) **Description** The issue arises from the etcd package in the Red Hat OpenStack platform using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions. This results in an incomplete fix for a previously identified issue, necessitating an update at compile time. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Quay (affected versions not specified) Description: A flaw in Quay's mirror-registry allows a malicious actor with access to the `config.yaml` file to gain unauthorized access to Quay's database. The issue is related to the storage of critical information in plain-text in the `config.yaml` file of the Jinja template engine. This could enable a remote attacker to exploit the flaw and obtain unauthorized access to sensitive information. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Quay (affected versions not specified) Description: A flaw in Quay's storage of its database in plain text within the mirror-registry on Jinja's config.yaml file poses a risk. This issue could allow a malicious actor with access to this file to gain unauthorized access to Quay's Redis instance. The vulnerability is related to the unencrypted storage of critical information in the config.yaml file of the Jinja templating engine, which could enable a remote attacker to exploit the vulnerability and gain access to Quay's Redis instance. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Quay (affected versions not specified) Description: The issue is related to the storage of critical information in plain text, which can be exploited by a remote attacker to create session cookies and gain unauthorized access to the affected Quay instance. This flaw may affect all instances of Quay deployed using mirror-registry, as they may have the same secret key. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quay (affected versions not specified) **Description** A flaw was found in Quay when using mirror-registry to install it, where a default database secret key is used and stored in plain-text format in a configuration template file. This issue may lead to all instances of Quay deployed using mirror-registry having the same database secret key, allowing a malicious actor to access sensitive information from Quay's database. The vulnerability is related to the unencrypted storage of critical information, which can be exploited by a remote attacker to gain unauthorized access to protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSC (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability found in the AuthentIC driver of OpenSC packages. This vulnerability occurs during the card enrolment process using pkcs15-init when a user or administrator enrols or modifies cards. An attacker must have physical access to the computer system and requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs. This manipulation can allow for compromised card management operations during enrolment. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shim (affected versions not specified) **Description** The issue is related to an out-of-bounds read flaw in Shim when it attempts to validate the SBAT information. This flaw may expose sensitive data during the system's boot phase. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shim (affected versions not specified) **Description** A flaw was found in the MZ binary format in Shim, which is related to an out-of-bounds read. This issue may cause a crash or potentially expose sensitive data during the system's boot phase. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shim (affected versions not specified) **Description** The issue is related to an out-of-bounds read flaw in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mock (affected versions not specified) **Description** The Mock software contains a vulnerability that could potentially be exploited for privilege escalation, enabling the execution of arbitrary code with root user privileges. This weakness stems from the absence of proper sandboxing during the expansion and execution of Jinja2 templates, which may be included in certain configuration parameters. The issue may allow less privileged users to define configuration tags that could be passed as parameters to mock during execution, potentially leading to the utilization of Jinja2 templates for remote privilege escalation and the execution of arbitrary code as the root user on the build server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the ` nvmet req complete()` function, causing kernel panic and a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw was found in the Linux kernel's NVMe driver, which may allow an unauthenticated malicious actor to send crafted TCP packages when using NVMe over TCP. This can lead to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service. The issue is related to the function `nvmet tcp execute request()` in the module `drivers/nvme/target/tcp.c` of the NVMe driver. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw was found in the Linux kernel's NVMe driver, which may allow an unauthenticated malicious actor to send crafted TCP packages when using NVMe over TCP. This can lead to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shim (affected versions not specified) **Description** The issue is related to a flaw in Shim when creating a new ESL variable. If Shim fails to create the new variable, it attempts to print an error message, but the number of parameters used by the logging function does not match the format string, leading to a crash under certain circumstances. This can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shim versions for 32-bit systems **Description** The issue is related to a buffer overflow in the UEFI boot loader shim for 32-bit systems. This overflow occurs due to an addition operation involving a user-controlled value parsed from the PE binary used by shim. The value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw can cause memory corruption and may result in a crash or data integrity issues during the boot phase. **Recommendations** For Shim versions for 32-bit systems, consider disabling the vulnerable component until a patch is available to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shim versions prior to 15.8 **Description** A remote code execution vulnerability was found in Shim, a core component of secure boot in Linux. The vulnerability allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, and an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully. The estimated number of potentially affected devices worldwide is in the millions. **Recommendations** Update to Shim version 15.8 or later to address the vulnerability. As a temporary workaround, consider restricting access to the HTTP boot support feature in Shim until a patch is available. Avoid using Shim with Secure Boot enabled until the issue is resolved. Update the UEFI Secure Boot DBX to include hashes of the vulnerable Shim software and sign the updated version with a valid key.