Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs. Understanding and mitigating the vulnerabilities in the Linux kernel is essential in safeguarding you...
Fourteen important vulnerabilities have been discovered in Chromium, including multiple use-after-free and type confusion bugs. With a low attack complexity and a high confidentiality, integrity and availability impact, these issues have received a National Vulnerability Database severity rating of “High”.
Two important security bugs have been found in Ruby. It was discovered that an HTTP response splitting flaw exists in the Ruby cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 (CVE-2021-3362). It was also discovered that a buffer over-read occurs in String-to-Float conversion in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2 (CVE-2022-28739). With a low attack complexity and a high confidentiality and integrity impact, these bugs have received a National Vulnerability Database severity rating of “High”.
An Improper Validation of Array Index vulnerability (CVE-2023-0950) was discovered in the spreadsheet component of The Document Foundation LibreOffice 7.4 versions prior to 7.4.6 and 7.5 versions prior to 7.5.1. With a low attack complexity, no privileges or user interaction required to exploit, and a high confidentiality, integrity and availability impact, this bug has received a National Vulnerability Database (NVD) severity rating of “Critical”.
Multiple important denial of service (DoS) vulnerabilities (CVE-2023-0464 and CVE-2023-2650) have been discovered in the OpenSSL Secure Sockets Layer toolkit. These bugs are easy to exploit and have a high availability impact.
Several significant security issues have been found in the Linux kernel, including a use-after-free vulnerability in the netfilter subsystem (CVE-2023-32233), an an out-of-bounds write vulnerability in the scheduler implementation (CVE-2023-31436), and improper data buffer size validation in the Broadcom FullMAC USB WiFi driver (CVE-2023-1380).
Several buffer overflow vulnerabilities have been identified in ntfs-3g. With a low attack complexity and a high confidentiality, integrity and availability impact, these vulnerabilities have received a National Vulnerability Database (NVD) severity rating of “High”.
It was discovered that Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1 incorrectly handled uploading multiple files using one form field (CVE-2023-31047). With a low attack complexity, no privileges required to exploit, and a high confidentiality, integrity and availability impact, this vulnerability has been rated as “Critical” by the National Vulnerability Database (NVD).
Several important security issues have been found in the Linux kernel, including a slab-out-of-bound read problem (CVE-2023-1380), a heap out-of-bounds read/write vulnerability in the traffic control (QoS) subsystem (CVE-2023-2248), and an out-of-bounds write issue in the kernel before 6.2.13 (CVE-2023-31436). The vulnerabilities have received a National Vulnerability Database (NVD) rating of “high-severity” due to their high confidentiality, integrity and availability impact.
Several important security issues were identified in the runC Open Container Project. It was discovered that runC incorrectly performed access control when mounting /proc to non-directories (CVE-2023-27561), and incorrectly handled /proc and /sys mounts inside a container (CVE-2023-28642).
The Cybersecurity & Infrastructure Security Agency (CISA) added seven new Linux vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on Friday based on evidence of active exploitation, some of which have been known for a decade:
Two important ReDoS issues have been found in the Ruby programming language; one in the URI component (CVE-2023-28755) and one in the Time component (CVE-2023-28756). It was discovered that the URI parser and the Time parser mishandle invalid URLs that have specific characters, causing an increase in execution time for parsing strings to URI and Time objects.
It was discovered that Open vSwitch could be made to stop forwarding packets if it received specially crafted network traffic (CVE-2023-1668). Due to its high availability impact and the low attack complexity required to exploit the bug, this vulnerability has received a National Vulnerability Database (NVD) base score of 8.2 out of 10 (“High” severity).
Several important security issues were discovered in the Linux kernel (CVE-2023-0386, CVE-2023-1829, CVE-2022-2590 and CVE-2022-4095). These bugs have been classified as “high-severity” by the National Vulnerability Database (NVD) due to their high confidentiality, integrity and availability impact.
Several high-severity vulnerabilities have been found in the WebKitGTK web engine, including a use after free issue that may have been actively exploited (CVE-2023-28205).
Git 2.40.1 has been released to address three new security vulnerabilities being disclosed, which have been classified as “high-severity” by the National Vulnerability Database (NVD) due to their high confidentiality, integrity and availability impact, and the low attack complexity and lack of privileges required to exploit them. Due to these security fixes, updates for prior stable Git series are also availble with v2.39.3, v2.38.5, v2.37.7, v2.36.6, v2.35.8, v2.34.8, v2.33.8, v2.32.7, v2.31.8, and v2.30.9.
Several remotely exploitable request smuggling, memory exhaustion, and HTTP response splitting vulnerabilities have been discovered in the Netty Java NIO client/server socket framework.
A use-after-free vulnerability (CVE-2023-1829) has been discovered in the Linux Kernel traffic control index filter (tcindex). It was discovered that the tcindex_delete function does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure, which can later lead to double freeing the structure.