Tony Zeoli, Tony Hayes Security Vulnerabilities

ownCloud: GitHub Security Lab (GHSL) Vulnerability Report: SQLInjection in FileContentProvider.kt (GHSL-2022-059)

The GitHub Security Lab team has identified potential security vulnerabilities in Owncloud Android app. We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team. If.....

Raptor Technologies Volunteer Management Client-Side Security Controls (FIXED)

Prior to Mar 18, 2023, due to a reliance on client-side controls, authorized users of Raptor Technologies Volunteer Management SaaS products could effectively enumerate authorized users, and could modify restricted and unrestricted fields in the accounts of other users associated with the same...

Unbreakable Enterprise kernel security update

[5.15.0-100.96.32] - crypto: Report fips module name and version for aarch64 (Saeed Mirzamohammadi) [Orabug: 35225251] - uek-rpm: Enable RFC7919 config for aarch64 (Saeed Mirzamohammadi) [Orabug: 35225251] [5.15.0-100.96.31] - uek-rpm: Update linux-firmware dependency (Somasundaram...

Unbreakable Enterprise kernel-container security update

[4.14.35-2047.523.4.1] - mm: kvmalloc does not fallback to vmalloc for incompatible gfp flags (Michal Hocko) [Orabug: 35164196] [4.14.35-2047.523.4] - rds: ib: Keep IB MRs on clean_list unless we are tearing down the pool (Hakon Bugge) [Orabug: 34987235] - rds: ib: Add FRWR related statistics...

Unbreakable Enterprise kernel security update

[4.14.35-2047.523.4.1] - mm: kvmalloc does not fallback to vmalloc for incompatible gfp flags (Michal Hocko) [Orabug: 35164196] [4.14.35-2047.523.4] - rds: ib: Keep IB MRs on clean_list unless we are tearing down the pool (Hakon Bugge) [Orabug: 34987235] - rds: ib: Add FRWR related statistics...

Unbreakable Enterprise kernel-container security update

[5.4.17-2136.317.5.3] - udf: Fix file corruption when appending just after end of preallocated extent (Jan Kara) [Orabug: 35192150] - selftests/ftrace: Fix bash specific '==' operator (Masami Hiramatsu (Google)) [Orabug: 35192150] - net: Fix unwanted sign extension in netdev_stats_to_stats64()...

Unbreakable Enterprise kernel security update

[5.4.17-2136.317.5.3] - udf: Fix file corruption when appending just after end of preallocated extent (Jan Kara) [Orabug: 35192150] - selftests/ftrace: Fix bash specific '==' operator (Masami Hiramatsu (Google)) [Orabug: 35192150] - net: Fix unwanted sign extension in netdev_stats_to_stats64()...

What Tech Companies Should Look For in Cloud Security

The cloud's computing power and flexibility unlocks unprecedented speed and efficiency—a tech company's two best friends. But with that speed and efficiency comes new environments and touchpoints in an organization's footprint. That expanding attack surface brings along with it an expanding range.....

Denial of Service in graphql-go

Impact This is a DoS vulnerability that is possible due to a bug in the library that would allow an attacker with specifically designed queries to cause stack overflow panics. Any user with access to the GraphQL handler can send these queries and cause stack overflows. This in turn could...

Unbreakable Enterprise kernel-container security update

[4.14.35-2047.522.3] - ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC (Sasha Levin) [Orabug: 34653896] {CVE-2022-3303} - net/rds: Fill in rds_exthdr_size gaps (Gerd Rausch) [Orabug: 34979172] - net/rds: Trigger rds_send_hs_ping() more than once (Gerd Rausch) [Orabug: 34607787] - Revert 'RDS:...

Unbreakable Enterprise kernel security update

[4.14.35-2047.522.3] - ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC (Sasha Levin) [Orabug: 34653896] {CVE-2022-3303} - net/rds: Fill in rds_exthdr_size gaps (Gerd Rausch) [Orabug: 34979172] - net/rds: Trigger rds_send_hs_ping() more than once (Gerd Rausch) [Orabug: 34607787] - Revert 'RDS:...

Unbreakable Enterprise kernel-container security update

[5.4.17-2136.316.7] - runtime revert of virtio_net: Stripe queue affinities across cores. (Konrad Rzeszutek Wilk) [Orabug: 35001045] [5.4.17-2136.316.6] - block: Change the granularity of io ticks from ms to ns (Gulam Mohamed) [Orabug: 34780807] - powercap: intel_rapl: support new layout of...

Unbreakable Enterprise kernel security update

[5.4.17-2136.316.7] - runtime revert of virtio_net: Stripe queue affinities across cores. (Konrad Rzeszutek Wilk) [Orabug: 35001045] [5.4.17-2136.316.6] - block: Change the granularity of io ticks from ms to ns (Gulam Mohamed) [Orabug: 34780807] - powercap: intel_rapl: support new layout of...

New ESXiArgs Ransomware Variant Emerges After CISA Releases Decryptor Tool

After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a...

Prototype Pollution in cookiex/deep

The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the proto...

OSINT your OT suppliers

There is much talk about supply chain security and reviewing your suppliers for cyber security. But how much information do they intentionally and unintentionally leak about your organisation online? We see this particularly in the industrial controls sector as its cyber security maturity is...

ownCloud: GitHub Security Lab (GHSL) Vulnerability Report: Insufficient path validation in ReceiveExternalFilesActivity.java (GHSL-2022-060)

The GitHub Security Lab team has identified potential security vulnerabilities in Owncloud Android app. We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team. If.....

Unbreakable Enterprise kernel-container security update

[5.15.0-6.80.3.1] - Revert 'rds: ib: Enable FC by default' (Hakon Bugge) [Orabug: 34964359] [5.15.0-6.80.3] - net/mlx5: Suppress error logging on UCTX creation (Marina) [Orabug: 34888471] - rds: ib: Fix leaked MRs during kexec (Hakon Bugge) [Orabug: 34892082] - uek-rpm: Add ptp_kvm.ko to core...

Unbreakable Enterprise kernel security update

[5.15.0-6.80.3.1] - Revert 'rds: ib: Enable FC by default' (Hakon Bugge) [Orabug: 34964359] [5.15.0-6.80.3] - net/mlx5: Suppress error logging on UCTX creation (Marina) [Orabug: 34888471] - rds: ib: Fix leaked MRs during kexec (Hakon Bugge) [Orabug: 34892082] - uek-rpm: Add ptp_kvm.ko to core...

Unbreakable Enterprise kernel-container security update

[5.4.17-2136.315.5] - Revert 'xfs: fix use-after-free on CIL context on shutdown' (Sherry Yang) [Orabug: 34917369] [5.4.17-2136.315.4] - net/mlx5: Suppress error logging on UCTX creation (Marina) [Orabug: 34888473] - uek-rpm: Add ptp_kvm.ko to nano rpm (Somasundaram Krishnasamy) [Orabug:...

Unbreakable Enterprise kernel-container security update

[4.14.35-2047.521.4.el7] - tcp: Tunables for TCP delayed ack (min and max) timers (Venkat Venkatsubra) [Orabug: 34883100] [4.14.35-2047.521.3.el7] - Revert 'random: use expired timer rather than wq for mixing fast pool' (Saeed Mirzamohammadi) [Orabug: 34918228] [4.14.35-2047.521.2.el7] -...

Unbreakable Enterprise kernel security update

[4.14.35-2047.521.4] - tcp: Tunables for TCP delayed ack (min and max) timers (Venkat Venkatsubra) [Orabug: 34883100] [4.14.35-2047.521.3] - Revert 'random: use expired timer rather than wq for mixing fast pool' (Saeed Mirzamohammadi) [Orabug: 34918228] [4.14.35-2047.521.2] - RDS/IB: Fix the...

Unbreakable Enterprise kernel security update

[5.4.17-2136.315.5] - Revert 'xfs: Lower CIL flush limit for large logs' (Sherry Yang) [Orabug: 34917369] - Revert 'xfs: Throttle commits on delayed background CIL push' (Sherry Yang) [Orabug: 34917369] - Revert 'xfs: fix use-after-free on CIL context on shutdown' (Sherry Yang) [Orabug:...

tony-sewing-machine.com.tw Cross Site Scripting vulnerability OBB-2922608

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

Cengage LTI Session Management Leakage

Prior to December 10, 2022, Cengage, an education technology provider in use in many higher education environments primarily in the United States, had two issues in the way it handled session management over its Learning Tools Integration (LTI) pipeline. The first issue involves leaving...

Google Golang Denial of Service Vulnerability

Google Golang is a statically strongly typed, compiled language from Google, Inc. Go's syntax is close to that of C, but differs for variable declarations. go supports garbage collection features. go's parallel model is based on Tony Hall's Communication Sequential Process (CSP). other languages...

Prototype Pollution

@cookiex/deep is vulnerable to prototype pollution. An attacker is able to exploit the vulnerability to inject arbitrary properties into existing construct prototypes and modify attributes such as proto , constructor and prototype via the assigner...

Code injection

This affects all versions of package @cookiex/deep. The global proto object can be polluted using the proto...

Unbreakable Enterprise kernel-container security update

[5.4.17-2136.314.6.2.el7] - proc: proc_skip_spaces() shouldn't think it is working on C strings (Linus Torvalds) [Orabug: 34883034] {CVE-2022-4378} - proc: avoid integer type confusion in get_proc_long (Linus Torvalds) [Orabug: 34883034] {CVE-2022-4378} [5.4.17-2136.314.6.1.el7] - RDMA/uverbs:...

Unbreakable Enterprise kernel security update

[5.4.17-2136.314.6.2] - proc: proc_skip_spaces() shouldn't think it is working on C strings (Linus Torvalds) [Orabug: 34883034] {CVE-2022-4378} - proc: avoid integer type confusion in get_proc_long (Linus Torvalds) [Orabug: 34883034] {CVE-2022-4378} [5.4.17-2136.314.6.1] - RDMA/uverbs: Move...

Unbreakable Enterprise kernel-container security update

[5.15.0-5.76.5.1] - proc: proc_skip_spaces() shouldn't think it is working on C strings (Linus Torvalds) [Orabug: 34883037] {CVE-2022-4378} - proc: avoid integer type confusion in get_proc_long (Linus Torvalds) [Orabug: 34883037] {CVE-2022-4378} [5.15.0-5.76.5] - KVM: x86: Use SRCU to protect...

Unbreakable Enterprise kernel security update

[5.15.0-5.76.5.1] - proc: proc_skip_spaces() shouldn't think it is working on C strings (Linus Torvalds) [Orabug: 34883037] {CVE-2022-4378} - proc: avoid integer type confusion in get_proc_long (Linus Torvalds) [Orabug: 34883037] {CVE-2022-4378} [5.15.0-5.76.5] - KVM: x86: Use SRCU to protect...

CVE-2021-23442

This affects all versions of package @cookiex/deep. The global proto object can be polluted using the proto...

CVE-2021-23442

This affects all versions of package @cookiex/deep. The global proto object can be polluted using the proto...

Unbreakable Enterprise kernel security update

[5.15.0-4.70.5.2] - Revert 'sched: Remove the limitation of WF_ON_CPU on wakelist if wakee cpu is idle' (Samasth Norway Ananda) [Orabug: 34783367] [5.15.0-4.70.5.1] - NFSv4: Fixes for nfs4_inode_return_delegation() (Trond Myklebust) [Orabug: 34751176] [5.15.0-4.70.5] - uek: kabi: update kABI...

Unbreakable Enterprise kernel-container security update

[5.15.0-4.70.5.2] - Revert 'sched: Remove the limitation of WF_ON_CPU on wakelist if wakee cpu is idle' (Samasth Norway Ananda) [Orabug: 34783367] [5.15.0-4.70.5.1] - NFSv4: Fixes for nfs4_inode_return_delegation() (Trond Myklebust) [Orabug: 34751176] [5.15.0-4.70.5] - uek: kabi: update kABI...

Unbreakable Enterprise kernel security update

[4.14.35-2047.519.2.1] - xfs: trim IO to found COW extent limit (Eric Sandeen) [Orabug: 34765284] - xfs: don't use delalloc extents for COW on files with extsize hints (Christoph Hellwig) [Orabug: 34765284] [4.14.35-2047.519.2] - Revert 'xfs: don't use delalloc extents for COW on files with...

Unbreakable Enterprise kernel-container security update

[4.14.35-2047.519.2.1.el7] - xfs: trim IO to found COW extent limit (Eric Sandeen) [Orabug: 34765284] - xfs: don't use delalloc extents for COW on files with extsize hints (Christoph Hellwig) [Orabug: 34765284] [4.14.35-2047.519.2] - Revert 'xfs: don't use delalloc extents for COW on files with...

Unbreakable Enterprise kernel security update

[5.15.0-3.60.5.1] - fs: remove no_llseek (Jason A. Donenfeld) [Orabug: 34721465] - vfio: do not set FMODE_LSEEK flag (Jason A. Donenfeld) [Orabug: 34721465] - dma-buf: remove useless FMODE_LSEEK flag (Jason A. Donenfeld) [Orabug: 34721465] - fs: do not compare against ->llseek (Jason A....

Unbreakable Enterprise kernel-container security update

[5.15.0-3.60.5.1.el8] - fs: remove no_llseek (Jason A. Donenfeld) [Orabug: 34721465] - vfio: do not set FMODE_LSEEK flag (Jason A. Donenfeld) [Orabug: 34721465] - dma-buf: remove useless FMODE_LSEEK flag (Jason A. Donenfeld) [Orabug: 34721465] - fs: do not compare against ->llseek (Jason A....

Unbreakable Enterprise kernel security update

[5.4.17-2136.312.3.4] - Revert 'fs: check FMODE_LSEEK to control internal pipe splicing' (Saeed Mirzamohammadi) [Orabug: 34666845] [5.4.17-2136.312.3.3] cpus_read_lock() deadlock (Tejun Heo) [Orabug: 34607590] - cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty...

Unbreakable Enterprise kernel-container security update

[5.4.17-2136.312.3.4] - Revert 'fs: check FMODE_LSEEK to control internal pipe splicing' (Saeed Mirzamohammadi) [Orabug: 34666845] [5.4.17-2136.312.3.3] cpus_read_lock() deadlock (Tejun Heo) [Orabug: 34607590] - cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty...

Unbreakable Enterprise kernel-container security update

[5.15.0-2.52.3.el8] - posix-cpu-timers: Cleanup CPU timers before freeing them during exec (Thadeu Lima de Souza Cascardo) [Orabug: 34495548] {CVE-2022-2585} - fix race between exit_itimers() and /proc/pid/timers (Oleg Nesterov) [Orabug: 34495548] - rds: ib: Add preemption control when using...

Unbreakable Enterprise kernel security update

[5.15.0-2.52.3] - posix-cpu-timers: Cleanup CPU timers before freeing them during exec (Thadeu Lima de Souza Cascardo) [Orabug: 34495548] {CVE-2022-2585} - fix race between exit_itimers() and /proc/pid/timers (Oleg Nesterov) [Orabug: 34495548] - rds: ib: Add preemption control when using...

Are you getting the most out of your security platform investment?

In the last few years, most organizations had to accelerate their digital transformation to continue operations during the pandemic. However, as more software, applications, and data architectures were added to the technology stack, the number of tools implemented to secure these assets became...

Unbreakable Enterprise kernel-container security update

r[ 5.4.17-2136.310.7] - net_sched: cls_route: remove from list when handle is 0 (Thadeu Lima de Souza Cascardo) [Orabug: 34480880] {CVE-2022-2588} - x86/spec_ctrl: limit IBRS_FW to retpoline only (Ankur Arora) [Orabug: 34450896] - x86/bugs: display dynamic retbleed state (Ankur Arora) ...

Unbreakable Enterprise kernel security update

[5.4.17-2136.310.7] - net_sched: cls_route: remove from list when handle is 0 (Thadeu Lima de Souza Cascardo) [Orabug: 34480880] {CVE-2022-2588} - x86/spec_ctrl: limit IBRS_FW to retpoline only (Ankur Arora) [Orabug: 34450896] - x86/bugs: display dynamic retbleed state (Ankur Arora) [Orabug:...

Unbreakable Enterprise kernel security update

[5.15.0-1.43.4.1] - net_sched: cls_route: remove from list when handle is 0 (Thadeu Lima de Souza Cascardo) [Orabug: 34460936] {CVE-2022-2588} [5.15.0-1.43.4] - Revert selftests/bpf: add tests verifying unprivileged bpf behaviour (Alan Maguire) [Orabug: 34399286] - Revert selftests/bpf: Add...

Unbreakable Enterprise kernel security update

[4.14.35-2047.516.1.1] - net_sched: cls_route: remove from list when handle is 0 (Thadeu Lima de Souza Cascardo) [Orabug: 34460938] {CVE-2022-2588} [4.14.35-2047.516.1] - KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast() (Vitaly Kuznetsov) [Orabug:...

Unbreakable Enterprise kernel-container security update

[5.15.0-1.43.4.1] - net_sched: cls_route: remove from list when handle is 0 (Thadeu Lima de Souza Cascardo) [Orabug: 34460936] {CVE-2022-2588} [5.15.0-1.43.4] - Revert selftests/bpf: add tests verifying unprivileged bpf behaviour (Alan Maguire) [Orabug: 34399286] - Revert selftests/bpf: Add...