The Cybersecurity & Infrastructure Security Agency (CISA) added seven new Linux vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on Friday based on evidence of active exploitation, some of which have been known for a decade:
Several important security issues have been found in the Linux kernel, including a slab-out-of-bound read problem (CVE-2023-1380), a heap out-of-bounds read/write vulnerability in the traffic control (QoS) subsystem (CVE-2023-2248), and an out-of-bounds write issue in the kernel before 6.2.13 (CVE-2023-31436). The vulnerabilities have received a National Vulnerability Database (NVD) rating of “high-severity” due to their high confidentiality, integrity and availability impact.
Several important security issues were identified in the runC Open Container Project. It was discovered that runC incorrectly performed access control when mounting /proc to non-directories (CVE-2023-27561), and incorrectly handled /proc and /sys mounts inside a container (CVE-2023-28642).
Two important ReDoS issues have been found in the Ruby programming language; one in the URI component (CVE-2023-28755) and one in the Time component (CVE-2023-28756). It was discovered that the URI parser and the Time parser mishandle invalid URLs that have specific characters, causing an increase in execution time for parsing strings to URI and Time objects.
It was discovered that Open vSwitch could be made to stop forwarding packets if it received specially crafted network traffic (CVE-2023-1668). Due to its high availability impact and the low attack complexity required to exploit the bug, this vulnerability has received a National Vulnerability Database (NVD) base score of 8.2 out of 10 (“High” severity).
Several important security issues were discovered in the Linux kernel (CVE-2023-0386, CVE-2023-1829, CVE-2022-2590 and CVE-2022-4095). These bugs have been classified as “high-severity” by the National Vulnerability Database (NVD) due to their high confidentiality, integrity and availability impact.
Several high-severity vulnerabilities have been found in the WebKitGTK web engine, including a use after free issue that may have been actively exploited (CVE-2023-28205).
