Chromium, Linux Kernel, Bind: High Severity Issues And Fixes

Jul 07, 2023 •

2 - 3 min read

Attention Linux Security Enthusiasts! Guess what? Three important security issues were discovered in Chromium, and they're not something to ignore! These vulnerabilities could let remote attackers exploit heap corruption via a crafted HTML page, threatening the confidentiality, integrity and availability of your critical systems. Due to their low attack complexity and high impact, these bugs have earned a "High" severity rating by the National Vulnerability Database. Don't delay - update your systems now to stay safe and secure!

But wait, there's more! We uncover other significant discoveries and fixes, including several denial of service (DoS), code execution, and information disclosure vulnerabilities fixed in the Linux kernel, and multiple remotely exploitable DoS bugs in the Bind Internet Domain Name Server that distros continue to release advisory updates for. Keep reading to learn more about these issues and how to protect against them.

Yours in Open Source,

Brittany Signature 150 Esm W150

Chromium

The Discovery

Three important vulnerabilities were discovered in Chromium, including a type confusion in V8 (CVE-2023-3420) and use after frees in Media (CVE-2023-3421) and Guest View (CVE-2023-3422). With a low attack complexity and a high confidentiality, integrity and availability impact, these flaws have received a National Vulnerability Database severity rating of 8.8 out of 10 (“High” severity).

The Impact

These bugs could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

The Fix

An update is available for Chromium that fixes these severe issues. We strongly recommend that all impacted users apply the Chromium updates issued by their distro(s) now to protect against attacks leading to potential system downtime and compromise.

Your Related Advisories:

[distro_list_1]

Linux Kernel

The Discovery

Several security issues were found in the Linux kernel, including an out-of-bounds write vulnerability in the Flower classifier implementation in the kernel (CVE-2023-35788). It was also discovered that for some Intel processors the INVLPG instruction implementation did not properly flush global TLB entries when PCIDs were enabled. With a low attack complexity and a high confidentiality, integrity and availability impact, these flaws have received a National Vulnerability Database severity rating of 7.8 out of 10 (“High” severity).

The Impact

These problems could lead to system crashes resulting in denial of service (DoS), the execution of arbitrary code, or the exposure of sensitive information (kernel memory).

The Fix

Important updates for the kernel that mitigate these issues have been released. We urge all impacted users to apply the Linux kernel updates issued by their distro(s) immediately to protect the confidentiality, integrity and availability of their systems and your sensitive data.

Your Related Advisories:

[distro_list_2]

Bind

The Discovery

Distros continue to release updates for multiple remotely exploitable security issues found in the Bind Internet Domain Name Server. It was discovered that Bind incorrectly handled the cache size limit (CVE-2023-2828) and the recursive-clients quota (CVE-2023-2911). With a low attack complexity and a high availability impact, these bugs have received a National Vulnerability Database severity rating of “High”.

The Impact

A remote attacker could possibly use these issues to cause a denial of service (DoS) by consuming memory or causing Bind to crash.

The Fix

An important Bind security update that fixes these DoS bugs has been released. We strongly recommend that all impacted users apply the Bind updates issued by their distro(s) as soon as possible to prevent system downtime and potential compromise.

Your Related Advisories:

[distro_list_3]