Identity Suite Virtual Appliance and CVE-2023-22809 Vulnerability

Article ID: 259203

Updated On:

Products

CA Identity Suite

Issue/Introduction

Is Identity Suite Virtual Appliance 14.x affected by CVE-2023-22809 vulnerability?

Environment

Release : Identity Suite Virtual Appliance 14.x

Resolution

Yes. CVE-2023-22809 is addressed by applying the following vApp OS patch:
   CP-OS-1404-20230201.tar.gpg

on top of Identity Suite Virtual Appliance 14.4 (Platform v2 - Virtual Appliance running on CentOS Stream 8 or Amazon Linux 2). There is no fix for Identity Suite Virtual Appliance 14.3; customers must upgrade/migrate a 14.3 environment to Virtual Appliance 14.4 (Platform v2 - Virtual Appliance running on CentOS Stream 8 or Amazon Linux 2) and then apply the OS patch.

Please log in to the Broadcom Support Portal and then use the link below to download the patch.

https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111689&os=COS

If you do not have the privileges required to download the OS patch, please raise a Broadcom Support ticket.

Additional Information

https://cve.report/CVE-2023-22809


Certain versions of Sudo from Sudo Project contain the following vulnerability:

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
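As an added example (not part of the Broadcom article), the POSIX shell functions below classify a sudo version string against the affected range quoted above (1.8.0 through 1.9.12p1, fixed in 1.9.12p2) and read the installed version from `sudo --version`. Distribution packages often backport fixes without changing the version string, so a match is a prompt to check the package changelog, not proof of exposure.

```shell
#!/bin/sh
# Added example, not from the Broadcom article: check whether a sudo
# version string falls inside the CVE-2023-22809 affected range.

# Turn "1.9.12p1" into a sortable integer (major*1000000 + minor*10000
# + patch*100 + plevel). A missing "pN" suffix counts as p0.
sudo_version_key() {
    ver=$1
    base=${ver%%p*}                  # "1.9.12"
    plevel=0
    case $ver in
        *p*) plevel=${ver##*p} ;;    # "1"
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "1.9" with no patch field
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# Returns 0 (true) when the version lies in 1.8.0 .. 1.9.12p1.
sudo_version_affected() {
    k=$(sudo_version_key "$1")
    lo=$(sudo_version_key 1.8.0)
    fixed=$(sudo_version_key 1.9.12p2)
    [ "$k" -ge "$lo" ] && [ "$k" -lt "$fixed" ]
}

# Extract the version from the first line of `sudo --version`
# ("Sudo version 1.9.12p1"); an argument lets a captured line be passed in.
sudo_installed_version() {
    line=${1:-$(sudo --version 2>/dev/null | head -n 1)}
    echo "$line" | sed -n 's/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Usage on the appliance: sh check_sudo.sh --check
# Exit status 1 means the version string is in the affected range and the
# package changelog should be inspected for a backported fix.
if [ "${1:-}" = "--check" ]; then
    v=$(sudo_installed_version)
    if sudo_version_affected "$v"; then
        echo "sudo $v is within the CVE-2023-22809 range (1.8.0 - 1.9.12p1)"
        echo "confirm with: rpm -q --changelog sudo | grep CVE-2023-22809"
        exit 1
    fi
    echo "sudo $v is outside the affected range"
fi
```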