Chief Scientist Emeritus Fabian Yamaguchi and foundational Code Property Graph technology recognized with IEEE Test of Time Award

Fedora Linux has long been a favorite operating system (OS) for developers looking for an innovative, free environment. Originally developed and now sponsored by Red Hat, the open-source Fedora Project has a little something for everyone with its Workstation, Server, Internet of Things (IoT), Virtual Machine (VM), and container-optimized CoreOS options. 

As a trusted open-source OS, attackers will seek to exploit any vulnerabilities to poison the supply stream. Knowing these 39 Fedora Linux 38 vulnerabilities can help you secure your applications more effectively.

What is Fedora Linux 38 (F38)?

Fedora Linux 38 (F38) is the most recent release of the popular open-source OS. With F38’s April 2023 release, the Fedora Project brought developers:

  • New Spins that showcase different desktop environments
  • A mobile device image for Pinephone, Pinephone Pro, Pinetab, and Librem devices
  • Desktop experience enhancements, including a new lock screen, “background apps” on the quick menu, and accessibility setting improvements
  • Sysadmin improvements with the lighter-weight default package manager microdnf

39 F38 Vulnerabilities You Should Know

Although only released in April 2023, 158 vulnerabilities in F38 had been identified by September. However, since not all of those vulnerabilities pose the same risk, this list is based on the following factors:

  • Listed in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerability (KEV) list
  • Exploit Prediction Scoring System (EPSS) rating above 1%, indicating the likelihood of exploitation in the next 30 days
  • Maximum base Common Vulnerability Scoring System (CVSS) score of 8.8 or above

The 39 F38 vulnerabilities you should be worried about are:

  1. CVE-2023-2136 (KEV): allowed a remote attacker who compromised the renderer process to perform a sandbox escape potentially via a crafted HTML page
  2. CVE-2023-3079 (KEV): allowed remote attacker to potentially exploit heap corruption via a crafted HTML page
  3. CVE-2023-34966 (EPSS 7.93%): allows an attacker to trigger an infinite loop by issuing a malformed RPC request that results in a denial of service (DoS) condition  
  4. CVE-2023-34967 (EPSS 7.55%): allows an attacker to trigger a process crash because multiple client connections share an RPC worker process, so affecting one shared RPC mdssvc worker process affects other clients this worker serves
  5. CVE-2023-38408 (EPSS 3.65%): allows attackers to execute code remotely if an agent is forwarded to an attacker-controlled system, related to an incomplete fix for CVE-2016-10009
  6. CVE-2023-24805: allows attackers with network access to a hosted print server to inject system commands that the running server can execute.
  7. CVE-2022-24834: allows attackers with specially crafted Lua scripts executing in Redis to trigger a heap overflow that results in heap corruption and potential remote code execution. 
  8. CVE-2023-34152: causes a remote code execution vulnerability in OpenBlob with –enable-pipes configured
  9. CVE-2023-36328: allows attackers to execute arbitrary code and cause a denial of service
  10. CVE-2023-2134: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  11. CVE-2023-2133: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  12. CVE-2023-2137: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  13. CVE-2023-36824: potentially triggers a heap overflow in Redis that could result in reading random heap memory, heap corruption, and potentially remote code execution
  14. CVE-2023-2724: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  15. CVE-2023-2461: allows remote attackers who convince users to engage in specific UI interactions potential to exploit heap corruption
  16. CVE-2023-2721: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  17. CVE-2023-2722: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  18. CVE-2023-2723: potentially allows remote attackers who compromise the renderer process to exploit heap corruption via a crafted HTML page
  19. CVE-2023-2724: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  20. CVE-2023-2725: potentially allows attacks that convince a user to install a malicious extension to exploit heap corruption via a crafted HTML page
  21. CVE-2023-2726: potentially allows attackers that convince a user to install a malicious web app to bypass the install dialog via a crafted HTML page
  22. CVE-2023-3214: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  23. CVE-2023-3215: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  24. CVE-2023-3216: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  25. CVE-2023-3217: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  26. CVE-2023-4073: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  27. CVE-2023-4349: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  28. CVE-2023-4351: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  29. CVE-2023-4352: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  30. CVE-2023-4353: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  31. CVE-2023-4354: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  32. CVE-2023-4355: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  33. CVE-2023-4356: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  34. CVE-2023-4357: potentially allows remote attackers to bypass file access restrictions via a crafted HTML page
  35. CVE-2023-4358: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  36. CVE-2023-4366: potentially allows attacks that convince a user to install a malicious extension to exploit heap corruption via a crafted HTML page
  37. CVE-2023-25358: allows attackers to execute code remotely
  38. CVE-2023-32004: causes a traversal path to bypass when verifying file permissions in an experimental permission model
  39. CVE-2023-32006: allows for policy mechanism bypass and requiring modules outside of the policy for a given module in an experimental policy mechanism feature

Qwiet.ai: Identifying Real Threats through Reachability

As attackers increasingly target Linux vulnerabilities, you need visibility into the ones that can become genuine threats. Remediating 158 new vulnerabilities over four months is overwhelming, especially as researchers find more CVEs and you build more code. Even keeping up with the 39 high-value vulnerabilities can be challenging, especially as that number can change from one day to the next. 

Qwiet AI’s preZero platform enables you to rapidly scan your code to identify vulnerabilities in source code and business logic. To help you prioritize your activities, you can focus on those vulnerabilities that attackers can actively exploit within the context of your application. Further, our Blacklight is the first threat intelligence feed designed to help developers prioritize fixes by focusing on the exploits, threat actors, ransomware, and botnets actively exploiting vulnerabilities in the wild.

Take our preZero platform for a spin for free to see for yourself how Qwiet AI can help you identify F38 security vulnerabilities.

 

About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, Qwiet AI scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, Qwiet AI then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use Qwiet AI ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in Santa Clara, California. For information, visit: https://qwiet.ai

Share

Read Next

Cybersecurity
May 29, 2024 3 min to read

GitHub Copilot & Advanced Security : The Fox Guardin...

by Team Qwiet

GitHub Copilot, the AI-powered coding assistant, has emerged as a game-changer in the software development landscape. By harnessing the power of generative AI, Copilot promises to accelerate coding tasks, boost developer productivity, and even democratize coding by making it more accessible to newcomers. However, as with any transformative technology, there are caveats. In Copilot’s case, […]

READ MORE
AI Announcements Cybersecurity
April 29, 2024 4 min to read

The Qwiet AI Code Doctor Will See You Now – Introdu...

by Stuart McClure

Qwiet AI and the ancient Greek physicians like the father of medicine Hippocrates have much in common. Hippocrates highlighted the significance of a healthy diet and lifestyle in preventing diseases and acknowledged the root cause of physical and psychological ailments as diet and lifestyle choices (Διαιτήμασί in Greek), and now Qwiet AI is delivering his […]

READ MORE
AI Cybersecurity
April 29, 2024 10 min to read

Revolutionizing Vulnerability Detection and Patching

by Chetan Conikee

In the ever-evolving landscape of software development, ensuring the security of applications has become a paramount concern. As cyber threats continue to grow in sophistication, it is crucial for developers and security professionals to stay ahead of the curve. This article explores a groundbreaking approach that combines the power of Code Property Graphs (CPGs) and […]

READ MORE

Read Next

Cybersecurity
November 22, 2021 5 min to read

Getting to Know Compliance in Software Development

On March 21, the Biden administration directed US companies to "harden your cyber defenses immediately." With these new federal guidelines for application security, the White House urged software developers to deploy "modern tools that can detect known and potential vulnerabilities" in their custom and open-source software (OSS). Learn more about how ShiftLeft can help.

READ MORE
AppSec Cybersecurity DevOps Engineering
August 3, 2023 4 min to read

What Would You Do With 10,000 Hours?

by Bruce Snell

I’m sure we’re all familiar with the idea made popular by Malcolm Gladwell’s book Outliers that it takes 10,000 hours to truly master something.  Based on the paper “The Role of Deliberate Practice in the Acquisition of Expert Performance“, the research data indicates that people who are experts in a field got to that level […]

READ MORE
Cybersecurity
September 14, 2023 4 min to read

TL;DR: CISA’s Secure-by-Design and Default

As the US federal government continues to inch toward implementing the various national cybersecurity executive orders and implementation strategies, the Cybersecurity and Infrastructure Security Agency (CISA) will be publishing more documents to help companies achieve the desired outcomes. To be more succinct, agencies are going to write a lot about actions developers must take to […]

READ MORE
Subscribe to newsletter
Privacy Policy Terms of Service © 2024 Qwiet. All rights reserved
Services
Company
Platform
Resources
Log In