
Fedora Linux has long been a favorite operating system (OS) for developers looking for an innovative, free environment. Originally developed and now sponsored by Red Hat, the open-source Fedora Project has a little something for everyone with its Workstation, Server, Internet of Things (IoT), Virtual Machine (VM), and container-optimized CoreOS options. 

Because Fedora is a trusted open-source OS, attackers will seek to exploit any vulnerabilities in it to poison the supply stream. Knowing these 39 Fedora Linux 38 vulnerabilities can help you secure your applications more effectively.

What is Fedora Linux 38 (F38)?

Fedora Linux 38 (F38) is the most recent release of the popular open-source OS. With F38’s April 2023 release, the Fedora Project brought developers:

  • New Spins that showcase different desktop environments
  • A mobile device image for Pinephone, Pinephone Pro, Pinetab, and Librem devices
  • Desktop experience enhancements, including a new lock screen, “background apps” on the quick menu, and accessibility setting improvements
  • Sysadmin improvements with the lighter-weight default package manager microdnf

39 F38 Vulnerabilities You Should Know

Although F38 was only released in April 2023, 158 vulnerabilities in it had been identified by September. However, since not all of those vulnerabilities pose the same risk, this list is based on the following factors:

  • Listed in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerability (KEV) list
  • Exploit Prediction Scoring System (EPSS) rating above 1%, indicating the likelihood of exploitation in the next 30 days
  • Maximum base Common Vulnerability Scoring System (CVSS) score of 8.8 or above

The 39 F38 vulnerabilities you should be worried about are:

  1. CVE-2023-2136 (KEV): allowed a remote attacker who compromised the renderer process to perform a sandbox escape potentially via a crafted HTML page
  2. CVE-2023-3079 (KEV): allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page
  3. CVE-2023-34966 (EPSS 7.93%): allows an attacker to trigger an infinite loop by issuing a malformed RPC request that results in a denial of service (DoS) condition  
  4. CVE-2023-34967 (EPSS 7.55%): allows an attacker to trigger a process crash because multiple client connections share an RPC worker process, so affecting one shared RPC mdssvc worker process affects other clients this worker serves
  5. CVE-2023-38408 (EPSS 3.65%): allows attackers to execute code remotely if an agent is forwarded to an attacker-controlled system, related to an incomplete fix for CVE-2016-10009
  6. CVE-2023-24805: allows attackers with network access to a hosted print server to inject system commands that the running server can execute
  7. CVE-2022-24834: allows attackers with specially crafted Lua scripts executing in Redis to trigger a heap overflow that results in heap corruption and potential remote code execution
  8. CVE-2023-34152: causes a remote code execution vulnerability in OpenBlob with --enable-pipes configured
  9. CVE-2023-36328: allows attackers to execute arbitrary code and cause a denial of service
  10. CVE-2023-2134: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  11. CVE-2023-2133: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  12. CVE-2023-2137: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  13. CVE-2023-36824: potentially triggers a heap overflow in Redis that could result in reading random heap memory, heap corruption, and potentially remote code execution
  14. CVE-2023-2724: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  15. CVE-2023-2461: potentially allows remote attackers who convince users to engage in specific UI interactions to exploit heap corruption
  16. CVE-2023-2721: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  17. CVE-2023-2722: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  18. CVE-2023-2723: potentially allows remote attackers who compromise the renderer process to exploit heap corruption via a crafted HTML page
  19. CVE-2023-2724: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  20. CVE-2023-2725: potentially allows attackers who convince a user to install a malicious extension to exploit heap corruption via a crafted HTML page
  21. CVE-2023-2726: potentially allows attackers that convince a user to install a malicious web app to bypass the install dialog via a crafted HTML page
  22. CVE-2023-3214: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  23. CVE-2023-3215: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  24. CVE-2023-3216: potentially allows remote attackers to exploit heap corruption via a crafted HTML page
  25. CVE-2023-3217: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  26. CVE-2023-4073: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  27. CVE-2023-4349: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  28. CVE-2023-4351: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  29. CVE-2023-4352: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  30. CVE-2023-4353: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  31. CVE-2023-4354: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  32. CVE-2023-4355: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  33. CVE-2023-4356: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  34. CVE-2023-4357: potentially allows remote attackers to bypass file access restrictions via a crafted HTML page
  35. CVE-2023-4358: potentially allows a remote attacker to exploit heap corruption via a crafted HTML page
  36. CVE-2023-4366: potentially allows attackers who convince a user to install a malicious extension to exploit heap corruption via a crafted HTML page
  37. CVE-2023-25358: allows attackers to execute code remotely
  38. CVE-2023-32004: allows a traversal path to bypass file permission verification in an experimental permission model
  39. CVE-2023-32006: allows bypassing the policy mechanism and requiring modules outside of the policy for a given module in an experimental policy mechanism feature

Qwiet.ai: Identifying Real Threats through Reachability

As attackers increasingly target Linux vulnerabilities, you need visibility into the ones that can become genuine threats. Remediating 158 new vulnerabilities over four months is overwhelming, especially as researchers find more CVEs and you build more code. Even keeping up with the 39 high-value vulnerabilities can be challenging, especially as that number can change from one day to the next. 

Qwiet AI’s preZero platform enables you to rapidly scan your code to identify vulnerabilities in source code and business logic. To help you prioritize your activities, you can focus on those vulnerabilities that attackers can actively exploit within the context of your application. Further, our Blacklight is the first threat intelligence feed designed to help developers prioritize fixes by focusing on the exploits, threat actors, ransomware, and botnets actively exploiting vulnerabilities in the wild.

Take our preZero platform for a spin for free to see for yourself how Qwiet AI can help you identify F38 security vulnerabilities.

 

About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, Qwiet AI scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, Qwiet AI then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use Qwiet AI ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in Santa Clara, California. For information, visit: https://qwiet.ai
