Google Chrome Heap Buffer Overflow Vulnerability
Identifier: CVE-2022-4135
Exploit or POC: Yes (Actively Being Exploited)
Update: https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html
Description: CVE-2022-4135 contains a heap overflow vulnerability identified within the GPU of Google Chrome, preceding version 107.0.5304.121. This vulnerability will allow an attacker to achieve sandbox escape functionality via a specially crafted HTML page. Successfully exploiting this vulnerability requires an attacker to have previously compromised the renderer process within the software.
Mitigation recommendation: Patching is currently the only method of mitigation
RedLegg Action: None at this time.
Quarkus Remote Code Execution (RCE) Vulnerability
Identifier: CVE-2022-4116
Exploit or POC: No
Update: https://quarkus.io/blog/quarkus-2-14-2-final-released/
Description: CVE-2022-4116 allows for drive-by local host attacks provoking remote code execution. This vulnerability lies within the Dev UI Config Editor while the machine is running. Successful exploitation requires an attacker to entice a targeted user into visiting a specially crafted webpage while the Dev UI is running. Please note: a fix for the Red Hat Build of Quarkus 2.7 has not been published to date. See vendor resources for updates. Red Hat Security CVE-2022-4116
Mitigation recommendation: Mitigation steps listed here: https://quarkus.io/blog/quarkus-2-14-2-final-released/
RedLegg Action: None at this time.