CVE-2021-3714: A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local…

CVE-2021-3714 [MEDIUM] CWE-200 kernel: Remote Page Deduplication Attacks kernel: Remote Page Deduplication Attacks A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged. A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged. Statement: This issue affects the versions of the Linux

CVE-2021-3714 [MEDIUM] CVE-2021-3714: linux - A flaw was found in the Linux kernels memory deduplication mechanism. Previous w... A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged. Scope: local bookworm: open bullseye: open forky: open sid: open trixie: open

CVE-2021-3714 [HIGH] CWE-200 GHSA-p9ch-h5p3-4xcq: A flaw was found in the Linux kernels memory deduplication mechanism A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.

CVE-2021-3714 [MEDIUM] CVE-2021-3714: A flaw was found in the Linux kernels memory deduplication mechanism A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.

CVE-2021-41824 [HIGH] CWE-1236 CSV Injection Vulnerability CSV Injection Vulnerability ### Impact In some circumstances, it was possible to export data in CSV format that could trigger a payload in old versions of Excel. If you are accepting user input from untrusted sources and will be exporting that data in CSV format from element index pages and there is a chance users will open that on old versions of Excel, then you should update. ### Patches This has been patched in Craft 3.7.14. ### References * https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714---2021-09-28 * https://twitter.com/craftcmsupdates/status/1442928690145366018 ### For more information If you have any questions or comments about this advisory, email us at [email protected] Credits: BAE Systems AI Vulnerability Research Team – Azrul Ikhwan Zulkifli

Remote Memory-Deduplication Attacks Remote Memory-Deduplication Attacks Martin Schwarzl Graz University of Technology Erik Kraft Graz University of Technology Moritz Lipp Graz University of Technology Daniel Gruss Graz University of Technology Martin Schwarzl Graz University of Technology [email protected] Erik Kraft Graz University of Technology [email protected] Moritz Lipp Graz University of Technology [email protected] Daniel Gruss Graz University of Technology [email protected] ## Abstract Memory utilization can be reduced by merging identical memory blocks into copy-on-write mappings. Previous work showed that this so-called memory deduplication can be exploited in local attacks to break ASLR, spy on other programs, and determine the presence of data, website images. A