PatchDay Alert
Daily Digest · 2 min read · 5 CVEs · Issue 27 · By PatchDay Alert

Go SSH silently trusts revoked host keys, NGINX rewrite bypass, and an Oracle DB takeover path

CVE-2026-42508 (CVSS 9.1) means your Go SSH tooling ignores @revoked markers in known_hosts. Also: an NGINX rewrite module access-control bypass at CVSS 8.1, a Perl Archive::Tar symlink path traversal at 9.1, and an unauthenticated Oracle Database Net listener takeover at 9.0. None exploited in the wild yet.

Patch now: 0 · Within 24h: 4 · This week: 1 · Exploited: 0
Go Crypto/Ssh · Libcontainers Common · Packer · Telegraf · Linux · NGINX · Linux Kernel · Perl · Archive::Tar · Oracle Database Server · Oracle Net Service · Windows

Five high-severity CVEs today, none exploited in the wild yet, but a couple deserve your attention before the weekend. The Go SSH known_hosts library is silently ignoring @revoked markers (CVE-2026-42508, CVSS 9.1), which means any host key you thought you revoked still passes validation. If your tooling uses Go's SSH libraries for host trust, that safety net has a hole in it. NGINX's rewrite module also picked up a CVSS 8.1 access-control bypass that's worth patching fast given how many configs touch rewrite rules.
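The digest's point about CVE-2026-42508 is that a `@revoked` line in known_hosts is only a safety net if the parser honours it. The stdlib-only Go program below is an added example, not code from the newsletter or from Go's x/crypto/ssh: it parses a known_hosts file and reports a key as revoked before any trusting line is consulted, handling both plain comma-separated host fields and hashed `|1|salt|hmac` fields. Host names, key blobs and the salt are constructed placeholders, and the decision to reject a key found on any `@revoked` line regardless of host match is this example's own, deliberately stricter than a host-scoped lookup.

```go
package main

import (
	"bufio"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// Verdict is the outcome of looking up a (host, key) pair in a known_hosts file.
type Verdict string

const (
	Unknown Verdict = "unknown" // no line for this host carries this key
	Trusted Verdict = "trusted" // an unmarked line for this host carries this key
	Revoked Verdict = "revoked" // the key sits on an @revoked line: never accept it
)

// hostMatches reports whether host matches one known_hosts host field: either a
// comma-separated list of names/addresses or a hashed "|1|<salt>|<hmac>" field.
func hostMatches(field, host string) bool {
	if strings.HasPrefix(field, "|1|") {
		parts := strings.Split(field, "|") // "", "1", salt, hmac
		if len(parts) != 4 {
			return false
		}
		salt, err1 := base64.StdEncoding.DecodeString(parts[2])
		want, err2 := base64.StdEncoding.DecodeString(parts[3])
		if err1 != nil || err2 != nil {
			return false
		}
		mac := hmac.New(sha1.New, salt)
		mac.Write([]byte(host))
		return hmac.Equal(mac.Sum(nil), want)
	}
	for _, name := range strings.Split(field, ",") {
		if name == host {
			return true
		}
	}
	return false
}

// HashedHost renders host in the "|1|salt|hmac" form written by HashKnownHosts.
func HashedHost(host string, salt []byte) string {
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(host))
	return "|1|" + base64.StdEncoding.EncodeToString(salt) + "|" +
		base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Lookup scans known_hosts text for the presented key (type and base64 blob).
// Design choice of this example: a key on any @revoked line is Revoked even when
// the host field does not match, which is stricter than a host-scoped lookup.
// @cert-authority lines are ignored because only plain host keys are handled.
func Lookup(knownHosts, host, keyType, keyBlob string) Verdict {
	verdict := Unknown
	sc := bufio.NewScanner(strings.NewReader(knownHosts))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		marker := ""
		if strings.HasPrefix(f[0], "@") {
			marker, f = f[0], f[1:]
		}
		if len(f) < 3 || f[1] != keyType || f[2] != keyBlob {
			continue // different key (or malformed line): irrelevant to this check
		}
		if marker == "@revoked" {
			return Revoked // revocation wins over any trusting line
		}
		if marker == "" && hostMatches(f[0], host) {
			verdict = Trusted
		}
	}
	return verdict
}

// SampleKnownHosts is a constructed file with placeholder key blobs (not real
// keys): the old build-host key is revoked and a hashed line trusts the new one.
func SampleKnownHosts() string {
	salt := []byte("constructed-20B-salt") // 20 bytes, the length ssh-keygen uses
	return strings.Join([]string{
		"# constructed sample, not a real known_hosts file",
		"build.example.internal,10.0.0.5 ssh-ed25519 CONSTRUCTEDOLDKEYBLOB",
		"@revoked build.example.internal ssh-ed25519 CONSTRUCTEDOLDKEYBLOB",
		HashedHost("build.example.internal", salt) + " ssh-ed25519 CONSTRUCTEDNEWKEYBLOB",
	}, "\n")
}

func main() {
	kh := SampleKnownHosts()
	for _, blob := range []string{"CONSTRUCTEDOLDKEYBLOB", "CONSTRUCTEDNEWKEYBLOB"} {
		fmt.Printf("%s -> %s\n", blob, Lookup(kh, "build.example.internal", "ssh-ed25519", blob))
	}
}
```

Until the patched library is rolled out, a check like this can run as an independent audit beside the library's own HostKeyCallback: whatever the library decides, a key that appears on an `@revoked` line comes back as revoked here. It deliberately handles only plain host keys and skips `@cert-authority` lines.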


Today's CVEs

Sorted by urgency

02. CVE-2026-9256
CVSS 8.1 (MSRC) · EPSS 0.18%
Patch within 24h · HIGH
Affects: NGINX · Linux

A vulnerability in NGINX's rewrite module (ngx_http_rewrite_module) could let an attacker abuse rewrite rules to bypass access controls or trigger unexpected behavior. Details are sparse, but the CVSS 8.1 and the fact that this sits in the rewrite module, which almost every NGINX config uses, make it worth patching quickly. Not yet exploited in the wild.

Included because: internet-facing; common product; CVSS 8.1; rewrite module is ubiquitous
Affected estate: Azure Linux 3.0 systems running nginx 1.28.3-1
How to check: Run `nginx -v` or `tdnf list installed nginx` and confirm the installed version.
Action: Run `tdnf update nginx` and restart the service.
Urgency: Patch within 24 hours
Why it matters: The rewrite module is enabled in nearly every NGINX deployment, so the blast radius is wide if this is weaponized.
Source: Azure Linux 3.0 advisory


03. CVE-2025-71305
CVSS 9.8 (MSRC) · EPSS 0.02%
Patch this week · CRITICAL
Affects: Linux Kernel · Linux

A missing check for zero VCPI (Virtual Channel Payload Identifier) in the kernel's DisplayPort MST (Multi-Stream Transport) code can cause a crash or memory corruption. Despite the CVSS 9.8, this is a local kernel bug in the display subsystem. You'd need a malicious or buggy MST display device connected to trigger it. If you're running headless Azure Linux VMs with no display hardware, the real-world risk is low.

Included because: CVSS 9.8; kernel-level bug; mitigated by hardware requirement on most cloud workloads
Affected estate: Azure Linux 3.0 systems running kernel 6.6.139.1-1
How to check: Run `uname -r` and confirm the running kernel version.
Action: Run `tdnf update kernel`, then schedule a reboot.
Urgency: Patch this week
Why it matters: On systems with DisplayPort MST hardware, this could cause kernel panics or potential code execution, but headless servers are not practically exposed.
Source: Azure Linux 3.0 advisory


04. CVE-2026-42496
CVSS 9.1 (MSRC) · EPSS 0.04%
Patch within 24h · CRITICAL
Affects: Perl · Archive::Tar · Linux

Archive::Tar for Perl (versions before 3.08) follows symlinks during extraction without validating the target path. An attacker who crafts a malicious tar archive can write or overwrite files anywhere on the filesystem that the extracting process can reach. If any of your automation or CI pipelines extract untrusted tar files using Perl's Archive::Tar, this is a path traversal straight to arbitrary file write.

Included because: unauthenticated; CVSS 9.1; common scripting language; symlink attacks are well-understood and easy to exploit
Affected estate: Azure Linux 3.0 systems with perl 5.38.2-509 installed; any system using Archive::Tar < 3.08
How to check: Run `perl -MArchive::Tar -e 'print $Archive::Tar::VERSION'` to check the module version.
Action: Run `tdnf update perl` or install Archive::Tar >= 3.08 from CPAN.
Urgency: Patch within 24 hours
Why it matters: Arbitrary file write via symlink traversal can lead to full system compromise if archives from untrusted sources are extracted.
Source: Azure Linux 3.0 advisory

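The defensive pattern for the Archive::Tar class of bug, shown as an added example in Go's standard library rather than Perl (this is not Archive::Tar's code nor the fix it shipped): refuse link members outright and reject any member whose cleaned path resolves outside the destination directory, so nothing can be written through a symlink that points out of the tree. The two in-memory archives are constructed fixtures; the first has the shape the advisory describes, a symlink out of the tree followed by a regular file addressed through it.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry is returned for any archive member that must not be extracted.
var ErrUnsafeEntry = errors.New("unsafe tar entry")

// safeJoin resolves name under dest and rejects results that leave dest.
// filepath.Join cleans "..", so "a/../../x" collapses before the prefix test.
func safeJoin(dest, name string) (string, error) {
	p := filepath.Join(dest, name)
	if p != dest && !strings.HasPrefix(p, dest+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrUnsafeEntry, name, dest)
	}
	return p, nil
}

// ExtractSafe writes directories and regular files from r under dest and returns
// the member names written. Symlinks and hard links are refused, so a later
// member cannot be written "through" a link that points outside dest.
func ExtractSafe(r io.Reader, dest string) ([]string, error) {
	dest = filepath.Clean(dest)
	var written []string
	tr := tar.NewReader(r)
	for {
		h, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeJoin(dest, h.Name)
		if err != nil {
			return written, err
		}
		switch h.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, h.Name)
		case tar.TypeSymlink, tar.TypeLink:
			return written, fmt.Errorf("%w: %q is a link to %q", ErrUnsafeEntry, h.Name, h.Linkname)
		default:
			return written, fmt.Errorf("%w: %q has unsupported type %q", ErrUnsafeEntry, h.Name, h.Typeflag)
		}
	}
}

// MaliciousArchive is constructed test data (not a real-world sample): a symlink
// pointing outside the destination, then a regular file addressed through it.
func MaliciousArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "out", Typeflag: tar.TypeSymlink, Linkname: "../outside", Mode: 0o777})
	body := []byte("constructed\n")
	tw.WriteHeader(&tar.Header{Name: "out/escape.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.Close()
	return buf.Bytes()
}

// BenignArchive is constructed test data containing one ordinary file.
func BenignArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("hello\n")
	tw.WriteHeader(&tar.Header{Name: "docs/readme.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "safe-extract") // always extract into a fresh, empty directory
	defer os.RemoveAll(dest)
	for name, data := range map[string][]byte{"malicious": MaliciousArchive(), "benign": BenignArchive()} {
		written, err := ExtractSafe(bytes.NewReader(data), dest)
		fmt.Printf("%s: written=%v err=%v\n", name, written, err)
	}
}
```

One caveat the code cannot remove: refusing links inside the archive does not help if the destination already contains symlinks left by an earlier extraction, which is why `main` extracts into a fresh temporary directory. The same two rules (no links, cleaned path must stay under the destination) apply to any extractor, including a Perl script that walks `$tar->get_files` itself instead of calling `extract`.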

05. CVE-2026-46833
CVSS 9.0 (NVD)
Patch within 24h · CRITICAL
Affects: Oracle Database Server · Oracle Net Service · Windows · Linux

An unauthenticated attacker with network access via TLS can potentially take over the Oracle Database Net Service component, and successful exploitation can pivot to affect other products (scope change). The catch: it's rated high complexity, meaning it's hard to pull off. Still, a CVSS 9.0 with no auth required on a network-facing database listener is not something to sit on.

Included because: unauthenticated; network-accessible via TLS; CVSS 9.0 with scope change; database listeners are commonly internet or network exposed
Affected estate: Oracle Database Server versions 23.4.0 through 23.26.2, specifically the Net Service (listener) component
How to check: Query `SELECT VERSION_FULL FROM V$INSTANCE;` or run `lsnrctl version` to confirm the database and listener versions.
Action: Apply the latest Oracle Critical Patch Update for Database Server 23.x from Oracle Support.
Urgency: Patch within 24 hours
Why it matters: Unauthenticated full takeover of the Net Service with scope change means an attacker could pivot from the listener to other components or services.
Source: Oracle Critical Patch Update advisory


