Known Issues

Bug ID | Title | Description
57036 | OS Package Vulnerabilities Scheduled for Future Patches | CVEs identified before 18th June:
CVE-2025-23419, CVE-2022-41742, CVE-2024-7347, CVE-2022-41741 (nginx)
These NGINX-related vulnerabilities require specific configurations, such as multiple server blocks using client certificate authentication (CVE-2025-23419), enabling HTTP/2 (CVE-2022-41742), the use of the mp4 directive (CVE-2024-7347), or the presence of Go-based components (CVE-2022-41741). In the Accops HySecure environment, none of these conditions are met. As a result, these CVEs are not exploitable. This fix is deferred due to the impact on product functionality.
CVE-2025-4598 (systemd)
This vulnerability in systemd-coredump allows local information disclosure due to a race condition during core dump handling. In the Accops HySecure environment, core dump storage is disabled, and there are no unprivileged users, making exploitation unlikely. This fix is deferred due to the impact on product functionality.
CVE-2025-5283 (Firefox/libvpx)
CVE-2025-5283 lies in the libvpx package's handling of video bitstreams, where specially crafted input can trigger memory corruption, potentially leading to denial-of-service or code execution in applications such as browsers. While libvpx is installed on the HySecure server, it is not used for video playback and is not exposed to external input. Since HySecure does not process video content, the vulnerability poses low risk. The package will be updated in the next patch as a precaution.
CVE-2025-47947 (mod_security)
Although HySecure utilizes the mod_security module, the vulnerable sanitiseMatchedBytes rule is neither present nor active in its configuration. Additionally, HySecure does not perform JSON filtering through ModSecurity. Hence, CVE-2025-47947 is not applicable in the HySecure environment.
CVE-2025-5702, CVE-2025-4802 (glibc)
Though the glibc version is affected, HySecure has no unprivileged users or statically linked SUID binaries. All SUID binaries are dynamically linked, and non-root users have no shell access. Hence, these CVEs are not exploitable in HySecure. The glibc package will be updated in the next patch.
CVEs identified after 18th June:
CVE-2022-41741, CVE-2022-41742, CVE-2024-12718, CVE-2024-7347, CVE-2025-23419, CVE-2025-25724, CVE-2025-32462, CVE-2025-3576, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517, CVE-2025-4598, CVE-2025-47268, CVE-2025-6020
The CVEs listed above require either local access, specific configurations, or enabled features that are not present or exposed in HySecure. Hence, they are not exploitable in the current environment. These will be addressed in the upcoming patch cycle.
54198 | Upgrade Entry Missing for Active and Standby Nodes | After applying this release, the HySecure database may not have the upgrade entries for the Active and Standby nodes corresponding to this hotfix. However, the Admin log, the Upgrade log, and the upgrade entry in files will be available.
46950 | World Writable Files and Directories exist on HySecure | A few files and directories on the server have world-writable permissions (rw-rw-rw-). This is a low-risk, low-severity issue that requires additional evaluation and validation before modifying permissions to prevent any impact on functionality. However, the following compensating controls are in place to reduce risk exposure: no unprivileged users exist on the server who could exploit these permissions, and access to the server is restricted to authorized administrators only.
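
The glibc note under 57036 (no statically linked SUID binaries) and issue 46950 (world-writable files and directories) both describe conditions an administrator can re-check after each patch. The script below is an added example, not Accops tooling or code from this page. The function names are hypothetical, a missing PT_INTERP program header is taken to mean static linkage, and sticky directories such as /tmp are left out of the world-writable list by choice.

```python
import os, stat, struct, sys

PT_INTERP = 3  # program header type that names the dynamic loader

def elf_linkage(path):
    """Return 'dynamic', 'static', or None if path is not a readable ELF file."""
    try:
        with open(path, "rb") as f:
            ident = f.read(16)
            if len(ident) < 16 or ident[:4] != b"\x7fELF":
                return None
            order = "<" if ident[5] == 1 else ">"  # EI_DATA: byte order
            layout = "HHIQQQIHHHHHH" if ident[4] == 2 else "HHIIIIIHHHHHH"  # EI_CLASS
            hdr = struct.unpack(order + layout, f.read(struct.calcsize(order + layout)))
            phoff, phentsize, phnum = hdr[4], hdr[8], hdr[9]
            for i in range(phnum):
                f.seek(phoff + i * phentsize)
                if struct.unpack(order + "I", f.read(4))[0] == PT_INTERP:
                    return "dynamic"
            return "static"  # assumption: no PT_INTERP means static or static-PIE
    except (OSError, struct.error):
        return None

def audit(root):
    """Collect world-writable paths and statically linked SUID/SGID ELF files under root."""
    found = {"world_writable": [], "static_setid": []}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        entries = []
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                entries.append((name, path, os.lstat(path)))
            except OSError:
                continue  # vanished or unreadable while walking
        # stay on one filesystem so /proc, /sys and remote mounts are skipped
        dirnames[:] = [n for n, _, st in entries
                       if stat.S_ISDIR(st.st_mode) and st.st_dev == root_dev]
        for name, path, st in entries:
            mode = st.st_mode
            is_dir, is_file = stat.S_ISDIR(mode), stat.S_ISREG(mode)
            sticky_dir = is_dir and bool(mode & stat.S_ISVTX)  # e.g. /tmp, excluded by choice
            if mode & stat.S_IWOTH and (is_dir or is_file) and not sticky_dir:
                found["world_writable"].append(path)
            if is_file and mode & (stat.S_ISUID | stat.S_ISGID) and elf_linkage(path) == "static":
                found["static_setid"].append(path)
    return found

if __name__ == "__main__":
    for kind, paths in audit(sys.argv[1] if len(sys.argv) > 1 else "/").items():
        for p in paths:
            print(f"{kind}\t{p}")
```

An empty static_setid list is consistent with the statement that all SUID binaries are dynamically linked; the world_writable list gives the set of paths to evaluate before permissions are changed.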