docs: 9-15-24 palette cve updates (#3930)
* 9-15-24 palette cve updates

* ci: auto-formatting prettier issues

* chore: fixed symbol issues

* chore: fix redirect

* chore: vale fixes

---------

Co-authored-by: frederickjoi <[email protected]>
Co-authored-by: Karl Cardenas <[email protected]>
(cherry picked from commit 8fe8d40)
frederickjoi committed Sep 17, 2024
1 parent 0436e06 commit 5a8f806
Showing 27 changed files with 819 additions and 13 deletions.
@@ -7,7 +7,7 @@ hide_table_of_contents: false
sidebar_position: 30
---

An Add-on Pack defines deployment specifics of a Kubernetes application to be installed on a running Kubernetes cluster.
An Add-on Pack defines deployment specifics of a Kubernetes application to be installed on an active Kubernetes cluster.
Palette provides several Add-on packs out of the box for various layers of the Kubernetes stack. For example:

- **Logging** - elastic search, fluentd
@@ -18,7 +18,7 @@ tags: ["security", "cve"]

## NIST CVE Summary

In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in
In SQLite 3.27.2, using fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in
fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.

## Our Official Summary
46 changes: 46 additions & 0 deletions docs/docs-content/security-bulletins/reports/cve-2022-28357.md
@@ -0,0 +1,46 @@
---
sidebar_label: "CVE-2022-28357"
title: "CVE-2022-28357"
description: "Lifecycle of CVE-2022-28357"
hide_table_of_contents: true
sidebar_class_name: "hide-from-sidebar"
toc_max_heading_level: 2
tags: ["security", "cve"]
---

## CVE Details

[CVE-2022-28357](https://nvd.nist.gov/vuln/detail/CVE-2022-28357)

## Last Update

09/15/2024

## NIST CVE Summary

NATS `nats-server` 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action
from a management account.

## Our Official Summary

A vulnerability was found in NATS nats-server up to 2.7.4. The product uses external input to construct a pathname that
is intended to identify a file or directory that is located underneath a restricted parent directory, but the product
does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location
that is outside of the restricted directory. Upgrade of the nats server is needed to fix this vulnerability.

## CVE Severity

[9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-28357)

## Status

Ongoing

## Affected Products & Versions

- Palette VerteX 4.4.18

## Revision History

- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products
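Review bot: the Official Summary in this hunk ("A vulnerability was found in NATS nats-server up to 2.7.4 ... Upgrade of the nats server is needed") is a generic path-traversal description and never says which Palette VerteX 4.4.18 component bundles nats-server or whether the bundled build falls in the 2.2.0 through 2.7.4 range given in the NIST text; add that so a reader can judge exposure. The summary says an upgrade is needed while Status reads "Ongoing", so state whether the upgrade is scheduled or already shipped. Minor: "Added palette VerteX 4.4.18" should read "Palette VerteX", matching the Affected Products entry, and a newly added file carrying both a 1.0 and a 2.0 revision on the same date looks like a copy-paste; confirm the 2.0 entry is intended.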
43 changes: 43 additions & 0 deletions docs/docs-content/security-bulletins/reports/cve-2022-28948.md
@@ -0,0 +1,43 @@
---
sidebar_label: "CVE-2022-28948"
title: "CVE-2022-28948"
description: "Lifecycle of CVE-2022-28948"
hide_table_of_contents: true
sidebar_class_name: "hide-from-sidebar"
toc_max_heading_level: 2
tags: ["security", "cve"]
---

## CVE Details

[CVE-2022-28948](https://nvd.nist.gov/vuln/detail/CVE-2022-28948)

## Last Update

09/15/2024

## NIST CVE Summary

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid
input.

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.

## CVE Severity

[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948)

## Status

Ongoing

## Affected Products & Versions

- Palette VerteX 4.4.18

## Revision History

- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products
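Review bot: Affected Products lists Palette VerteX 4.4.18 while the Official Summary still reads "Investigation is ongoing to determine how this vulnerability affects our products"; listing a product as affected before the investigation concludes is contradictory. Either name the image or component in which the vulnerable Go-Yaml v3 dependency was detected (the crash in Unmarshal only matters where untrusted YAML is parsed), or keep the product out of Affected Products until that is known. Also "Added palette VerteX" should be "Palette VerteX", and the "09/15/2024" Last Update format differs from the "9/15/24" form used in the existing bulletins touched by this same commit; pick one.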
45 changes: 45 additions & 0 deletions docs/docs-content/security-bulletins/reports/cve-2022-41724.md
@@ -0,0 +1,45 @@
---
sidebar_label: "CVE-2022-41724"
title: "CVE-2022-41724"
description: "Lifecycle of CVE-2022-41724"
hide_table_of_contents: true
sidebar_class_name: "hide-from-sidebar"
toc_max_heading_level: 2
tags: ["security", "cve"]
---

## CVE Details

[CVE-2022-41724](https://nvd.nist.gov/vuln/detail/CVE-2022-41724)

## Last Update

09/15/2024

## NIST CVE Summary

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records
which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3
clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil
value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.

## CVE Severity

[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724)

## Status

Ongoing

## Affected Products & Versions

- Palette VerteX 4.4.18

## Revision History

- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products
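Review bot: the NIST text spells out the conditions that trigger the crypto/tls panic (TLS 1.3 clients, TLS 1.2 clients with Config.ClientSessionCache set, TLS 1.3 servers with Config.ClientAuth >= RequestClientCert), but the Official Summary is the placeholder sentence and Affected Products already names Palette VerteX 4.4.18. State which Go-built component was flagged and which of those three configurations it matches; if none matches, say so, since that changes the practical severity from the 7.5 score quoted. Capitalize "palette" in the 2.0 revision entry.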
59 changes: 59 additions & 0 deletions docs/docs-content/security-bulletins/reports/cve-2022-41725.md
@@ -0,0 +1,59 @@
---
sidebar_label: "CVE-2022-41725"
title: "CVE-2022-41725"
description: "Lifecycle of CVE-2022-41725"
hide_table_of_contents: true
sidebar_class_name: "hide-from-sidebar"
toc_max_heading_level: 2
tags: ["security", "cve"]
---

## CVE Details

[CVE-2022-41725](https://nvd.nist.gov/vuln/detail/CVE-2022-41725)

## Last Update

09/15/2024

## NIST CVE Summary

A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form
parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also
affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and
PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved
for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The
unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector
on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry
overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition,
ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a
large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and
should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware
that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary
file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation
states, "If stored on disk, the File's underlying concrete type will be an \*os.File.". This is no longer the case when
a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of
using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct.
Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk
consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.

## CVE Severity

[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725)

## Status

Ongoing

## Affected Products & Versions

- Palette VerteX 4.4.18

## Revision History

- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products
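Review bot: the NIST text quoted here names the available mitigation ("Callers can limit the size of form data with http.MaxBytesReader") and the GODEBUG=multipartfiles=distinct switch, yet the Official Summary is the placeholder while Palette VerteX 4.4.18 is listed as affected. The summary should say which service parses multipart forms and whether its request bodies are already bounded, because that decides whether the memory and temp-file exhaustion described is reachable. Keep the backslash in "\*os.File" only if this page renders through a Markdown engine that would otherwise treat the asterisk as emphasis; otherwise drop it so the quoted text matches the NIST wording. Capitalize "palette" in the 2.0 entry.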
@@ -27,7 +27,12 @@ HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16,

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.
This CVE is a vulnerability affecting certain versions of Python, specifically those before version 3.11.1. The issue
lies in an unnecessary quadratic algorithm in one path when processing some inputs to the IDNA (RFC 3490) decoder. This
can lead to slow execution times and potential denial of service attacks on systems using affected Python versions.
Systems that utilize Python's idna module for decoding large strings, such as web servers or applications handling
user-provided hostnames, may be impacted by this vulnerability. There is no known workaround for this vulnerability.
Python version needs to be upgraded in the images reported.

## CVE Severity

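Review bot: the new summary's version scope is wrong: it says the affected versions are "specifically those before version 3.11.1", but the unchanged context line above states the fix is planned in 3.11.1, 3.10.9, 3.9.16 and later releases on each branch, so 3.10.9 and 3.9.16 are fixed even though they are "before 3.11.1". Reword to "Python releases before 3.11.1, 3.10.9, 3.9.16 and the corresponding fixed releases of older branches". Also "Python's idna module" is imprecise given the NIST wording "IDNA (RFC 3490) decoder"; the vulnerable code is the standard library IDNA codec, and "idna module" reads like the separate third-party idna package, so say "the standard library IDNA codec" instead. Finally, "the images reported" does not identify which images; name them or link to the scan results as the other bulletins in this commit should.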
@@ -14,15 +14,18 @@ tags: ["security", "cve"]

## Last Update

9/13/24
9/15/24

## NIST CVE Summary

A use-after-free exists in Python through 3.9 via heappushpop in heapq.

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.
This CVE affects python versions upto 3.9. The use-after-free vulnerability in Python's heapq module allows an attacker
to manipulate memory after it has been freed, potentially leading to arbitrary code execution or a denial of service.
This vulnerability can be exploited by carefully crafting a malicious input that triggers the use-after-free condition.
There is no known workaround for this vulnerability. Python version needs to be upgraded in the images reported.

## CVE Severity

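Review bot: "python versions upto 3.9" should read "Python versions up to and including 3.9", matching the NIST wording "through 3.9" (and capitalize Python as elsewhere on the page). The added sentence "potentially leading to arbitrary code execution" goes beyond what the NIST summary in this hunk supports, which only states a use-after-free via heappushpop in heapq; either cite the source for the code-execution claim or limit the summary to what NVD states. Also, this hunk changes Last Update from "9/13/24" to "9/15/24" while the new bulletins added in the same commit use "09/15/2024"; align the date format across the security-bulletins directory.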
@@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

9/13/24
9/15/24

## NIST CVE Summary

@@ -23,7 +23,11 @@ declarations in XML plist files to avoid XML vulnerabilities.

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.
This CVE affects users of Python versions up to 3.9.1. This issue lies in the plistlib module, which used to accept
entity declarations in XML plist files, making it susceptible to XXE attacks. This vulnerability is not listed in CISA's
Known Exploited Vulnerabilities Catalog. The possibility of this vulnerability getting exploited in Spectro Cloud
products is low. Need an update from the 3rd party vendor to fix the vulnerability. Investigating possibility of
updating python version to fix this vulnerability.

## CVE Severity

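Review bot: "Need an update from the 3rd party vendor to fix the vulnerability" names no vendor, and it sits next to "Investigating possibility of updating python version", which is a sentence fragment and partly contradicts the first statement (if Python is upgraded in the image, no vendor update is needed). Name the vendor or component, and use the same closing wording as the other Python bulletins in this commit ("Python version needs to be upgraded in the images reported") unless the situation really differs. The CISA KEV statement is a point-in-time check, so tie it to the 9/15/24 Last Update ("as of ..."). Also, the summary should state whether any Palette component actually parses XML plist files with plistlib, since that is what makes the XXE reachable.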
@@ -23,7 +23,10 @@ supplying a URL that starts with blank characters.

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.
An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by
supplying a URL that starts with blank characters. urlparse has a parsing problem when the entire URL starts with blank
characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods
to fail. Python version needs to be upgraded in the images reported.

## CVE Severity

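Review bot: the new Official Summary largely repeats the NIST summary (the context line above ends with the same "supplying a URL that starts with blank characters" sentence) instead of adding product impact. What a reader needs here is whether any Palette code path uses urllib.parse results for scheme or hostname blocklisting, which is the only case in which the bypass matters, plus which images are "the images reported". Keep the NIST text in its own section and limit this section to that assessment and the remediation.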
47 changes: 47 additions & 0 deletions docs/docs-content/security-bulletins/reports/cve-2023-24534.md
@@ -0,0 +1,47 @@
---
sidebar_label: "CVE-2023-24534"
title: "CVE-2023-24534"
description: "Lifecycle of CVE-2023-24534"
hide_table_of_contents: true
sidebar_class_name: "hide-from-sidebar"
toc_max_heading_level: 2
tags: ["security", "cve"]
---

## CVE Details

[CVE-2023-24534](https://nvd.nist.gov/vuln/detail/CVE-2023-24534)

## Last Update

09/15/2024

## NIST CVE Summary

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading
to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME
headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this
behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory
exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold
parsed headers.

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.

## CVE Severity

[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534)

## Status

Ongoing

## Affected Products & Versions

- Palette VerteX 4.4.18

## Revision History

- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products
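Review bot: same issue as the other new bulletins in this commit: the Official Summary is the placeholder sentence while Palette VerteX 4.4.18 is already under Affected Products. For this CVE the relevant question is which Go-built HTTP-facing services in VerteX parse untrusted HTTP or MIME headers and whether they are built with the fixed Go toolchain; record that, or defer the Affected Products entry until it is known. Capitalize "palette" in the 2.0 revision entry.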
56 changes: 56 additions & 0 deletions docs/docs-content/security-bulletins/reports/cve-2023-24536.md
@@ -0,0 +1,56 @@
---
sidebar_label: "CVE-2023-24536"
title: "CVE-2023-24536"
description: "Lifecycle of CVE-2023-24536"
hide_table_of_contents: true
sidebar_class_name: "hide-from-sidebar"
toc_max_heading_level: 2
tags: ["security", "cve"]
---

## CVE Details

[CVE-2023-24536](https://nvd.nist.gov/vuln/detail/CVE-2023-24536)

## Last Update

09/15/2024

## NIST CVE Summary

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large
numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed
multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs
than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large
numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers,
further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause
an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of
service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package
with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a
better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In
addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with
ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable
GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header
fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This
limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.

## CVE Severity

[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536)

## Status

Ongoing

## Affected Products & Versions

- Palette VerteX 4.4.18

## Revision History

- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products
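Review bot: the NIST text lists the knobs introduced by the fix (GODEBUG=multipartmaxparts= and GODEBUG=multipartmaxheaders=, with defaults of 1000 parts and 10,000 header fields), so the Official Summary should say whether the flagged VerteX component is built with a Go release that enforces those limits and whether it parses multipart forms at all; as written it is the placeholder sentence with the product already listed as affected. "an program" in the quoted NIST text is NVD's own typo; leave it if the section is meant to be a verbatim quote, otherwise fix to "a program" consistently across bulletins. Capitalize "palette" in the 2.0 entry.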