From 6ba9c6e7dcf1d00de50989d105f0564c999f0a1c Mon Sep 17 00:00:00 2001 From: frederickjoi <153292280+frederickjoi@users.noreply.github.com> Date: Thu, 5 Sep 2024 12:34:24 -0700 Subject: [PATCH] 9-5-24 cve updates --- .../reports/cve-2021-46848.md | 42 +++++++++++++++++ .../reports/cve-2024-0760.md | 44 ++++++++++++++++++ .../reports/cve-2024-1737.md | 45 +++++++++++++++++++ .../reports/cve-2024-1975.md | 44 ++++++++++++++++++ .../reports/cve-2024-45490.md | 42 +++++++++++++++++ .../reports/cve-2024-45491.md | 42 +++++++++++++++++ .../reports/cve-2024-45492.md | 42 +++++++++++++++++ .../reports/cve-2024-6232.md | 42 +++++++++++++++++ .../reports/cve-2024-7592.md | 42 +++++++++++++++++ .../security-bulletins/reports/reports.md | 11 ++++- 10 files changed, 395 insertions(+), 1 deletion(-) create mode 100644 docs/docs-content/security-bulletins/reports/cve-2021-46848.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-0760.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-1737.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-1975.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-45490.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-45491.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-45492.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-6232.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-7592.md diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-46848.md b/docs/docs-content/security-bulletins/reports/cve-2021-46848.md new file mode 100644 index 0000000000..5e889f8330 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2021-46848.md @@ -0,0 +1,42 @@ +--- +sidebar_label: "CVE-2021-46848" +title: "CVE-2021-46848" +description: "Lifecycle of CVE-2021-46848" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2021-46848](https://nvd.nist.gov/vuln/detail/CVE-2021-46848) + +## Last Update + +9/5/24 + +## NIST CVE Summary + +GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der. + +## Our Official Summary + +This is a vulnerability reported in GNU Libtasn1 before version 4.19.0, a library used to manage the ASN.1 data structure. This vulnerability is caused by an off-by-one array size check issue, leading to an out-of-bounds read. Impacting systems using GNU Libtasn1 before 4.19.0. Waiting on an upstream fix. + +## CVE Severity + +[9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-46848) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.14 + +## Revision History + +- 1.0 09/05/2024 Initial Publication +- 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-0760.md b/docs/docs-content/security-bulletins/reports/cve-2024-0760.md new file mode 100644 index 0000000000..55e65f94c5 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-0760.md @@ -0,0 +1,44 @@ +--- +sidebar_label: "CVE-2024-0760" +title: "CVE-2024-0760" +description: "Lifecycle of CVE-2024-0760" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2024-0760](https://nvd.nist.gov/vuln/detail/CVE-2024-0760) + +## Last Update + +9/5/24 + +## NIST CVE Summary + +A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. + +## Our Official Summary + +A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after +the attack ceases. In order to exploit this vulnerability, image in which this cve is reported has to be compromised and hacker has to gain privileged access. There +are sufficient controls in place to consider the probability of occurrence as low. There is a fix available upstream and we are investigating upgrading to the fixed version. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0760) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.14 + +## Revision History + +- 1.0 09/05/2024 Initial Publication +- 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products \ No newline at end of file diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-1737.md b/docs/docs-content/security-bulletins/reports/cve-2024-1737.md new file mode 100644 index 0000000000..bf9cf0af5b --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-1737.md @@ -0,0 +1,45 @@ +--- +sidebar_label: "CVE-2024-1737" +title: "CVE-2024-1737" +description: "Lifecycle of CVE-2024-1737" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2024-1737](https://nvd.nist.gov/vuln/detail/CVE-2024-1737) + +## Last Update + +9/5/24 + +## NIST CVE Summary + +Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. + +## Our Official Summary + +This vulnerability can be exploited if resolver caches and authoritative zone databases hold significant numbers of RRs for the same hostname (of any RTYPE). Services will +suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. In order to exploit this vulenerability, image in +which this cve is reported has to be compromised and hacker has to gain privileged access. There are sufficient controls in place to consider the probability of occurence as +low. There is a fix available upstream and we are investigating upgrading to the fixed version. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1737) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.14 + +## Revision History + +- 1.0 09/05/2024 Initial Publication +- 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products \ No newline at end of file diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-1975.md b/docs/docs-content/security-bulletins/reports/cve-2024-1975.md new file mode 100644 index 0000000000..6475b43011 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-1975.md @@ -0,0 +1,44 @@ +--- +sidebar_label: "CVE-2024-1975" +title: "CVE-2024-1975" +description: "Lifecycle of CVE-2024-1975" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2024-1975](https://nvd.nist.gov/vuln/detail/CVE-2024-1975) + +## Last Update + +9/5/24 + +## NIST CVE Summary + +If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. + +## Our Official Summary + +This vulnerability can be exploited by a client only if a server hosts a zone containing a “KEY” Resource Record, or a resolver DNSSEC-validates a “KEY” Resource +Record from a DNSSEC-signed domain in cache. In order to exploit this vulenerability, image in which this cve is reported has to be compromised and hacker has to +gain privileged access. There are sufficient controls in place to consider the probability of occurence as low. There is a fix available upstream and we are investigating upgrading to the fixed version. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1975) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.14 + +## Revision History + +- 1.0 09/05/2024 Initial Publication +- 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products \ No newline at end of file diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-45490.md b/docs/docs-content/security-bulletins/reports/cve-2024-45490.md new file mode 100644 index 0000000000..4c1432e9a5 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-45490.md @@ -0,0 +1,42 @@ +--- +sidebar_label: "CVE-2024-45490" +title: "CVE-2024-45490" +description: "Lifecycle of CVE-2024-45490" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2024-45490](https://nvd.nist.gov/vuln/detail/CVE-2024-45490) + +## Last Update + +9/5/24 + +## NIST CVE Summary + +An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. + +## Our Official Summary + +Our official summary coming soon. + +## CVE Severity + +[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45490) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.14 + +## Revision History + +- 1.0 09/05/2024 Initial Publication +- 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products \ No newline at end of file diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-45491.md b/docs/docs-content/security-bulletins/reports/cve-2024-45491.md new file mode 100644 index 0000000000..f5648dd2a7 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-45491.md @@ -0,0 +1,42 @@ +--- +sidebar_label: "CVE-2024-45491" +title: "CVE-2024-45491" +description: "Lifecycle of CVE-2024-45491" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2024-45491](https://nvd.nist.gov/vuln/detail/CVE-2024-45491) + +## Last Update + +9/5/24 + +## NIST CVE Summary + +An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). + +## Our Official Summary + +Our official summary coming soon. + +## CVE Severity + +[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45491) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.14 + +## Revision History + +- 1.0 09/05/2024 Initial Publication +- 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products \ No newline at end of file diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-45492.md b/docs/docs-content/security-bulletins/reports/cve-2024-45492.md new file mode 100644 index 0000000000..589b18c5c3 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-45492.md @@ -0,0 +1,42 @@ +--- +sidebar_label: "CVE-2024-45492" +title: "CVE-2024-45492" +description: "Lifecycle of CVE-2024-45492" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2024-45492](https://nvd.nist.gov/vuln/detail/CVE-2024-45492) + +## Last Update + +9/5/24 + +## NIST CVE Summary + +An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). + +## Our Official Summary + +Our official summary coming soon. + +## CVE Severity + +[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45492) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.14 + +## Revision History + +- 1.0 09/05/2024 Initial Publication +- 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products \ No newline at end of file diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-6232.md b/docs/docs-content/security-bulletins/reports/cve-2024-6232.md new file mode 100644 index 0000000000..88c5563558 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-6232.md @@ -0,0 +1,42 @@ +--- +sidebar_label: "CVE-2024-6232" +title: "CVE-2024-6232" +description: "Lifecycle of CVE-2024-6232" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2024-6232](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) + +## Last Update + +9/5/24 + +## NIST CVE Summary + +There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. + +## Our Official Summary + +Our official summary coming soon. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.14 + +## Revision History + +- 1.0 09/05/2024 Initial Publication +- 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products \ No newline at end of file diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-7592.md b/docs/docs-content/security-bulletins/reports/cve-2024-7592.md new file mode 100644 index 0000000000..9cb4befece --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-7592.md @@ -0,0 +1,42 @@ +--- +sidebar_label: "CVE-2024-7592" +title: "CVE-2024-7592" +description: "Lifecycle of CVE-2024-7592" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2024-7592](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) + +## Last Update + +9/5/24 + +## NIST CVE Summary + +There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. + +## Our Official Summary + +Some problematic patterns and their application can lead to exponential time complexity under certain conditions, akin to a Regular Expression Denial of Service (ReDoS) attack. Investigating to see if there is a upstream fix available. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) + +## Status + +Ongoing + +## Affected Products & Versions + +- Palette VerteX 4.4.14 + +## Revision History + +- 1.0 09/05/2024 Initial Publication +- 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products \ No newline at end of file diff --git a/docs/docs-content/security-bulletins/reports/reports.md b/docs/docs-content/security-bulletins/reports/reports.md index 718fcf8779..ec8ac585e8 100644 --- a/docs/docs-content/security-bulletins/reports/reports.md +++ b/docs/docs-content/security-bulletins/reports/reports.md @@ -77,8 +77,17 @@ Click on the CVE ID to view the full details of the vulnerability. | [CVE-2012-2663](./cve-2012-2663.md) | 08/16/24 | 08/16/24 | Palette 4.4.14 | Third-party component: iPtables | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2012-2663) | :mag: Ongoing | | [CVE-2019-9192](./cve-2019-9192.md) | 08/16/24 | 08/16/24 | Palette 4.4.14 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192) | :mag: Ongoing | | [CVE-2018-20796](./cve-2018-20796.md) | 08/16/24 | 08/16/24 | Palette 4.4.14 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796) | :mag: Ongoing | -| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 10/25/23 | Palette 4.4.11 & 4.4.14 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing | +| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 10/25/23 | Palette 4.4.11 & 4.4.14 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing | | [CVE-2024-35325](./cve-2024-35325.md) | 08/27/24 | 08/30/24 | Palette 4.4.14 | Third-party component: Libyaml | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-35325) | :white_check_mark: Resolved | | [CVE-2024-6197](./cve-2024-6197.md) | 08/27/24 | 08/30/24 | Palette 4.4.14 | Third-party component: Libcurl | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6197) | :mag: Ongoing | | [CVE-2024-37371](./cve-2024-37371.md) | 08/30/24 | 08/30/24 | Palette 4.4.14 | Third-party component: MIT Kerberos | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-37371) | :mag: Ongoing | | [CVE-2024-37370](./cve-2024-37370.md) | 08/30/24 | 08/30/24 | Palette 4.4.14 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-37370) | :mag: Ongoing | +| [CVE-2021-46848](./cve-2021-46848.md) | 9/5/24 | 9/5/24 | Palette 4.4.14 | Third-party component: GNU Libtasn1 | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-46848) | :mag: Ongoing | +| [CVE-2024-7592](./cve-2024-7592.md) | 9/5/24 | 9/5/24 | Palette 4.4.14 | Third-party component: CPython | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) | :mag: Ongoing | +| [CVE-2024-1737](./cve-2024-1737.md) | 9/5/24 | 9/5/24 | Palette 4.4.14 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1737) | :mag: Ongoing | +| [CVE-2024-0760](./cve-2024-0760.md) | 9/5/24 | 9/5/24 | Palette 4.4.14 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0760) | :mag: Ongoing | +| [CVE-2024-1975](./cve-2024-1975.md) | 9/5/24 | 9/5/24 | Palette 4.4.14 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1975) | :mag: Ongoing | +| [CVE-2024-45490](./cve-2024-45490.md) | 9/5/24 | 9/5/24 | Palette 4.4.14 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45490) | :mag: Ongoing | +| [CVE-2024-45491](./cve-2024-45491.md) | 9/5/24 | 9/5/24 | Palette 4.4.14 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45491) | :mag: Ongoing | +| [CVE-2024-45492](./cve-2024-45492.md) | 9/5/24 | 9/5/24 | Palette 4.4.14 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45492) | :mag: Ongoing | +| [CVE-2024-6232](./cve-2024-6232.md) | 9/5/24 | 9/5/24 | Palette 4.4.14 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) | :mag: Ongoing | \ No newline at end of file