From bed734d3c6627573451df02341a7acc4e7f9280d Mon Sep 17 00:00:00 2001 From: Alagu Jeeva M Date: Fri, 20 Oct 2023 03:25:28 +0530 Subject: [PATCH] Included new CVE's (#1668) * Included new CVE's * Changes related to headings - Resolution/Patches * docs: laguage toches * docs: updated index table * security advisory 4.1.0 updates based on review comments - capture impact and impact versions - update patches and workarounds - and some formatting * chore: minor langauge fixes * chore: update layout --------- Co-authored-by: Karl Cardenas Co-authored-by: Fayas --- .../security/security-bulletins/cve-index.md | 9 + .../security-bulletins/cve-reports.md | 202 ++++++++++++------ 2 files changed, 146 insertions(+), 65 deletions(-) diff --git a/docs/docs-content/security/security-bulletins/cve-index.md b/docs/docs-content/security/security-bulletins/cve-index.md index b828004208..d3ce9ae0ed 100644 --- a/docs/docs-content/security/security-bulletins/cve-index.md +++ b/docs/docs-content/security/security-bulletins/cve-index.md @@ -13,6 +13,15 @@ The following is an index of all Palette-related CVEs and their disclosure year. ## 2023 +- [October 17, 2023 - CVE-2023-4911 Buffer Overflow in Dynamic Loader - 7.8 CVSS](cve-reports.md#october-17-2023---cve-2023-4911-buffer-overflow-in-dynamic-loader---78-cvss) + + +- [October 6, 2023 - CVE-2023-32002 NodeJS Modules Policy Bypass - 9.8 CVSS](cve-reports.md#october-6-2023---cve-2023-32002-nodejs-modules-policy-bypass---98-cvss) + + +- [September 25, 2023 - CVE-2023-42810 - NodeJS SSID Command Injection Vulnerability - 9.8 CVSS](cve-reports.md#september-25-2023---cve-2023-42810---nodejs-ssid-command-injection-vulnerability---98-cvss) + + - [September 01, 2023 - CVE-2023-22809 Sudo Vulnerability - 7.8 CVSS](cve-reports.md#september-01-2023---cve-2023-22809-sudo-vulnerability---78-cvss) 
diff --git a/docs/docs-content/security/security-bulletins/cve-reports.md b/docs/docs-content/security/security-bulletins/cve-reports.md index ba884e6175..660eeff2b3 100644 --- a/docs/docs-content/security/security-bulletins/cve-reports.md +++ b/docs/docs-content/security/security-bulletins/cve-reports.md @@ -5,6 +5,7 @@ description: "Security bulletins for Common Vulnerabilities and Exposures (CVEs) icon: "" hide_table_of_contents: false sidebar_position: 0 +toc_max_heading_level: 2 tags: ["security", "cve"] --- @@ -13,6 +14,7 @@ tags: ["security", "cve"] -## September 01, 2023 - CVE-2023-22809 Sudo Vulnerability - 7.8 CVSS +## October 11, 2023 - CVE-2023-44487 HTTP/2 Denial of Service - 7.5 CVSS + +The HTTP/2 protocol may be used to create a denial of service and cause a server to exhaust all of its allocated resources. A malicious HTTP/2 client which rapidly creates requests and +immediately resets them can cause excessive server resource consumption. + +#### Impact + +All Palette and VerteX releases prior to version 4.1.0 are impacted. The impact is largely mitigated as Palette and VerteX already have IP address based rate limit. + +#### Patches +Palette and Vertex version 4.1.0 includes the fix for all the services using HTTP/2 protocol. + +### Workarounds +No workaround available. Impact is largely mitigated by the rate limits on the API requests. Refer to the [API Rate Limit](/api/introduction#rate-limits) documentation for more information. + +#### References + +- [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) + +
+ +## October 17, 2023 - CVE-2023-4911 Buffer Overflow in Dynamic Loader - 7.8 CVSS + +A buffer overflow was discovered in the GNU C Library’s dynamic loader `ld.so` while processing the `GLIBC_TUNABLES` environment variable. This issue could allow a local attacker to use maliciously crafted `GLIBC_TUNABLES` environment variables when launching binaries with `SUID`` permission to execute code with elevated privileges. + +#### Impact + +All internal Palette and VerteX microservices are not impacted as the binaries are compiled using [musl](https://musl.libc.org). This vulnerability, from an OS perspective, cannot be exploited without a remote code execution exploit. + + +#### Patches +Release 4.1.0 include the security patch for the vulnerability. + +#### Workarounds + + +Self-hosted instances of Palette and VerteX need to upgrade to version 4.1.0 or greater. Tenant Clusters and Private Cloud Gateways can be patched using the on-demand or scheduled OS security patches apply feature. Refer to the [OS Patching](../../clusters/cluster-management/os-patching.md) documentation for more information. + +#### References + +- [CVE-2023-4911](https://nvd.nist.gov/vuln/detail/CVE-2023-4911) + +
+ +## October 6, 2023 - CVE-2023-32002 NodeJS Modules Policy Bypass - 9.8 CVSS + +The use of the Module library's `Module._load()` function can be used to bypass the defined policy mechanism and require external modules not defined in the **policy.json** file for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Note that at the time this CVE was issued, the policy is an experimental feature of Node.js. + +#### Impact +No impact since the impacted function is not used. + +#### Patches +Not Applicable + +#### Workarounds +Not Applicable + +#### References + +- [CVE-2023-32002](https://nvd.nist.gov/vuln/detail/CVE-2023-32002) + +
+ +## September 25, 2023 - CVE-2023-42810 - NodeJS SSID Command Injection Vulnerability - 9.8 CVSS + +The NodeJS system information library, `systeminformation`, has an SSID command injection vulnerability. The affected versions are v5.0.0 to v5.21.6. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to `wifiConnections()`, `wifiNetworks()`. + +#### Impact + +No impact since the impacted functions are not used. + +#### Patches +Not Applicable + +#### Workarounds +Not Applicable + + +#### References + +- [CVE-2023-42810](https://nvd.nist.gov/vuln/detail/CVE-2023-42810) + +
+ +## September 25, 2023 - CVE-2023-4863 Libwebp Programs Terminations - 8.8 CVSS + +A heap buffer overflow in the library, `libwebp`, allows a remote attacker to perform an out of bounds memory write via a crafted HTML page. This vulerability is present with the combination of Google Chrome prior to versions 116.0.5845.187 with `libwebp` version 1.3.2. This is Chromium security severity that is marked as Critical. + +#### Impact +No impact since `libwebp` is not used on any of the Palette container images. This vulnerability, from an OS perspective OS, a cannot be exploited without a remote code execution exploit. + +#### Patches + +Release 4.1.0 of self-hosted Palette and VerteX deployment include the security patch for the CVE. + +#### Workarounds +Self-hosted instances of Palette and VerteX need to upgrade to version 4.1.0 or greater. Tenant Clusters and Private Cloud Gateways can be patched using the on-demand or scheduled OS security patches apply feature. Refer to the [OS Patching](../../clusters/cluster-management/os-patching.md) documentation for more information. + +#### References + +- [CVE-2023-4863](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) + +
+ +## September 01, 2023 - CVE-2023-22809 Sudo Vulnerability - 7.8 CVSS The sudo program version 1.9.12p2 and earlier mishandles extra arguments passed in the user-provided environment variables `SUDO_EDITOR`, `VISUAL`, and `EDITOR` when the `sudoedit` command is executed. The mishandling allows a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain the `--` argument that defeats a protection mechanism. For example, an attacker may issue the following command `EDITOR='vim -- /path/to/extra/file` value. -
### Impact @@ -54,17 +159,15 @@ This vulnerability affects the following Palette components: - Clusters deployed with Palette versions older than 4.0.0 -
### Patches -For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the Operating System (OS). +For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the OS. -
### Workarounds -For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the [OS Patching](/clusters/cluster-management/os-patching) documentation for more information. +For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the [OS Patching](../../clusters/cluster-management/os-patching.md) documentation for more information.
@@ -81,7 +184,7 @@ For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand The PKCS#11 feature in the OpenSSH ssh-agent before version 9.3p2 has an insufficiently trustworthy search path. This may lead to remote code execution if an agent is forwarded to an attacker-controlled system. Code in the folder **/usr/lib** may be unsafe to load into the ssh-agent. This issue exists because of an incomplete fix for [CVE-2016-10009](https://nvd.nist.gov/vuln/detail/cve-2016-10009). -
+ ### Impact @@ -95,53 +198,49 @@ This vulnerability affects the following Palette components: - Clusters deployed with Palette versions older than 4.0.0 -
+ ### Patches - For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the Operating System (OS). -
+ ### Workarounds -- For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the [OS Patching](/clusters/cluster-management/os-patching) documentation for more information. +- For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the [OS Patching](../../clusters/cluster-management/os-patching.md) documentation for more information. + -
### References - [CVE-2023-38408](https://nvd.nist.gov/vuln/detail/CVE-2023-38408) +
## September 01, 2023 - CVE-2023-29400 - HTML Template Vulnerability Security Advisory - 7.3 CVSS When using Go templates with actions in unquoted HTML attributes, such as `attr={{.}}`, unexpected output may occur due to HTML normalization rules if invoked with an empty input. This may allow the injection of arbitrary attributes into tags. -
+ ### Impact No impact. We use the Go package [html/template](https://pkg.go.dev/html/template) and our HTML templates are static. Our templates do not contain characters mentioned in the CVE. We also do not accept or parse any provided user data - -
- -
- ### Patches Not applicable. -
+ ### Workarounds Not applicable. -
+ ### References @@ -150,33 +249,33 @@ Not applicable. - [GO-2023-1753](https://pkg.go.dev/vuln/GO-2023-1753) +
+ + ## September 01, 2023 - CVE-2023-24539 - HTML Template Vulnerability Security Advisory - 7.3 CVSS Angle brackets `<>` are not considered dangerous characters when inserted into Cascading Style Sheets (CSS) contexts. Go templates containing multiple actions separated by a `/` character can result in unexpectedly closing the CSS context and allowing for the injection of unexpected HTML if executed with untrusted input. -
+ ### Impact No impact. We use the Go package [html/template](https://pkg.go.dev/html/template) and our HTML templates are static. We also do not accept or parse any provided user data. -
- -
### Patches Not applicable. -
+ ### Workarounds Not applicable. -
+ ### References @@ -186,6 +285,7 @@ Not applicable. - [GO-2023-1751](https://pkg.go.dev/vuln/GO-2023-1751) +
## September 01, 2023 - CVE-2023-24538 - HTML Template Vulnerability - Security Advisory - 9.8 CVSS @@ -193,32 +293,28 @@ Go templates do not consider backticks as a Javascript string delimiter and, as Go template actions are disallowed from being used inside of them, for example, `"var a = {{.}}"` since there is no safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With this fix, `Template.Parse()` returns an error when it encounters templates containing actions with literal JavaScript. The ErrorCode has a value of 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the `GODEBUG flag jstmpllitinterp=1` with the caveat that backticks will now be escaped. -
+ ### Impact No impact. We use the Go package [html/template](https://pkg.go.dev/html/template) and our HTML templates are static. We also do not accept or parse any provided user data. -
+ ### Affected Products Not applicable. -
### Patches Not applicable. -
### Workarounds Not applicable. -
- ### References @@ -227,39 +323,34 @@ Not applicable. - [GO-2023-1703](https://pkg.go.dev/vuln/GO-2023-1703) +
+ ## September 01, 2023 - CVE-2023-29404 - CGO LDFLAGS Vulnerability Security Advisory - 9.8 CVSS The `go` command can execute any code during the build process when using cgo. This can happen when using `go get` command on a malicious module or any other command that builds untrusted code. It can also be triggered by linker flags specified through the `#cgo LDFLAGS` directive. The non-optional flags in LDFLAGS sanitization allow disallowed flags to be used with gc and gccgo compilers. -
### Impact No impact. This is not a runtime issue and we do not compile untrusted code. -
### Affected Products Not applicable. -
### Patches Not applicable. -
- ### Workarounds Not applicable. -
- ### References - [CVE-2023-29402](https://nvd.nist.gov/vuln/detail/CVE-2023-29402) @@ -267,37 +358,32 @@ Not applicable. - [GO-2023-1841](https://pkg.go.dev/vuln/GO-2023-1841) +
## September 01, 2023 - CVE-2023-29402 - Go Modules Vulnerability Security Advisory - 9.8 CVSS - The go command may generate unexpected code at build time when using cgo. Using unexpected code with cgo can cause unexpected behavior in Go programs. This may occur when an untrusted module contains directories with newline characters in their names. Go modules retrieved using the command `go get` are unaffected. Modules retrieved using the legacy module retrieve method with the environment variables `GOPATH` and `GO111MODULE=off` may be affected. -
### Impact No impact. This is not a runtime issue and we do not compile untrusted code. -
### Affected Products Not applicable. -
### Patches Not applicable. -
### Workarounds Not applicable. -
### References @@ -306,36 +392,33 @@ Not applicable. - [GO-2023-1839](https://pkg.go.dev/vuln/GO-2023-1839) +
+ ## September 01, 2023 - CVE-2023-29402 - Go get Vulnerability Security Advisory - 9.8 CVSS The go command may execute arbitrary code at build time when using cgo. The arbitrary code execution may occur when the command `go get` is issued on a malicious module or when using any other command that builds untrusted code. This can be triggered by linker flags specified via a `#cgo LDFLAGS directive`. Flags containing embedded spaces are mishandled, and disallowed flags are smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects the gccgo compiler. -
### Impact No impact. This is not a runtime issue and we do not compile untrusted code. -
### Affected Products Not applicable. -
### Patches Not applicable. -
### Workarounds Not applicable. -
### References @@ -346,25 +429,24 @@ Not applicable. - [GO-2023-1842](https://pkg.go.dev/vuln/GO-2023-1842) +
## September 01, 2023 - CVE-2023-24540 - HTML Template Security Advisory - 9.8 CVSS Not all valid JavaScript whitespace characters are considered to be whitespace. JavaScript templates containing whitespace characters outside of the character set `\t\n\f\r\u0020\u2028\u2029` may not be properly sanitized during execution. -
+ ### Impact No impact - We use the Go package [html/template](https://pkg.go.dev/html/template) but our HTML templates are static. We also do not accept or parse any provided user data. -
### Patches Not applicable. -
### Workarounds @@ -377,7 +459,7 @@ Not applicable. - [GO-2023-1752](https://pkg.go.dev/vuln/GO-2023-1752) - +
## March 20, 2023 - CVE-2023-22809 Sudo Vulnerability in Palette - 7.8 CVSS @@ -386,31 +468,29 @@ A security vulnerability in `sudo -e` option (aka *sudoedit*) allows a malicious All versions of Palette before v2.6.70 are affected. -
+ #### Impact A local user with permission to edit files can use this flaw to change a file not permitted by the security policy, resulting in privilege escalation. -
#### Resolution * For Palette SaaS, this has been addressed and requires no user action. * For ​​Palette self-hosted deployments, please upgrade to newer versions greater than or equal to v2.6.70 to address the reported vulnerability. -
#### Workarounds None. -
#### References * [CVE-2023-22809](https://nvd.nist.gov/vuln/detail/cve-2023-22809) +
## August 4, 2022 - CVE-2022-1292 c_rehash script vulnerability in vSphere CSI pack - 9.8 CVSS @@ -419,26 +499,18 @@ On May 3 2022, OpenSSL published a security advisory disclosing a command inject Palette is not directly affected by this vulnerability. However, if your cluster profile is using the vSphere CSI pack, version v2.3 or below, it contains a vulnerable version of the `c_rehash` script. -
- #### Impact The `c_rehash` script does not sanitize shell metacharacters properly to prevent command injection. This script is distributed by some operating systems, and by extension, in container images, in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. -
- #### Resolution This vulnerability has been addressed in the vSphere CSI pack greater than or equal to version v2.6. -
- #### Workarounds Update cluster profiles using the vSphere CSI pack to version v2.6 or greater. Apply the updated cluster profile changes to all clusters consuming the cluster profile. -
- #### References - [CVE-2022-1292](https://nvd.nist.gov/vuln/detail/CVE-2022-1292) \ No newline at end of file
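Review bot: The cve-index.md hunk adds three entries, but cve-reports.md in this same patch adds five new sections; the October 11, 2023 CVE-2023-44487 (HTTP/2 Denial of Service, 7.5 CVSS) and September 25, 2023 CVE-2023-4863 (libwebp, 8.8 CVSS) sections get no index entry. Add them in the same anchor format as the other entries, for example `- [October 11, 2023 - CVE-2023-44487 HTTP/2 Denial of Service - 7.5 CVSS](cve-reports.md#october-11-2023---cve-2023-44487-http2-denial-of-service---75-cvss)`, and verify the generated slug once, since the slash in "HTTP/2" is dropped by the heading slugger.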
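Review bot: In the `@@ -13,6 +14,7 @@` hunk the new October 11, 2023 CVE-2023-44487 section is inserted above the October 17 and October 6 sections, while the rest of cve-reports.md is newest first; move it between October 17 and October 6. In that same section `### Workarounds` sits among `#### Impact`, `#### Patches` and `#### References`; pick one level for the four subsection headings across all five new sections. Smaller fixes in the same hunk: the stray double backtick in `SUID`` permission` (CVE-2023-4911), "vulerability" and "from an OS perspective OS, a cannot be exploited" (CVE-2023-4863), "Vertex" for "VerteX" and "Release 4.1.0 include" for "includes", and the absolute `/api/introduction#rate-limits` link where the rest of the patch converts links to relative `.md` paths. The CVE-2023-4911 Impact paragraph says the microservices "are not impacted" while Patches and Workarounds require an upgrade; state explicitly that the node OS on self-hosted instances, Tenant Clusters and Private Cloud Gateways carries the vulnerable glibc so the two paragraphs agree, and note the same tension in CVE-2023-42810, whose description offers a workaround (sanitize the strings passed to `wifiConnections()` and `wifiNetworks()`) while its Workarounds heading says "Not Applicable".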
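Review bot: In the `@@ -54,17 +159,15 @@` hunk the Patches line drops "Operating System (OS)" for "OS", removing the only expansion in the CVE-2023-22809 section, while the CVE-2023-38408 Patches line in the next hunk keeps the full form; use one spelling across the page, keeping the expansion at first use.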
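Review bot: In the `@@ -95,53 +198,49 @@` hunk the CVE-2023-38408 Patches and Workarounds lines are `- ` bullets, whereas the same two sentences for CVE-2023-22809 above are plain paragraphs; since this patch already rewrites both lines (the link change to `../../clusters/cluster-management/os-patching.md`), make the two sections match.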
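Review bot: In the `@@ -227,39 +323,34 @@` hunk the References list under the CVE-2023-29404 heading starts with `- [CVE-2023-29402](https://nvd.nist.gov/vuln/detail/CVE-2023-29402)`; since this patch touches the section, point that entry at CVE-2023-29404 (the GO-2023-1841 reference that follows is the report for CVE-2023-29404).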
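Review bot: In the `@@ -306,36 +392,33 @@` hunk the heading "September 01, 2023 - CVE-2023-29402 - Go get Vulnerability Security Advisory - 9.8 CVSS" reuses the CVE id of the "Go Modules" section directly above it; the description here (flags with embedded spaces smuggled through LDFLAGS sanitization, gccgo only) and the GO-2023-1842 reference it cites correspond to CVE-2023-29405, so correct the heading and add the matching NVD link, and add the corrected entry to cve-index.md as well.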
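Review bot: In the `@@ -386,31 +468,29 @@` hunk the March 20, 2023 CVE-2023-22809 section keeps `#### Resolution` and `*` bullets while the September 2023 sections use "Patches" and `- ` bullets; the commit message says headings were aligned to Resolution/Patches, so either rename this heading or state in the commit message that the pre-4.0 advisories keep their original layout.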