Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: 8-27-24 cve updates #3725

Merged
merged 2 commits into from
Aug 27, 2024
Merged

docs: 8-27-24 cve updates #3725

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9ec9b5e
8-27-24 cve updates
frederickjoi Aug 27, 2024
2308448
docs: fix format
lennessyy Aug 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions docs/docs-content/security-bulletins/reports/cve-2024-35325.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
sidebar_label: "CVE-2024-35325"
title: "CVE-2024-35325"
description: "Lifecycle of CVE-2024-35325"
hide_table_of_contents: true
sidebar_class_name: "hide-from-sidebar"
toc_max_heading_level: 2
tags: ["security", "cve"]
---

## CVE Details

[CVE-2024-35325](https://nvd.nist.gov/vuln/detail/CVE-2024-35325)

## Last Update

8/27/2024
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '8/27/2024'.


## NIST CVE Summary

A vulnerability was found in libyaml up to 0.2.5. Affected by this issue is the function yaml_event_delete of the file /src/libyaml/src/api.c. The manipulation leads to a double-free.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'libyaml'?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'yaml_event_delete'?


## Our Official Summary

Waiting on a fix from third party mongodb vendor.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'mongodb'?


## CVE Severity

[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-35325)

## Status

Ongoing

## Affected Products & Versions

- Palette VerteX 4.4.14

## Revision History

- 1.0 08/27/2024 Initial Publication
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '08/27/2024'.

- 2.0 08/27/2024 Added Palette VerteX 4.4.14 to Affected Products
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '08/27/2024'.

42 changes: 42 additions & 0 deletions docs/docs-content/security-bulletins/reports/cve-2024-6197.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
sidebar_label: "CVE-2024-6197"
title: "CVE-2024-6197"
description: "Lifecycle of CVE-2024-6197"
hide_table_of_contents: true
sidebar_class_name: "hide-from-sidebar"
toc_max_heading_level: 2
tags: ["security", "cve"]
---

## CVE Details

[CVE-2024-6197](https://nvd.nist.gov/vuln/detail/CVE-2024-6197)

## Last Update

8/27/2024
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '8/27/2024'.


## NIST CVE Summary

Libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Libcurl's'?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Google.Ordinal] Spell out all ordinal numbers ('1st') in text.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Itcan'?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'localstack'?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'malloc'?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'exploting'?


## Our Official Summary

Spectro Cloud Offcial Summary coming soon.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Offcial'?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[spectrocloud-docs-internal.future] Avoid documenting features that are not available at present. You mentioned 'coming soon'.


## CVE Severity

[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6197)

## Status

Ongoing

## Affected Products & Versions

- Palette VerteX 4.4.14

## Revision History

- 1.0 08/27/2024 Initial Publication
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '08/27/2024'.

- 2.0 08/27/2024 Added Palette VerteX 4.4.14 to Affected Products
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '08/27/2024'.

4 changes: 3 additions & 1 deletion docs/docs-content/security-bulletins/reports/reports.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,4 +77,6 @@ Click on the CVE ID to view the full details of the vulnerability.
| [CVE-2012-2663](./cve-2012-2663.md) | 08/16/24 | 08/16/24 | Palette 4.4.14 | Third-party component: iPtables | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2012-2663) | :mag: Ongoing |
| [CVE-2019-9192](./cve-2019-9192.md) | 08/16/24 | 08/16/24 | Palette 4.4.14 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192) | :mag: Ongoing |
| [CVE-2018-20796](./cve-2018-20796.md) | 08/16/24 | 08/16/24 | Palette 4.4.14 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796) | :mag: Ongoing |
| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 10/25/23 | Palette 4.4.11 & 4.4.14 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing |
| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 10/25/23 | Palette 4.4.11 & 4.4.14 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing |
[CVE-2024-35325](./cve-2024-35325.md) | 08/27/24 | 08/27/24 | Palette 4.4.14 | Third-party component: Libyaml | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-35325) | :mag: Ongoing |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Libyaml'?

[CVE-2024-6197](./cve-2024-6197.md) | 08/27/24 | 08/27/24 | Palette 4.4.14 | Third-party component: Libcurl | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6197) | :mag: Ongoing |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Libcurl'?

Loading