From 42f34694e0afc1f8881a901f8cd67c0f257c7265 Mon Sep 17 00:00:00 2001
From: "vault-token-factory-spectrocloud[bot]" <133815545+vault-token-factory-spectrocloud[bot]@users.noreply.github.com>
Date: Fri, 2 Aug 2024 01:19:09 +0000
Subject: [PATCH] docs: update CVE Layout Changes (#3524) (#3534)

* docs: first entry

* Update cve-2020-1971.md

* Update prisma-2022-0227.md

Updated CVE

* Update cve-2021-3449.md

Updated CVE

* Update cve-2021-3711.md

* Update cve-2022-25883.md

Updating CVE

* Update cve-2021-45079.md

* Updating CVEs

* Updating CVEs

* chore: prettier

---------

Co-authored-by: frederickjoi <153292280+frederickjoi@users.noreply.github.com>
Co-authored-by: Karl Cardenas
(cherry picked from commit 364f54c6e7171a7cf48264ca1b2a171a60a0a43c)

Co-authored-by: JamieM-Spectro
---
 .../reports/cve-2015-8855.md       | 28 +++++++++---
 .../reports/cve-2020-1971.md       | 44 ++++++++++++++++---
 .../reports/cve-2021-3449.md       | 34 +++++++++++---
 .../reports/cve-2021-3711.md       | 39 +++++++++++++---
 .../reports/cve-2021-45079.md      | 30 ++++++++++---
 .../reports/cve-2022-0778.md       | 34 +++++++++++---
 .../reports/cve-2022-25883.md      | 27 +++++++++---
 .../reports/cve-2022-41723.md      | 28 +++++++++---
 .../reports/cve-2022-4450.md       | 33 ++++++++++++--
 .../reports/cve-2023-0215.md       | 30 ++++++++++---
 .../reports/cve-2023-0286.md       | 30 ++++++++++---
 .../reports/cve-2023-0464.md       | 29 +++++++++---
 .../reports/cve-2023-39325.md      | 29 +++++++++---
 .../reports/cve-2023-44487.md      | 27 +++++++++---
 .../reports/cve-2023-45142.md      | 29 +++++++++---
 .../reports/cve-2023-47108.md      | 29 +++++++++---
 .../reports/cve-2023-52425.md      | 27 +++++++++---
 .../reports/cve-2023-5528.md       | 28 +++++++++---
 .../reports/cve-2024-21626.md      | 33 +++++++++++---
 .../reports/ghsa-m425-mq94-257g.md | 30 ++++++++++---
 .../reports/prisma-2022-0227.md    | 26 +++++++++-
 21 files changed, 542 insertions(+), 102 deletions(-)
diff --git a/docs/docs-content/security-bulletins/reports/cve-2015-8855.md b/docs/docs-content/security-bulletins/reports/cve-2015-8855.md index a6d9b3a436..c23205fd38 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2015-8855.md +++ b/docs/docs-content/security-bulletins/reports/cve-2015-8855.md 
@@ -8,10 +8,28 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2015-8855](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | -| [CVE-2015-8855](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) | 7/16/24 | The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | This is a false positive as the CVE is in a node.js package that has the same name which is being used in the Golang application. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) | Ongoing | +## Last Update + +7/31/2024 + +## NIST CVE Summary + +The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long +version string, aka a "regular expression denial of service (ReDoS)." + +## Our Official Summary + +This is a false positive as the CVE is in a node.js package that has the same name which is being used in the Golang +application. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2020-1971.md b/docs/docs-content/security-bulletins/reports/cve-2020-1971.md index 59fc384c70..d9212b124b 100644 
--- a/docs/docs-content/security-bulletins/reports/cve-2020-1971.md +++ b/docs/docs-content/security-bulletins/reports/cve-2020-1971.md 
@@ -8,10 +8,44 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2020-1971](https://nvd.nist.gov/vuln/detail/CVE-2020-1971) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| --------------------------------------------------------------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | -| [CVE-2020-1971](https://nvd.nist.gov/vuln/detail/CVE-2020-1971) | 7/16/24 | The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. 
OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You learn more at https://ubuntu.com/security/CVE-2020-1971. | [5.9](https://nvd.nist.gov/vuln/detail/CVE-2020-1971) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known +as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to +see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL +pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the +GENERAL_NAME_cmp function for two purposes: 1\) Comparing CRL distribution point names between an available CRL and a +CRL distribution point embedded in an X509 certificate 2\) When verifying that a timestamp response token signer matches +the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an +attacker can control both items being compared then that attacker could trigger a crash. 
For example if the attacker can +trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that +some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to +the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for +the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work +against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct +correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser +will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other +OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in +OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). + +## Our Official Summary + +This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version +1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You learn more at +[https://ubuntu.com/security/CVE-2020-1971](https://ubuntu.com/security/CVE-2020-1971). + +## CVE Severity + +[5.9](https://nvd.nist.gov/vuln/detail/CVE-2020-1971) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-3449.md b/docs/docs-content/security-bulletins/reports/cve-2021-3449.md index 2fc4db75d7..5dcadb34e1 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2021-3449.md +++ b/docs/docs-content/security-bulletins/reports/cve-2021-3449.md 
@@ -8,10 +8,34 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2021-3449](https://nvd.nist.gov/vuln/detail/CVE-2021-3449) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| --------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | -| [CVE-2021-3449](https://nvd.nist.gov/vuln/detail/CVE-2021-3449) | 7/16/24 | An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. 
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at https://ubuntu.com/security/CVE-2021-3449. | [5.9](https://nvd.nist.gov/vuln/detail/CVE-2021-3449) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a +TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial +ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to +a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which +is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are +affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this +issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). + +## Our Official Summary + +This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version +1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at +[https://ubuntu.com/security/CVE-2021-3449](https://ubuntu.com/security/CVE-2021-3449). + +## CVE Severity + +[5.9](https://nvd.nist.gov/vuln/detail/CVE-2021-3449) + +## Status + +Ongoing 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-3711.md b/docs/docs-content/security-bulletins/reports/cve-2021-3711.md index 4cbad0c021..da0fb6ee1c 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2021-3711.md +++ b/docs/docs-content/security-bulletins/reports/cve-2021-3711.md 
@@ -8,10 +8,39 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2021-3711](https://nvd.nist.gov/vuln/detail/CVE-2021-3711) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
----------------------------------------------------- | ------- | -| [CVE-2021-3711](https://nvd.nist.gov/vuln/detail/CVE-2021-3711) | 7/16/24 | In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at https://ubuntu.com/security/CVE-2021-3711. | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2021-3711) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically +an application will call this function twice. 
The first time, on entry, the "out" parameter can be NULL and, on exit, +the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can +then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for +the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer +size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size +required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a +second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an +application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents +of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The +location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected +1.1.1-1.1.1k). + +## Our Official Summary + +This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version +1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at +[https://ubuntu.com/security/CVE-2021-3711](https://ubuntu.com/security/CVE-2021-3711). + +## CVE Severity + +[9.8](https://nvd.nist.gov/vuln/detail/CVE-2021-3711) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-45079.md b/docs/docs-content/security-bulletins/reports/cve-2021-45079.md index af8af84a28..ad0e12c05a 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2021-45079.md +++ b/docs/docs-content/security-bulletins/reports/cve-2021-45079.md 
@@ -8,10 +8,30 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2021-45079](https://nvd.nist.gov/vuln/detail/CVE-2021-45079) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ----------------------------------------------------------------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | -| [CVE-2021-45079](https://nvd.nist.gov/vuln/detail/CVE-2021-45079) | 7/16/24 | In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS package version 5.8.2-1ubuntu3.fips.3.6 that is being used in VerteX.Review: You can learn more at https://ubuntu.com/security/CVE-2021-45079. | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-45079) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually +authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for +IKEv2) even without server authentication. 
+ +## Our Official Summary + +This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS package version +5.8.2-1ubuntu3.fips.3.6 that is being used in VerteX.Review: You can learn more at +[https://ubuntu.com/security/CVE-2021-45079](https://ubuntu.com/security/CVE-2021-45079). + +## CVE Severity + +[9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-45079) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-0778.md b/docs/docs-content/security-bulletins/reports/cve-2022-0778.md index 09d58cf32f..bb31576489 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2022-0778.md +++ b/docs/docs-content/security-bulletins/reports/cve-2022-0778.md 
@@ -8,10 +8,34 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2022-0778](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) -| CVE ID | Last Update | NIST CVE Summary | Our Our Official Summary | CVE Severity | Status | -| --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | -| [CVE-2022-0778](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) | 7/16/24 | The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. 
It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at https://ubuntu.com/security/CVE-2023-0286. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +The BN\\\_mod\\\_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever +for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys +in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to +trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate +parsing happens prior to verification of the certificate signature, any process that parses an externally supplied +certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing +crafted private keys as they can contain explicit elliptic curve parameters. + +## Our Official Summary + +This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version +1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at +[https://ubuntu.com/security/CVE-2023-0286](https://ubuntu.com/security/CVE-2023-0286). + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) + +## Status + +Ongoing 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-25883.md b/docs/docs-content/security-bulletins/reports/cve-2022-25883.md index 6879d4d2cd..98b337ce98 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2022-25883.md +++ b/docs/docs-content/security-bulletins/reports/cve-2022-25883.md @@ -8,10 +8,27 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2022-25883](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ----------------------------------------------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | -| [CVE-2022-25883](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | 7/16/24 | Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. | The CVE reported in virtual cluster CAPI provider. Govulncheck reports it as non-impacting. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | Ongoing | +## Last Update + +7/16/24 + +## NIST CVE Summary + +Versions of the package server before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the +function new Range, when untrusted user data is provided as a range. + +## Our Official Summary + +The CVE reported in virtual cluster CAPI provider. Govulncheck reports it as non-impacting. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) + +## Status + +Ongoing 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41723.md b/docs/docs-content/security-bulletins/reports/cve-2022-41723.md index ff43fca0c7..5bb1ac2d3c 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2022-41723.md +++ b/docs/docs-content/security-bulletins/reports/cve-2022-41723.md 
@@ -8,10 +8,28 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ----------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | -| [CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | 7/16/24 | A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. | CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11.For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a +denial of service from a small number of small requests. + +## Our Official Summary + +CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11.For customer workload clusters, +workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. 
+ +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-4450.md b/docs/docs-content/security-bulletins/reports/cve-2022-4450.md index 693afedded..8775d74fd6 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2022-4450.md +++ b/docs/docs-content/security-bulletins/reports/cve-2022-4450.md 
@@ -12,6 +12,33 @@ tags: ["security", "cve"] We provide the most up-to-date information below. -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| --------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | -| [CVE-2022-4450](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | 7/16/24 | The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. 
If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. Additional information can be found at https://ubuntu.com/security/CVE-2022-4450 | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | Ongoing | +## CVE Details + +[CVE-2022-4450](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) + +## Last Update + +7/16/2024 + +## NIST CVE Summary + +The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any +header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are +populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those +buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() +will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. +If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. + +## Our Official Summary + +This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version +1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. Additional information can be found at +[https://ubuntu.com/security/CVE-2022-4450](https://ubuntu.com/security/CVE-2022-4450) + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0215.md b/docs/docs-content/security-bulletins/reports/cve-2023-0215.md index d9b9f7b39e..2dac757291 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-0215.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-0215.md 
@@ -8,10 +8,30 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| --------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | -| [CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | 7/16/24 | The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at https://ubuntu.com/security/CVE-2023-0215. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +The public API function BIO\\\_new\\\_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily +used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly +by end user applications. + +## Our Official Summary + +This is a false positive reported by twistlock. 
We have confirmed this CVE is fixed in the FIPS openSSL version +1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at +[https://ubuntu.com/security/CVE-2023-0215](https://ubuntu.com/security/CVE-2023-0215). + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0286.md b/docs/docs-content/security-bulletins/reports/cve-2023-0286.md index bfd03fd267..125f1e0304 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-0286.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-0286.md 
@@ -8,10 +8,30 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | -| [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | 7/16/24 | There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. | This is a false positive reported by twistlock only. We have confirmed this CVE is fixed in the FIPS openSSL version that’s being used in VerteX. | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. 
X.400 +addresses were parsed as an ASN1\\\_STRING but the public structure definition for GENERAL\\\_NAME incorrectly specified +the type of the x400Address field as ASN1\\\_TYPE. This field is subsequently interpreted by the OpenSSL function +GENERAL\\\_NAME\\\_cmp as an ASN1\\\_TYPE rather than an ASN1\\\_STRING. + +## Our Official Summary + +This is a false positive reported by twistlock only. We have confirmed this CVE is fixed in the FIPS openSSL version +that’s being used in VerteX. + +## CVE Severity + +[7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0464.md b/docs/docs-content/security-bulletins/reports/cve-2023-0464.md index ae3632345a..43c8d7beca 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-0464.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-0464.md 
@@ -8,10 +8,29 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2023-0464](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | -| [CVE-2023-0464](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | 7/16/24 | A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more about this CVE at https://ubuntu.com/security/CVE-2023-0464. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 +certificate chains that include policy constraints. + +## Our Official Summary + +This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version +1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more about this CVE at +[https://ubuntu.com/security/CVE-2023-0464](https://ubuntu.com/security/CVE-2023-0464). 
+ +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-39325.md b/docs/docs-content/security-bulletins/reports/cve-2023-39325.md index ab889c7701..357725b2a8 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-39325.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-39325.md 
@@ -8,10 +8,29 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ----------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | -| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | 7/16/24 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. | CVE exists in coredns that’s being used in k8s 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource +consumption. 
While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting +an in-progress request allows the attacker to create a new request while the existing one is still executing. + +## Our Official Summary + +CVE exists in coredns that’s being used in k8s 1.28.11. For customer workload clusters, workaround is to use k8s version +1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-44487.md b/docs/docs-content/security-bulletins/reports/cve-2023-44487.md index dfe29dad92..88677c5cd3 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-44487.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-44487.md 
@@ -8,10 +8,27 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ----------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | -| [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | 7/16/24 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | The CVE reported in coredns and kube-vip. Govulncheck reports it as non-impacting. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many +streams quickly, as exploited in the wild in August through October 2023\. + +## Our Official Summary + +The CVE reported in coredns and kube-vip. Govulncheck reports it as non-impacting. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-45142.md b/docs/docs-content/security-bulletins/reports/cve-2023-45142.md index 722be49db4..e59db347a1 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-45142.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-45142.md 
@@ -8,10 +8,29 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ----------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | -| [CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | 7/16/24 | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. | CVE exists in k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box +adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory +exhaustion when many malicious requests are sent to it. + +## Our Official Summary + +CVE exists in k8s version 1.28.11. 
For customer workload clusters, workaround is to use k8s version 1.29+. For Palette +Self Hosted cluster, a future release will upgrade to 1.29+. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-47108.md b/docs/docs-content/security-bulletins/reports/cve-2023-47108.md index f11cc54656..00e6df3148 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-47108.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-47108.md 
@@ -8,10 +8,29 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2023-47108](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ----------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | -| [CVE-2023-47108](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | 7/16/24 | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. | CVE exists in vsphere-csi 3.2.0, and kube-controller-manaer version 1.28.11. Impacts all vsphere clusters. There is no workaround. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc +Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound +cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. 
+ +## Our Official Summary + +CVE exists in vsphere-csi 3.2.0, and kube-controller-manaer version 1.28.11. Impacts all vsphere clusters. There is no +workaround. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-52425.md b/docs/docs-content/security-bulletins/reports/cve-2023-52425.md index 8339dd460d..732c84da31 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-52425.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-52425.md 
@@ -8,10 +8,27 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ----------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ------------------------------------------------------ | ------- | -| [CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | 7/16/24 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | The CVE is reported in vsphere-csi 3.2.0. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in +the case of a large token for which multiple buffer fills are needed. + +## Our Official Summary + +The CVE is reported in vsphere-csi 3.2.0. + +## CVE Severity + +[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-5528.md b/docs/docs-content/security-bulletins/reports/cve-2023-5528.md index d3832e350f..9c5ec0cb85 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-5528.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-5528.md 
@@ -8,10 +8,28 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2023-5528](https://nvd.nist.gov/vuln/detail/CVE-2023-5528) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| --------------------------------------------------------------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | -| [CVE-2023-5528](https://nvd.nist.gov/vuln/detail/CVE-2023-5528) | 7/16/24 | A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. | The CVE reported in vsphere-csi 3.2.0, Govulncheck reports it as non-impacting. | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-5528) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes +may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an +in-tree storage plugin for Windows nodes. + +## Our Official Summary + +The CVE reported in vsphere-csi 3.2.0, Govulncheck reports it as non-impacting. + +## CVE Severity + +[8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-5528) + +## Status + +Ongoing 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-21626.md b/docs/docs-content/security-bulletins/reports/cve-2024-21626.md index 220d48f376..a5650cb117 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2024-21626.md +++ b/docs/docs-content/security-bulletins/reports/cve-2024-21626.md 
@@ -8,10 +8,33 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ----------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | -| [CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | 7/16/24 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). 
The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. | CVE exists in kube-proxy 1.28.11. Affects only k8s version 1.28.11 For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | Ongoing | +## Last Update + +7/16/2024 + +## NIST CVE Summary + +runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and +earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc +exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to +the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to +gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to +overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc +1.1.12 includes patches for this issue. + +## Our Official Summary + +CVE exists in kube-proxy 1.28.11. Affects only k8s version 1.28.11 For customer workload clusters, workaround is to use +k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. + +## CVE Severity + +[8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md index 42147f6031..2cb07ea44e 100644 
--- a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md +++ b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md 
@@ -8,10 +8,30 @@ toc_max_heading_level: 2 tags: ["security", "cve"] --- -# CVE Details +## CVE Details -We provide the most up-to-date information below. +[GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ------------------------------------------------------------------------ | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------- | ------- | -| [GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) | 10/25/23 | The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. | CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. 
| [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | Ongoing | +## Last Update + +10/25/2023 + +## NIST CVE Summary + +The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send +subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent +method handlers than the configured maximum stream limit. + +## Our Official Summary + +CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload +clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to +1.29+. + +## CVE Severity + +[7.5](https://github.com/advisories/GHSA-m425-mq94-257g) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/prisma-2022-0227.md b/docs/docs-content/security-bulletins/reports/prisma-2022-0227.md index 7dacfcf88b..e0c97a3897 100644 --- a/docs/docs-content/security-bulletins/reports/prisma-2022-0227.md +++ b/docs/docs-content/security-bulletins/reports/prisma-2022-0227.md 
@@ -10,8 +10,26 @@ tags: ["security", "cve"] # CVE Details -We provide the most up-to-date information below. +[PRISMA-2022-0227](https://github.com/kubernetes/kubernetes/issues/120604) -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| -------------------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------ | ------- | -| [PRISMA-2022-0227](https://github.com/kubernetes/kubernetes/issues/120604) | 7/16/24 | github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypass in a complex system. | The CVE reported in vsphere-csi 3.2.0, and Kubernetes 1.28.11. Govulncheck reports it as non-impacting. | N/A | Ongoing | +## Last Update + +7/31/2024 + +## NIST CVE Summary + +github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. +There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check +bypass in a complex system. + +## Our Official Summary + +The CVE reported in vsphere-csi 3.2.0, and Kubernetes 1.28.11. Govulncheck reports it as non-impacting. + +## CVE Severity + +N/A + +## Status + +Ongoing
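Review bot: In the cve-2022-41723.md hunk, the new "Our Official Summary" paragraph carries over a missing space in "Affects only k8s version 1.28.11.For customer workload clusters"; since the line is being rewritten anyway, separate the sentences ("1.28.11. For customer workload clusters").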
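Review bot: In the cve-2022-4450.md hunk, the new "## CVE Details" heading is added while the existing "# CVE Details" heading and the "We provide the most up-to-date information below." sentence are kept as context, so this file ends up with both headings and the intro sentence. Every other file in the patch replaces "# CVE Details" with "## CVE Details" and drops the sentence; apply the same change here so the layout matches.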
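Review bot: In the cve-2023-0215.md and cve-2023-0286.md hunks, the identifiers in the NIST summaries are written with escaped underscores ("BIO\\\_new\\\_NDEF", "ASN1\\\_STRING", "GENERAL\\\_NAME\\\_cmp"), which the original table rows did not have and which will render as literal backslashes in some renderers. Wrap the identifiers in backticks instead (`BIO_new_NDEF`, `ASN1_STRING`, `GENERAL_NAME_cmp`) so no escaping is needed and the text matches the NVD wording.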
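Review bot: In the cve-2023-44487.md hunk, the new NIST summary ends with "August through October 2023\." where the original row had a plain period; the stray backslash is an escaping artifact and should be removed.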
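Review bot: In the cve-2023-47108.md hunk, the new "Our Official Summary" keeps the typo "kube-controller-manaer" from the old table row; correct it to "kube-controller-manager" since the component name is what readers will search for.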
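Review bot: In the cve-2024-21626.md hunk, the new "Our Official Summary" is missing a period between "Affects only k8s version 1.28.11" and "For customer workload clusters"; add it so the two statements read as separate sentences.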
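Review bot: In the ghsa-m425-mq94-257g.md hunk, the new headings "NIST CVE Summary" and "CVE Severity" link to a GitHub advisory (GHSA-m425-mq94-257g) rather than an NVD entry, so the heading text does not describe the source; consider labelling the source accurately for GHSA-only entries, or at least noting in the summary that the text and score come from the GitHub advisory.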
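Review bot: In the prisma-2022-0227.md hunk, "# CVE Details" is left at heading level 1 (it appears as unchanged context) while the new sections are all "##" and every other file in the patch demotes the heading to "## CVE Details"; change it here too so the page outline is consistent with toc_max_heading_level: 2.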