diff --git a/docs/docs-content/security-bulletins/cve-reports.md b/docs/docs-content/security-bulletins/cve-reports.md index 1a933d8477..2d584559d2 100644 --- a/docs/docs-content/security-bulletins/cve-reports.md +++ b/docs/docs-content/security-bulletins/cve-reports.md 
@@ -29,36 +29,13 @@ regarding any third-party components. For vulnerabilities originating in our pro workarounds where applicable -| Impacted Product & Version | Vulnerability Type | Vulnerability Summary | CVE ID | CVSS Severity | -| -------------------------- | ------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ------------------------------------------------------ | -| Palette 4.4.8 | Third-party component: PyYAML library through v5.4 | A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. | [CVE-2020-14343](https://nvd.nist.gov/vuln/detail/CVE-2020-14343) | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2020-14343) | -| Palette 4.4.8 | Third-party component: Ubuntu | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. 
| [CVE-2024-24790](https://ubuntu.com/security/CVE-2024-24790) | [9.8](https://ubuntu.com/security/CVE-2024-24790) | -| Palette 4.4.8 | Third-party component: Certif | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. | [CVE-2023-37920](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | -| Palette 4.4.8 | Third-party component: Github | Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. | [CVE-2024-32002](https://nvd.nist.gov/vuln/detail/CVE-2024-32002) | [9.0](https://nvd.nist.gov/vuln/detail/CVE-2024-32002) | -| Palette 4.4.8 | Third-party component: KRB5 | PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow) and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug." | [CVE-2022-42898](https://nvd.nist.gov/vuln/detail/CVE-2022-42898) | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2022-42898) | -| Palette 4.4.8 | Third-party component: CLI Tool runc | Runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. 
In runc 1.1.11 and earlier due to an internal file descriptor leak an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace allowing for a container escape by giving access to the host file system. | [CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | [8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | -| Palette 4.4.8 | Third-party component: Hashicorp go-getter library | HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration potentially leading to arbitrary code execution. | [CVE-2024-6257](https://nvd.nist.gov/vuln/detail/CVE-2024-6257) | [8.4](https://nvd.nist.gov/vuln/detail/CVE-2024-6257) | -| Palette 4.4.8 | Third-party component: OpenSSH Server | A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. | [CVE-2024-6387](https://nvd.nist.gov/vuln/detail/CVE-2024-6387) | [8.1](https://nvd.nist.gov/vuln/detail/CVE-2024-6387) | -| Palette 4.4.8 | Third-party component: Ncurses | Ncurses before 6.4 20230408 when used by a setuid application allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable. | [CVE-2023-29491](https://nvd.nist.gov/vuln/detail/CVE-2023-29491) | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29491) | -| Palette 4.4.8 | Third-party component: Unix | On Unix platforms the Go runtime does not behave differently when a binary is started with the setuid/setgid bits. This can be dangerous in certain cases such as when dumping memory state or assuming the status of standard i/o file descriptors. 
| [CVE-2023-29403](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) | -| Palette 4.4.8 | Third-party component: Linux Kernel | In the Linux kernel the following vulnerability has been resolved: `bpf:` Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab the map may still be accessed by non-sleepable program or sleepable program. However `bpf_map_fd_put_ptr()` decreases the ref-counter of the inner map directly through `bpf_map_put()` if the ref-counter is the last one (which is true for most cases) the inner map will be freed by `ops->map_free()` in a kworker. But for now most `.map_free()` callbacks don't use synchronize_rcu() or its variants to wait for the elapse of a RCU grace period so after the invocation of ops->map_free completes the bpf program which is accessing the inner map may incur use-after-free problem. | [CVE-2023-52447](https://nvd.nist.gov/vuln/detail/CVE-2023-52447) | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-52447) | -| Palette 4.4.8 | Third-party component: glibc library | A heap-based buffer overflow was found in the \_\_vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called or called with the ident argument set to NULL and the program name (the basename of argv[0]) is bigger than 1024 bytes resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer. 
| [CVE-2023-6246](https://nvd.nist.gov/vuln/detail/CVE-2023-6246) | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-6246) | -| Palette 4.4.8 | Third-party component: GNU C Library | A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable | [CVE-2023-4911](https://nvd.nist.gov/vuln/detail/CVE-2023-4911) | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-4911) | -| Palette 4.4.8 | Third-party component: OpenSSL | The function `PEM_read_bio_ex()` reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE") any header data and the payload data. If the function succeeds then the "name_out" "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case `PEM_read_bio_ex()` will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. | [CVE-2022-4450](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | -| Palette 4.4.8 | Third-party component: Open-telemetry-Go | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0 the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. 
| [CVE-2023-47108](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | -| Palette 4.4.8 | Third-party component: glibc library | An off-by-one heap-based buffer overflow was found in the \_\_vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes leading to an incorrect calculation of the buffer size to store the message resulting in an application crash. This issue affects glibc 2.37 and newer. | [CVE-2023-6779](https://nvd.nist.gov/vuln/detail/CVE-2023-6779) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-6779) | -| Palette 4.4.8 | Third-party component: Certifi | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. | [CVE-2023-37920](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | -| Palette 4.4.8 | Third-party component: Open-telemetry-Go | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. 
| [CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | -| Palette 4.4.8 | Third-party component: OpenSSL | A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. | [CVE-2023-0464](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | -| Palette 4.4.8 | Third-party component: Go Project | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. | [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | -| Palette 4.4.8 | Third-party component: Python 3.11 through 3.11.4 | An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath() the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier but that filename is no longer rejected in Python 3.11.x. | [CVE-2023-41105](https://nvd.nist.gov/vuln/detail/CVE-2023-41105) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-41105) | -| Palette 4.4.8 | Third-party component: Python | An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. 
| [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24329) | -| Palette 4.4.8 | Third-party component: DNS Protocol | Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses aka the "KeyTrap" issue. One of the concerns is that when there is a zone with many DNSKEY and RRSIG records the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. | [CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-50387) | -| Palette 4.4.8 | Third-party component: urllib3 | An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking. | [CVE-2021-33503](https://nvd.nist.gov/vuln/detail/CVE-2021-33503) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2021-33503) | -| Palette 4.4.8 | Third-party component: OpenSSL | The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME CMS and PKCS7 streaming capabilities but may also be called directly by end user applications. | [CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | -| Palette 4.4.8 | Third-party component: Go-yaml v2 | An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input. 
| [CVE-2022-28948](https://nvd.nist.gov/vuln/detail/CVE-2022-28948) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948) | -| Palette 4.4.8 | Third-party component: Go Project | Before Go 1.20 the RSA based TLS key exchanges used the math/big library which is not constant time. RSA blinding was applied to prevent timing attacks but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information which in turn could be used to recover session key bits. In Go 1.20 the crypto/tls library switched to a fully constant time RSA implementation which we do not believe exhibits any timing side channels. | [CVE-2023-45287](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) | -| Palette 4.4.8 | Third-party component: Diffie-Hellman Key Agreement Protocol | The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive because the 1996 van Oorschot and Wiener paper found that "(appropriately) short exponents" can be used when there are adequate subgroup constraints and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size rather than an observation about numbers that are not public keys. | [CVE-2022-40735](https://nvd.nist.gov/vuln/detail/CVE-2022-40735) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-40735) | -| Palette 4.4.8 | Third-party component: OpenSSL | There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. 
This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. | [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | -| Palette 4.4.8 | Third-party component: Linux Kernel | A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The `aoecmd_cfg_pkts()` function improperly updates the refcnt on `struct net_device` and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. | [CVE-2023-6270](https://nvd.nist.gov/vuln/detail/CVE-2023-6270) | [7.0](https://nvd.nist.gov/vuln/detail/CVE-2023-6270) | +| Initial Pub Date | Modified Date | Impacted Product & Version | Vulnerability Type | Vulnerability Summary | CVE ID | CVSS Severity | Impact | +|------------------|---------------|----------------------------|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---| +| 2/8/23 | 2/4/24 | Palette 4.4.8 | Third-party component: OpenSSL | The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. | [CVE-2022-4450](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | | +| 10/12/23 | 2/18/24 | Palette 4.4.8 | Third-party component: Open-telemetry-Go | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. | [CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | CVE exists in k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+ For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | +| 3/22/23 | 6/21/24 | Palette 4.4.8 | Third-party component: OpenSSL | A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. 
| [CVE-2023-0464](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | | +| 10/11/23 | 4/28/24 | Palette 4.4.8 | Third-party component: Go Project | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. | [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | CVE exists in coredns that’s being used in k8s 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+ For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | +| 2/28/23 | 6/21/24 | Palette 4.4.8 | Third-party component: OpenSSL | The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. | [CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | | +| 11/20/23 | 11/20/23 | Palette 4.4.8 | Third-party component: Open-telemetry-Go | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. | [CVE-2023-47108](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | CVE exists in vsphere-csi 3.2.0, and kube-controller-manaer version 1.28.11. Impacts all vsphere clusters. 
There is no workaround. | +| 2/8/23 | 2/4/24 | Palette 4.4.8 | Third-party component: OpenSSL | There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. | [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | This is a false positive reported by twistlock only. We have confirmed this CVE is fixed in the FIPS openSSL version that’s being used in VerteX. | diff --git a/docs/docs-content/security-bulletins/life-cycle/cve-2024-21626.md b/docs/docs-content/security-bulletins/life-cycle/cve-2024-21626.md new file mode 100644 index 0000000000..ebf191f7d9 --- /dev/null +++ b/docs/docs-content/security-bulletins/life-cycle/cve-2024-21626.md @@ -0,0 +1,9 @@ +--- +sidebar_label: "CVE-2024-21626" +title: "CVE-2024-21626" +description: "Lifecycle of CVE-2024-21626" +hide_table_of_contents: false +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- diff --git a/docs/docs-content/security-bulletins/life-cycle/life-cycle.md b/docs/docs-content/security-bulletins/life-cycle/life-cycle.md new file mode 100644 index 0000000000..0cceb31070 --- /dev/null +++ b/docs/docs-content/security-bulletins/life-cycle/life-cycle.md @@ -0,0 +1,10 @@ +--- +sidebar_label: "CVE Life Cycle Reports" +title: "CVE Life Cycle Reports" +description: "Lifecycle of CVE-2024-21626" +hide_table_of_contents: false +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +unlisted: true +tags: ["security", "cve"] +---
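Review bot: the cve-reports.md hunk drops 23 of the 30 Palette 4.4.8 rows, among them the three 9.8-rated entries (CVE-2020-14343, CVE-2024-24790, CVE-2023-37920) and the 8.6-rated runc escape CVE-2024-21626, with nothing on the page saying whether they were remediated, reclassified or moved; either keep them with a status in the new Impact column or add a sentence stating where resolved entries now live (CVE-2024-21626 is removed from the table in the same PR that creates a life-cycle page for it, so a link from the table to that page would keep the report self-consistent). Within the rows that remain: the Impact column is empty for CVE-2022-4450, CVE-2023-0464 and CVE-2023-0215; the CVE-2023-0286 impact text says the fix is confirmed "in the FIPS openSSL version that's being used in VerteX" while the row's product column still says Palette 4.4.8, so one of the two should be corrected; "kube-controller-manaer" should read "kube-controller-manager"; "use k8s version 1.29+ For Palette Self Hosted cluster" is missing the sentence break; and the M/D/YY dates in the new Initial Pub Date and Modified Date columns are ambiguous for non-US readers, so an unambiguous form such as 2023-02-08 would be safer for a security bulletin.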
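Review bot: the new cve-2024-21626.md consists of front matter only, so the life-cycle page renders empty for the CVE it is named after; at minimum carry over the summary, the 8.6 CVSS score and the affected product (Palette 4.4.8) from the row this PR removes from cve-reports.md, and add the dates and current remediation status that a life-cycle report exists to record. With no headings in the body, `toc_max_heading_level: 2` has nothing to act on until that content lands.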
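Review bot: the `description` field in life-cycle.md reads "Lifecycle of CVE-2024-21626", copied from the per-CVE page, but this file is the index titled "CVE Life Cycle Reports"; it should describe the index instead, for example `description: "Life cycle reports for CVEs affecting Palette"`. The file also sets `unlisted: true` on top of `sidebar_class_name: "hide-from-sidebar"`, while the per-CVE page sets only the latter; if the index is meant to be a hidden draft, say so in the PR, otherwise drop `unlisted` and add links from this page to the per-CVE pages so readers can reach them.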