diff --git a/docs/docs-content/security-bulletins/cve-reports.md b/docs/docs-content/security-bulletins/cve-reports.md index 2d584559d2..f0684ffd00 100644 --- a/docs/docs-content/security-bulletins/cve-reports.md +++ b/docs/docs-content/security-bulletins/cve-reports.md 
@@ -29,13 +29,28 @@ regarding any third-party components. For vulnerabilities originating in our pro workarounds where applicable -| Initial Pub Date | Modified Date | Impacted Product & Version | Vulnerability Type | Vulnerability Summary | CVE ID | CVSS Severity | Impact | -|------------------|---------------|----------------------------|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 2/8/23 | 2/4/24 | Palette 4.4.8 | Third-party component: OpenSSL | The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. 
In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. | [CVE-2022-4450](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | | -| 10/12/23 | 2/18/24 | Palette 4.4.8 | Third-party component: Open-telemetry-Go | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. | [CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | CVE exists in k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+ For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | -| 3/22/23 | 6/21/24 | Palette 4.4.8 | Third-party component: OpenSSL | A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. | [CVE-2023-0464](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | | -| 10/11/23 | 4/28/24 | Palette 4.4.8 | Third-party component: Go Project | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. 
| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | CVE exists in coredns that’s being used in k8s 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+ For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | -| 2/28/23 | 6/21/24 | Palette 4.4.8 | Third-party component: OpenSSL | The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. | [CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | | -| 11/20/23 | 11/20/23 | Palette 4.4.8 | Third-party component: Open-telemetry-Go | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. | [CVE-2023-47108](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | CVE exists in vsphere-csi 3.2.0, and kube-controller-manaer version 1.28.11. Impacts all vsphere clusters. There is no workaround. | -| 2/8/23 | 2/4/24 | Palette 4.4.8 | Third-party component: OpenSSL | There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. 
| [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | This is a false positive reported by twistlock only. We have confirmed this CVE is fixed in the FIPS openSSL version that’s being used in VerteX. | + +|Initial Pub Date |Modified Date|Impacted Product & Version|Vulnerability Type |Vulnerability Summary |CVE ID |CVSS Severity |Official Summary | +|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------|----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|1/32/24 |2/18/24 | |Third-party component: kube-proxy |runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. |[CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) |8.6 |CVE exists in kube-proxy 1.28.11.  
Affects only k8s version 1.28.11 For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | +|2/28/23 |11/25/23 | |Third-party component: CoreDNS |A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. |[CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) |7.5 |CVE exists in coredns that’s being used in k8s 1.28.11.  Affects only k8s version 1.28.11.For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | +|10/25/23 |10/25/23 | |Third-party component: CoreDNS |The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. |[GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) |7.5 |CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | +|2/8/23 |2/4/24 |Palette 4.4.a |Third-party component: OpenSSL |The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. 
In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. |[CVE-2022-4450](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) |[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) |This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. Review: https://ubuntu.com/security/CVE-2022-4450 | +|10/12/23 |2/18/24 |Palette 4.4.a |Third-party component: Open-telemetry-Go|OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels \`http.user_agent\` and \`http.method\` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. |[CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) |[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) |CVE exists in k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | +|3/22/23 |6/21/24 |Palette 4.4.a |Third-party component: OpenSSL |A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. |[CVE-2023-0464](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) |[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) |This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX.  
Review: https://ubuntu.com/security/CVE-2023-0464 | +|10/11/23 |4/28/24 |Palette 4.4.a |Third-party component: Go project |A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. |[CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) |[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) |CVE exists in coredns that’s being used in k8s 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | +|2/28/23 |6/21/24 |Palette 4.4.a |Third-party component: OpenSSL |The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. |[CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) |[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) |This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX.  Review: https://ubuntu.com/security/CVE-2023-0215| +|11/20/23 |11/20/23 |Palette 4.4.a |Third-party component: Open-telemetry-Go |OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels \`net.peer.sock.addr\` and \`net.peer.sock.port\` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. 
|[CVE-2023-47108](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) |[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) |CVE exists in vsphere-csi 3.2.0, and kube-controller-manaer version 1.28.11. Impacts all vsphere clusters. There is no workaround. | +|2/8/23 |2/4/24 |Palette 4.4.a |Third-party component: OpenSSL |There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. |[CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) |[7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) |This is a false positive reported by twistlock only. We have confirmed this CVE is fixed in the FIPS openSSL version that’s being used in VerteX. | +|12/8/20 |6/21/24 | |Third-party component: Ubuntu |The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. 
For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).|[CVE-2020-1971](https://nvd.nist.gov/vuln/detail/CVE-2020-1971) |5.9 |[This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. Review: https://ubuntu.com/security/CVE-2020-1971](https://ubuntu.com/security/CVE-2020-1971)| +|3/25/21 |6/21/24 | |Third-party component: Ubuntu |An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. 
All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). |[CVE-2021-3449](https://nvd.nist.gov/vuln/detail/CVE-2021-3449) |5.9 |This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. Review: https://ubuntu.com/security/CVE-2021-3449 | +|8/24/12 |6/21/24 | |Third-party component: Ubuntu |In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). |[CVE-2021-3711](https://nvd.nist.gov/vuln/detail/CVE-2021-3711) |9.8 |This is a false positive reported by twistlock. 
We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. Review: https://ubuntu.com/security/CVE-2021-3711 | +|3/15/22 |6/21/24 | |Third-party component: Ubuntu |The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. |[CVE-2022-0778](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) |7.5 |This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. See https://ubuntu.com/security/CVE-2023-0286 | +|1/31/22 |11/6/23 | |Third-party component: Ubuntu |In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. |[CVE-2021-45079](https://nvd.nist.gov/vuln/detail/CVE-2021-45079) |9.1 |This is a false positive reported by twistlock. 
We have confirmed this CVE is fixed in the FIPS package version 5.8.2-1ubuntu3.fips.3.6 that is being used in VerteX.Review: https://ubuntu.com/security/CVE-2021-45079| +|11/14/23 |1/19/24 | |Third-party component: VSphere-CSI |A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. |[CVE-2023-5528](https://nvd.nist.gov/vuln/detail/CVE-2023-5528) |8.8 |CVE reported in vsphere-csi 3.2.0. Govulncheck shows it is non-impacting. | +|10/10/23 |6/27/24 | |Third-party component: CAPI |The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |[CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) |7.5 |CVE reported in coredns and kube-vip. Govulncheck shows it is non-impacting. +|6/21/23 |11/6/24 | |Third-party component: CAPI |Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. |[CVE-2022-25883](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) |7.5 |CVE reported in virtual cluster capi provider. Govulncheck shows it is non-impacting. | +|1/23/17 |1/26/12 | |Third-party component: CAPI |The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." |[CVE-2015-8855](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) |7.5 |This is a false positive as the CVE is in a node.js package that has the same name which is being used in the Golang application. 
| +|9/12/23 |9/12/23 | |Third-party component: VSphere-CSI |github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypass in a complex system. |[PRISMA-2022-0227](https://github.com/kubernetes/kubernetes/issues/120604)| | CVE reported in vsphere-csi 3.2.0, and k8s 1.28.11. Govulncheck shows it is non-impacting.| +
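Review bot: Several of the added table rows carry data errors that a reader of a security bulletin will take at face value, so they should be corrected before merge. In the CVE-2024-21626 row the Initial Pub Date reads `1/32/24` (not a valid date); in the CVE-2021-3711 row the Initial Pub Date `8/24/12` predates the CVE year; and in the CVE-2015-8855 row the Modified Date `1/26/12` is earlier than its Initial Pub Date `1/23/17`. The CVE-2022-0778 row points readers at the wrong advisory (`See https://ubuntu.com/security/CVE-2023-0286` where the other rows link to the page for their own CVE), and the CVE-2020-1971 row wraps the whole remediation note in a Markdown link rather than linking only the URL. Structurally, the CVE-2023-44487 row has no closing `|` so the CVE-2022-25883 row will be fused into it when rendered, the new rows escape their code spans as \`http.user_agent\` where the removed rows used plain backticks (inside a table the backslashes render literally), and the `Impacted Product & Version` cell reads `Palette 4.4.a` in several rows while the rest are blank, which looks like an unreplaced placeholder. Lastly, the column renamed from `Impact` to `Official Summary` still holds internal remediation notes (false-positive determinations, workarounds), so either restore the old header or move the official text into the summary column; while touching those cells, fix `kube-controller-manaer` and the missing space in `VerteX.Review:`.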