From 99b12df5256268bcfbb152cfeca245871ff4cc09 Mon Sep 17 00:00:00 2001 From: frederickjoi <153292280+frederickjoi@users.noreply.github.com> Date: Fri, 20 Sep 2024 08:16:36 -0700 Subject: [PATCH] docs: 9-20-24 cve updates (#4026) * 9-20-24 cve updates * ci: auto-formatting prettier issues --------- Co-authored-by: frederickjoi (cherry picked from commit 2d9cfa7c1f1e0395af49c07c07aeda6a6803f62e) --- .../security-bulletins/reports/cve-2022-28948.md | 6 ++++-- .../security-bulletins/reports/cve-2023-24534.md | 9 +++++++-- .../security-bulletins/reports/cve-2023-52356.md | 7 +++++-- docs/docs-content/security-bulletins/reports/reports.md | 2 +- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-28948.md b/docs/docs-content/security-bulletins/reports/cve-2022-28948.md index 35ec303fa1..840d553e06 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2022-28948.md +++ b/docs/docs-content/security-bulletins/reports/cve-2022-28948.md @@ -14,7 +14,7 @@ tags: ["security", "cve"] ## Last Update -09/15/2024 +09/20/2024 ## NIST CVE Summary @@ -23,7 +23,9 @@ input. ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects our products. +A flaw was found in the Unmarshal function in Go-Yaml. This vulnerability results in program crashes when attempting to +convert (or deserialize) invalid input data, potentially impacting system stability and reliability. 3rd party images +affected will be upgraded to remove the vulnerability. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24534.md b/docs/docs-content/security-bulletins/reports/cve-2023-24534.md index 6a12c59573..a6975fc52f 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-24534.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-24534.md @@ -14,7 +14,7 @@ tags: ["security", "cve"] ## Last Update -09/15/2024 +09/20/2024 ## NIST CVE Summary 
@@ -27,7 +27,12 @@ parsed headers. ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects our products. +This CVE involves excessive memory allocation in net/http and net/textproto, potentially leading to a denial-of-service +due to large memory allocation while parsing HTTP and MIME headers even for small inputs. Attackers can exploit this +vulnerability to exhaust an HTTP server's memory resources, causing a denial of service. By crafting specific input data +patterns, an attacker can trigger the excessive memory allocation behavior in the HTTP and MIME header parsing +functions, leading to memory exhaustion. The risk of this vulnerability exploited in Spectro Cloud products is very low. +3rd party images affected will be upgraded to remove the vulnerability. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-52356.md b/docs/docs-content/security-bulletins/reports/cve-2023-52356.md index 4bddf91140..7212699f55 100644 --- a/docs/docs-content/security-bulletins/reports/cve-2023-52356.md +++ b/docs/docs-content/security-bulletins/reports/cve-2023-52356.md @@ -14,7 +14,7 @@ tags: ["security", "cve"] ## Last Update -09/15/2024 +09/20/2024 ## NIST CVE Summary @@ -24,7 +24,10 @@ service. ## Our Official Summary -Investigation is ongoing to determine how this vulnerability affects our products. +This is a vulnerability in libtiff that can be exploited by a remote attacker to cause a heap-buffer overflow and +denial-of-service. The vulnerability is caused by a segment fault (SEGV) flaw that can be triggered when a crafted TIFF +file is passed to the TIFFReadRGBATileExt() API. Investigating a possible fix for this vulnerability on the affected +images. ## CVE Severity diff --git a/docs/docs-content/security-bulletins/reports/reports.md b/docs/docs-content/security-bulletins/reports/reports.md index e4a1d2437a..587a28ab39 100644 --- a/docs/docs-content/security-bulletins/reports/reports.md 
+++ b/docs/docs-content/security-bulletins/reports/reports.md @@ -44,7 +44,7 @@ Click on the CVE ID to view the full details of the vulnerability. | [CVE-2023-39325](./cve-2023-39325.md) | 10/11/23 | 4/28/24 | 4.4.11 & 4.4.14 & 4.4.18 | Third-party component: Go project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | :mag: Ongoing | | [CVE-2023-47108](./cve-2023-47108.md) | 11/20/23 | 11/20/23 | 4.4.11 & 4.4.14 & 4.4.18 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | :mag: Ongoing | | [CVE-2023-44487](./cve-2023-44487.md) | 10/10/23 | 6/27/24 | 4.4.11 & 4.4.14 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | :mag: Ongoing | -| [CVE-2022-25883](./cve-2022-25883.md) | 6/21/23 | 11/6/24 | 4.4.11 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | :mag: Ongoing | +| [CVE-2022-25883](./cve-2022-25883.md) | 6/21/23 | 11/6/24 | 4.4.11 & 4.4.14 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | :mag: Ongoing | | [CVE-2015-8855](./cve-2015-8855.md) | 1/23/17 | 1/26/12 | 4.4.11 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) | :mag: Ongoing | | [CVE-2019-12900](./cve-2019-12900.md) | 08/16/24 | 08/16/24 | 4.4.14 & 4.4.18 | Third-party component: BZ2 | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-12900) | :mag: Ongoing | | [CVE-2023-37920](./cve-2023-37920.md) | 08/16/24 | 08/16/24 | 4.4.14 & 4.4.18 | Third-party component: Certifi | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | :mag: Ongoing |
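Review bot: in the cve-2022-28948.md hunk at `@@ -23,7 +23,9 @@`, the new summary commits to "3rd party images affected will be upgraded to remove the vulnerability" without naming the affected images or the release that will carry the fixed Go-Yaml, so a reader cannot tell whether their version is covered; suggest listing the affected image(s) and target release, or keeping an explicit in-progress status until they are known. Minor: "3rd party" should read "third-party" to match the wording used in the reports table ("Third-party component: ...").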
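Review bot: in the cve-2023-24534.md hunk at `@@ -27,7 +27,12 @@`, the sentence "The risk of this vulnerability exploited in Spectro Cloud products is very low" is ungrammatical ("being exploited") and is not supported by anything else in the paragraph, which only restates the generic attack path from the NIST summary; the bulletin should say what makes the product-specific risk low (for example, where the affected net/http or net/textproto header parsing is used and whether it is reachable from untrusted input) so the rating can be checked against the listed components. The three sentences describing memory exhaustion via crafted headers say the same thing and can be collapsed to one, and "denial-of-service" and "denial of service" are both used in the same paragraph.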
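Review bot: in the cve-2023-52356.md hunk at `@@ -24,7 +24,10 @@`, "segment fault" should be "segmentation fault", and the closing line "Investigating a possible fix for this vulnerability on the affected images." has no subject and leaves the remediation status ambiguous; suggest "We are investigating a fix for the affected images" and naming those images, which would also bring this bulletin in line with the other two in this patch that state affected images will be upgraded.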
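Review bot: in the reports.md hunk at `@@ -44,7 +44,7 @@`, the CVE-2022-25883 row gains "4.4.14" in its versions column but its second date cell stays "11/6/24", which is later than this commit's date (Fri, 20 Sep 2024) and so cannot be the date of last update; it should be bumped to the date of this change. The detail page cve-2022-25883.md is not among the four files touched by this patch, so its own content will now disagree with the table's affected versions. While here, the unchanged CVE-2015-8855 row lists a second date (1/26/12) earlier than its first (1/23/17), which looks like a typo worth fixing in the same pass.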