From df0ab36e37438879c8a2543304b6a0ef73ac6493 Mon Sep 17 00:00:00 2001 
From: Karl Cardenas <29551334+karl-cardenas-coding@users.noreply.github.com> Date: Wed, 17 Jul 2024 11:59:20 -0700 Subject: [PATCH] Security Bulletin Changes (#3120) * docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae --- .gitignore | 3 ++ .prettierignore | 3 +- .../registries-and-packs}/cve-index.md | 0 .../reports/cve-2015-8855.md | 17 ++++++ .../reports/cve-2020-1971.md | 17 ++++++ .../reports/cve-2021-3449.md | 17 ++++++ .../reports/cve-2021-3711.md | 17 ++++++ .../reports/cve-2021-45079.md | 17 ++++++ .../reports/cve-2022-0778.md | 17 ++++++ .../reports/cve-2022-25883.md | 17 ++++++ .../reports/cve-2022-41723.md | 17 ++++++ .../reports/cve-2022-4450.md | 17 ++++++ .../reports/cve-2023-0215.md | 17 ++++++ .../reports/cve-2023-0286.md | 17 ++++++ .../reports/cve-2023-0464.md | 17 ++++++ .../reports/cve-2023-39325.md | 17 ++++++ .../reports/cve-2023-44487.md | 17 ++++++ .../reports/cve-2023-45142.md | 17 ++++++ .../reports/cve-2023-47108.md | 17 ++++++ .../reports/cve-2023-52425.md | 17 ++++++ .../reports/cve-2023-5528.md | 17 ++++++ .../reports/cve-2024-21626.md | 17 ++++++ .../reports/ghsa-m425-mq94-257g.md | 17 ++++++ .../reports/prisma-2022-0227.md | 17 ++++++ .../security-bulletins/reports/reports.md | 54 +++++++++++++++++++ .../security-bulletins/security-bulletins.md | 32 ++++++----- docs/docs-content/security/security.md | 2 +- .../cve-reports.md | 9 ++-- redirects.js | 9 +++- 29 files changed, 445 insertions(+), 24 deletions(-) rename docs/{docs-content/security-bulletins => deprecated/registries-and-packs}/cve-index.md (100%) create mode 100644 
docs/docs-content/security-bulletins/reports/cve-2015-8855.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2020-1971.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2021-3449.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2021-3711.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2021-45079.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-0778.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-25883.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-41723.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-4450.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-0215.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-0286.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-0464.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-39325.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-44487.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-45142.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-47108.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-52425.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-5528.md create mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-21626.md create mode 100644 docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md create mode 100644 docs/docs-content/security-bulletins/reports/prisma-2022-0227.md create mode 100644 docs/docs-content/security-bulletins/reports/reports.md rename docs/docs-content/{security-bulletins => unlisted}/cve-reports.md (99%) diff --git a/.gitignore b/.gitignore index f76d0c2117..0bfc117677 100644 --- a/.gitignore +++ b/.gitignore 
@@ -66,6 +66,9 @@ artifact.zip # Ignore _partials/index.ts _partials/index.ts +# Ignore statoc/img/packs +static/img/packs + .vale-config/ vale/styles/spectrocloud/ diff --git a/.prettierignore b/.prettierignore index 61e7ca9102..ebdda5aa9e 100644 --- a/.prettierignore +++ b/.prettierignore @@ -13,4 +13,5 @@ docs/api-content/**/*.json # Troublesome files tsconfig.json -src/components/IconMapper/dynamicFontAwesomeImports.js \ No newline at end of file +src/components/IconMapper/dynamicFontAwesomeImports.js +docs/docs-content/security-bulletins/cve-reports.md \ No newline at end of file diff --git a/docs/docs-content/security-bulletins/cve-index.md b/docs/deprecated/registries-and-packs/cve-index.md similarity index 100% rename from docs/docs-content/security-bulletins/cve-index.md rename to docs/deprecated/registries-and-packs/cve-index.md diff --git a/docs/docs-content/security-bulletins/reports/cve-2015-8855.md b/docs/docs-content/security-bulletins/reports/cve-2015-8855.md new file mode 100644 index 0000000000..a6d9b3a436 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2015-8855.md 
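Review bot: The comment added in the .gitignore hunk misspells the path it describes: `# Ignore statoc/img/packs` should read `# Ignore static/img/packs`, matching the `static/img/packs` entry on the line below it. A comment that does not match the pattern it labels makes the ignore list harder to audit when someone later asks why pack images are kept out of the repository.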
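Review bot: The new .prettierignore entry `docs/docs-content/security-bulletins/cve-reports.md` points at a path this same commit removes, since the diffstat records the rename `docs/docs-content/{security-bulletins => unlisted}/cve-reports.md`, so the rule matches nothing and Prettier will still reformat the moved page. The line should be `docs/docs-content/unlisted/cve-reports.md`. The rename hunk itself is outside this view, so confirm the final path there before merging; while touching the file it would also be worth adding the missing trailing newline that both old and new versions lack.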
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2015-8855" +title: "CVE-2015-8855" +description: "Lifecycle of CVE-2015-8855" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | +| [CVE-2015-8855](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) | 7/16/24 | The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | This is a false positive as the CVE is in a node.js package that has the same name which is being used in the Golang application. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2020-1971.md b/docs/docs-content/security-bulletins/reports/cve-2020-1971.md new file mode 100644 index 0000000000..59fc384c70 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2020-1971.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2020-1971" +title: "CVE-2020-1971" +description: "Lifecycle of CVE-2020-1971" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| --------------------------------------------------------------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | +| [CVE-2020-1971](https://nvd.nist.gov/vuln/detail/CVE-2020-1971) | 7/16/24 | The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. 
This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You learn more at https://ubuntu.com/security/CVE-2020-1971. | [5.9](https://nvd.nist.gov/vuln/detail/CVE-2020-1971) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-3449.md b/docs/docs-content/security-bulletins/reports/cve-2021-3449.md new file mode 100644 index 0000000000..2fc4db75d7 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2021-3449.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2021-3449" +title: "CVE-2021-3449" +description: "Lifecycle of CVE-2021-3449" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| --------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | +| [CVE-2021-3449](https://nvd.nist.gov/vuln/detail/CVE-2021-3449) | 7/16/24 | An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. 
If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at https://ubuntu.com/security/CVE-2021-3449. | [5.9](https://nvd.nist.gov/vuln/detail/CVE-2021-3449) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-3711.md b/docs/docs-content/security-bulletins/reports/cve-2021-3711.md new file mode 100644 index 0000000000..4cbad0c021 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2021-3711.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2021-3711" +title: "CVE-2021-3711" +description: "Lifecycle of CVE-2021-3711" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | +| [CVE-2021-3711](https://nvd.nist.gov/vuln/detail/CVE-2021-3711) | 7/16/24 | In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at https://ubuntu.com/security/CVE-2021-3711. | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2021-3711) | Ongoing | 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-45079.md b/docs/docs-content/security-bulletins/reports/cve-2021-45079.md new file mode 100644 index 0000000000..af8af84a28 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2021-45079.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2021-45079" +title: "CVE-2021-45079" +description: "Lifecycle of CVE-2021-45079" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ----------------------------------------------------------------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | +| [CVE-2021-45079](https://nvd.nist.gov/vuln/detail/CVE-2021-45079) | 7/16/24 | In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS package version 5.8.2-1ubuntu3.fips.3.6 that is being used in VerteX.Review: You can learn more at https://ubuntu.com/security/CVE-2021-45079. | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-45079) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-0778.md b/docs/docs-content/security-bulletins/reports/cve-2022-0778.md new file mode 100644 index 0000000000..09d58cf32f --- /dev/null 
+++ b/docs/docs-content/security-bulletins/reports/cve-2022-0778.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2022-0778" +title: "CVE-2022-0778" +description: "Lifecycle of CVE-2022-0778" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Our Official Summary | CVE Severity | Status | +| --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | +| [CVE-2022-0778](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) | 7/16/24 | The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. 
It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at https://ubuntu.com/security/CVE-2023-0286. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-25883.md b/docs/docs-content/security-bulletins/reports/cve-2022-25883.md new file mode 100644 index 0000000000..6879d4d2cd --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2022-25883.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2022-25883" +title: "CVE-2022-25883" +description: "Lifecycle of CVE-2022-25883" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ----------------------------------------------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | +| [CVE-2022-25883](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | 7/16/24 | Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. | The CVE reported in virtual cluster CAPI provider. Govulncheck reports it as non-impacting. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41723.md b/docs/docs-content/security-bulletins/reports/cve-2022-41723.md new file mode 100644 index 0000000000..ff43fca0c7 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2022-41723.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2022-41723" +title: "CVE-2022-41723" +description: "Lifecycle of CVE-2022-41723" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ----------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | +| [CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | 7/16/24 | A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. | CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11.For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-4450.md b/docs/docs-content/security-bulletins/reports/cve-2022-4450.md new file mode 100644 index 0000000000..693afedded --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2022-4450.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2022-4450" +title: "CVE-2022-4450" +description: "Lifecycle of CVE-2022-4450" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| --------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | +| [CVE-2022-4450](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | 7/16/24 | The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. 
It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. Additional information can be found at https://ubuntu.com/security/CVE-2022-4450 | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0215.md b/docs/docs-content/security-bulletins/reports/cve-2023-0215.md new file mode 100644 index 0000000000..d9b9f7b39e --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-0215.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2023-0215" +title: "CVE-2023-0215" +description: "Lifecycle of CVE-2023-0215" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| --------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | +| [CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | 7/16/24 | The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at https://ubuntu.com/security/CVE-2023-0215. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0286.md b/docs/docs-content/security-bulletins/reports/cve-2023-0286.md new file mode 100644 index 0000000000..bfd03fd267 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-0286.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2023-0286" +title: "CVE-2023-0286" +description: "Lifecycle of CVE-2023-0286" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | +| [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | 7/16/24 | There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. | This is a false positive reported by twistlock only. We have confirmed this CVE is fixed in the FIPS openSSL version that’s being used in VerteX. | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0464.md b/docs/docs-content/security-bulletins/reports/cve-2023-0464.md new file mode 100644 index 0000000000..ae3632345a 
--- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-0464.md @@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2023-0464" +title: "CVE-2023-0464" +description: "Lifecycle of CVE-2023-0464" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | +| [CVE-2023-0464](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | 7/16/24 | A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more about this CVE at https://ubuntu.com/security/CVE-2023-0464. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-39325.md b/docs/docs-content/security-bulletins/reports/cve-2023-39325.md new file mode 100644 index 0000000000..ab889c7701 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-39325.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2023-39325" +title: "CVE-2023-39325" +description: "Lifecycle of CVE-2023-39325" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ----------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | +| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | 7/16/24 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. | CVE exists in coredns that’s being used in k8s 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | Ongoing | 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-44487.md b/docs/docs-content/security-bulletins/reports/cve-2023-44487.md new file mode 100644 index 0000000000..dfe29dad92 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-44487.md @@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2023-44487" +title: "CVE-2023-44487" +description: "Lifecycle of CVE-2023-44487" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ----------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | +| [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | 7/16/24 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | The CVE reported in coredns and kube-vip. Govulncheck reports it as non-impacting. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-45142.md b/docs/docs-content/security-bulletins/reports/cve-2023-45142.md new file mode 100644 index 0000000000..722be49db4 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-45142.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2023-45142" +title: "CVE-2023-45142" +description: "Lifecycle of CVE-2023-45142" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ----------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | +| [CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | 7/16/24 | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. | CVE exists in k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-47108.md b/docs/docs-content/security-bulletins/reports/cve-2023-47108.md new file mode 100644 index 0000000000..f11cc54656 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-47108.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2023-47108" +title: "CVE-2023-47108" +description: "Lifecycle of CVE-2023-47108" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ----------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | +| [CVE-2023-47108](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | 7/16/24 | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. | CVE exists in vsphere-csi 3.2.0, and kube-controller-manaer version 1.28.11. Impacts all vsphere clusters. There is no workaround. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-52425.md b/docs/docs-content/security-bulletins/reports/cve-2023-52425.md new file mode 100644 index 0000000000..8339dd460d --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-52425.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2023-52425" +title: "CVE-2023-52425" +description: "Lifecycle of CVE-2023-52425" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ----------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ------------------------------------------------------ | ------- | +| [CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | 7/16/24 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | The CVE is reported in vsphere-csi 3.2.0. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-5528.md b/docs/docs-content/security-bulletins/reports/cve-2023-5528.md new file mode 100644 index 0000000000..d3832e350f --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2023-5528.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2023-5528" +title: "CVE-2023-5528" +description: "Lifecycle of CVE-2023-5528" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| --------------------------------------------------------------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | +| [CVE-2023-5528](https://nvd.nist.gov/vuln/detail/CVE-2023-5528) | 7/16/24 | A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. | The CVE reported in vsphere-csi 3.2.0, Govulncheck reports it as non-impacting. | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-5528) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-21626.md b/docs/docs-content/security-bulletins/reports/cve-2024-21626.md new file mode 100644 index 0000000000..220d48f376 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-21626.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "CVE-2024-21626" +title: "CVE-2024-21626" +description: "Lifecycle of CVE-2024-21626" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ----------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------- | +| [CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | 7/16/24 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. 
In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. | CVE exists in kube-proxy 1.28.11. Affects only k8s version 1.28.11 For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md new file mode 100644 index 0000000000..b842baff81 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md 
@@ -0,0 +1,17 @@ +--- +sidebar_label: "GHSA-m425-mq94-257g" +title: "GHSA-m425-mq94-257g" +description: "Lifecycle of GHSA-m425-mq94-257g" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ------------------------------------------------------------------------ | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | ------- | +| [GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) | 10/25/23 | The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. | CCVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | Ongoing | 
diff --git a/docs/docs-content/security-bulletins/reports/prisma-2022-0227.md b/docs/docs-content/security-bulletins/reports/prisma-2022-0227.md new file mode 100644 index 0000000000..7dacfcf88b --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/prisma-2022-0227.md @@ -0,0 +1,17 @@ +--- +sidebar_label: "Prisma-REPLACE-ME" +title: "CVE-REPLACE-ME" +description: "Lifecycle of CVE-REPLACE-ME" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +# CVE Details + +We provide the most up-to-date information below. + +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| -------------------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------ | ------- | +| [PRISMA-2022-0227](https://github.com/kubernetes/kubernetes/issues/120604) | 7/16/24 | github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypass in a complex system. | The CVE reported in vsphere-csi 3.2.0, and Kubernetes 1.28.11. Govulncheck reports it as non-impacting. | N/A | Ongoing | diff --git a/docs/docs-content/security-bulletins/reports/reports.md b/docs/docs-content/security-bulletins/reports/reports.md new file mode 100644 index 0000000000..e4c6ee4a98 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/reports.md 
@@ -0,0 +1,54 @@
+---
+sidebar_label: "CVE Reports"
+title: "CVE Reports"
+description: "Security bulletins for Common Vulnerabilities and Exposures (CVEs) related to Palette and Palette VerteX"
+icon: ""
+hide_table_of_contents: true
+sidebar_position: 0
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+# Security Bulletins
+
+The vulnerabilities reported in this Security Bulletin include vulnerabilities within the Palette VerteX airgap solution
+and third-party component vulnerabilities, which we have become aware of. These vulnerabilities are discovered via our
+Bug Bounty program, our security monitoring program, or reported to us by our supply chain.
+
+:::info
+
+The CVSS Severity is provided by either the third-party service provider, or NIST CVE. We do not provide the criticality
+score for third-party components. Previous security bulletins are available in the
+[Security Bulletins Archive](../../unlisted/cve-reports.md).
+
+:::
+
+To fix all the vulnerabilities impacting your products, we recommends patching your instances to the latest version
+regarding any third-party components. For vulnerabilities originating in our products, we will provide mitigations and
+workarounds where applicable.
+
+Click on the CVE ID to view the full details of the vulnerability.
+
+| CVE ID | Initial Pub Date | Modified Date | Impacted Product & Version | Vulnerability Type | CVSS Severity | Status |
+| ----------------------------------------------- | ---------------- | ------------- | -------------------------- | --------------------------------------- | -------------------------------------------------------- | ------------- |
+| [CVE-2023-52425](./cve-2023-52425.md) | 02/04/2024 | 06/14/2024 | Palette 4.4.8 | Third-party component: vSphere-CSI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | :mag: Ongoing |
+| [CVE-2024-21626](./cve-2024-21626.md) | 1/3/24 | 2/18/24 | Palette 4.4.8 | Third-party component: kube-proxy | [8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | :mag: Ongoing |
+| [CVE-2022-41723](./cve-2022-41723.md) | 2/28/23 | 11/25/23 | Palette 4.4.8 | Third-party component: CoreDNS | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | :mag: Ongoing |
+| [GHSA-m425-mq94-257g](./ghsa-m425-mq94-257g.md) | 10/25/23 | 10/25/23 | Palette 4.4.8 | Third-party component: CoreDNS | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | :mag: Ongoing |
+| [CVE-2022-4450](./cve-2022-4450.md) | 2/8/23 | 2/4/24 | Palette 4.4.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4450) | :mag: Ongoing |
+| [CVE-2023-45142](./cve-2023-45142.md) | 10/12/23 | 2/18/24 | Palette 4.4.8 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | :mag: Ongoing |
+| [CVE-2023-0464](./cve-2023-0464.md) | 3/22/23 | 6/21/24 | Palette 4.4.8 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | :mag: Ongoing |
+| [CVE-2023-39325](./cve-2023-39325.md) | 10/11/23 | 4/28/24 | Palette 4.4.8 | Third-party component: Go project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | :mag: Ongoing |
+| [CVE-2023-0215](./cve-2023-0215.md) | 2/28/23 | 6/21/24 | Palette 4.4.8 | Third-party component: OpenSSL | 
[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | :mag: Ongoing |
+| [CVE-2023-47108](./cve-2023-47108.md) | 11/20/23 | 11/20/23 | Palette 4.4.8 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | :mag: Ongoing |
+| [CVE-2023-0286](./cve-2023-0286.md) | 2/8/23 | 2/4/24 | Palette 4.4.8 | Third-party component: OpenSSL | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | :mag: Ongoing |
+| [CVE-2020-1971](./cve-2020-1971.md) | 12/8/20 | 6/21/24 | Palette 4.4.8 | Third-party component: Ubuntu | [5.9](https://nvd.nist.gov/vuln/detail/CVE-2020-1971) | :mag: Ongoing |
+| [CVE-2021-3449](./cve-2021-3449.md) | 3/25/21 | 6/21/24 | Palette 4.4.8 | Third-party component: Ubuntu | [5.9](https://nvd.nist.gov/vuln/detail/CVE-2021-3449) | :mag: Ongoing |
+| [CVE-2021-3711](./cve-2021-3711.md) | 8/24/12 | 6/21/24 | Palette 4.4.8 | Third-party component: Ubuntu | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2021-3711) | :mag: Ongoing |
+| [CVE-2022-0778](./cve-2022-0778.md) | 3/15/22 | 6/21/24 | Palette 4.4.8 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) | :mag: Ongoing |
+| [CVE-2021-45079](./cve-2021-45079.md) | 1/31/22 | 11/6/23 | Palette 4.4.8 | Third-party component: Ubuntu | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-45079) | :mag: Ongoing |
+| [CVE-2023-5528](./cve-2023-5528.md) | 11/14/23 | 1/19/24 | Palette 4.4.8 | Third-party component: vSphere-CSI | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-5528) | :mag: Ongoing |
+| [CVE-2023-44487](./cve-2023-44487.md) | 10/10/23 | 6/27/24 | Palette 4.4.8 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | :mag: Ongoing |
+| [CVE-2022-25883](./cve-2022-25883.md) | 6/21/23 | 11/6/24 | Palette 4.4.8 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | :mag: Ongoing |
+| [CVE-2015-8855](./cve-2015-8855.md) | 1/23/17 | 1/26/12 | Palette 4.4.8 | Third-party 
component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) | :mag: Ongoing |
+| [PRISMA-2022-0227](./prisma-2022-0227.md) | 9/12/23 | 9/12/23 | Palette 4.4.8 | Third-party component: vSphere-CSI | N/A | :mag: Ongoing |
diff --git a/docs/docs-content/security-bulletins/security-bulletins.md b/docs/docs-content/security-bulletins/security-bulletins.md
index b005bae912..148d3b6240 100644
--- a/docs/docs-content/security-bulletins/security-bulletins.md
+++ b/docs/docs-content/security-bulletins/security-bulletins.md
@@ -9,26 +9,24 @@ sidebar_custom_props:
 tags: ["security", "cve"]
 ---
-The following are security advisories for Palette and other Spectro Cloud-related resources.
+We aim to provide you with the most up-to-date information about the security of our products and services. No matter
+how carefully engineered the services are, from time to time, it may be necessary to notify you of security and privacy
+events with our services, including the security notifications we receive related to the third-party components we
+utilize in our products and services.
-Our security advisories follow the
-[CVSS standards](https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale).
+## Security Bulletins
-| Rating | CVSS Score |
-| -------- | ---------- |
-| None | 0.0 |
-| Low | 0.1 - 3.9 |
-| Medium | 4.0 - 6.9 |
-| High | 7.0 - 8.9 |
-| Critical | 9.0 - 10.0 |
+We release [security bulletins](./reports/reports.md) on a monthly and ad-hoc basis addressing security vulnerabilities
+in our software or related third-party components, describing their remediation when available, and providing links to
+the applicable updates for affected software when available.
-You can review Common Vulnerabilities and Exposures (CVE) for Palette in [CVE Reports](cve-reports.md). An index of all
-Palette-related CVEs is availaable in the [CVE Index](cve-index.md).
+## Security Advisories
-## Resources
-
-- [CVE Reports](cve-reports.md)
+Security Advisories are a supplement to the Security Bulletins. They address security changes that may not require a
+security bulletin but may still affect our customers' overall security. Security Advisories are a way for us to
+communicate security information to you about issues that may not be classified as vulnerabilities and may not require a
+security bulletin.
-- [CVE Index](cve-index.md)
+## Resources
-
+- [Security Bulletins](./reports/reports.md)
diff --git a/docs/docs-content/security/security.md b/docs/docs-content/security/security.md
index a6c2d51314..94b2325531 100644
--- a/docs/docs-content/security/security.md
+++ b/docs/docs-content/security/security.md
@@ -18,7 +18,7 @@ our software and services.
 :::tip
-You can find all security bulletins in the [Security Bulletins](../security-bulletins/cve-reports.md) section.
+You can find all security bulletins in the [Security Bulletins](../security-bulletins/security-bulletins.md) section.
 :::
diff --git a/docs/docs-content/security-bulletins/cve-reports.md b/docs/docs-content/unlisted/cve-reports.md
similarity index 99%
rename from docs/docs-content/security-bulletins/cve-reports.md
rename to docs/docs-content/unlisted/cve-reports.md
index 64389b3e3b..d9d17b5025 100644
--- a/docs/docs-content/security-bulletins/cve-reports.md
+++ b/docs/docs-content/unlisted/cve-reports.md
@@ -1,12 +1,13 @@
 ---
-sidebar_label: "CVE Reports"
-title: "CVE Reports"
+sidebar_label: "CVE Index"
+title: "CVE Index"
 description: "Security bulletins for Common Vulnerabilities and Exposures (CVEs) related to Palette"
 icon: ""
 hide_table_of_contents: false
-sidebar_position: 0
-toc_max_heading_level: 2
+sidebar_position: 10
+slug: "index"
 tags: ["security", "cve"]
+unlisted: true
 ---
 # Security Bulletins
diff --git a/redirects.js b/redirects.js
index 6738f7ee99..5d4dc94cba 100644
--- a/redirects.js
+++ b/redirects.js
@@ -466,7 +466,6 @@ const redirects = [
 from: "/user-management/palette-resource-limits/",
 to: "/tenant-settings/palette-resource-limits/",
 },
- // Redirects for tutorials that were removed from docs
 {
 from: "/registries-and-packs/deploy-pack",
@@ -488,6 +487,14 @@ const redirects = [
 from: "/clusters/edge/site-deployment/deploy-cluster",
 to: "/tutorials/edge/deploy-cluster",
 },
+ {
+ from: "/security-bulletins/index/",
+ to: "/unlisted/index/",
+ },
+ {
+ from: "/security-bulletins/cve-reports/",
+ to: "/security-bulletins/reports/",
+ },
 ];
 module.exports = redirects;
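Review bot: The two new redirect entries carry no comment explaining why `/security-bulletins/index/` now resolves to `/unlisted/index/`; that target only exists because the renamed `unlisted/cve-reports.md` sets `slug: "index"` and `unlisted: true` in this same commit, so a maintainer who later changes that slug would silently break the redirect with no hint in this file. I would add `// Security bulletins restructured: the old CVE index is kept as an unlisted page (slug "index"); CVE reports moved under /security-bulletins/reports/` above the first new object. The new `from` paths end in a trailing slash while the neighbouring `/registries-and-packs/deploy-pack` entry does not; whether both spellings need covering depends on the site's trailingSlash configuration, which is not visible here. The `redirects` array is opened outside the hunk.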