Security Bulletin Changes #3120
Conversation
✅ Deploy Preview for docs-spectrocloud ready!
| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status |
| --- | --- | --- | --- | --- | --- |
| [GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) | 10/25/23 | In the affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. | CVE exists in coredns that's being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload clusters, the workaround is to use k8s version 1.29+. For Palette self-hosted clusters, a future release will upgrade to 1.29+. | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | Ongoing |
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'coredns'?
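The GHSA-m425-mq94-257g row above describes a limit attached to the wrong object: gRPC-Go released its per-stream accounting when the client cancelled a stream while the method handler for that stream kept running, so a client that opens, resets and reopens streams could run more handlers than the configured maximum. The block below is an added example and is not code from this PR, from gRPC-Go or from CoreDNS; it shows the invariant the fix restores, in plain net/http rather than gRPC: the capacity slot is held until the handler goroutine returns, so cancelling the request cannot free it early. HandlerLimiter, Flood, the 503 response and the 4-slot / 10-client numbers are illustrative choices, not anything the advisory specifies.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
)

// HandlerLimiter bounds how many request handlers may run at once.
// The slot is tied to the handler goroutine, not to the HTTP/2 stream, so a
// client that opens a stream, cancels it (RST_STREAM) and opens another one
// cannot push the server past the limit while the old handler still runs.
type HandlerLimiter struct {
	slots    chan struct{} // buffered to max; a full channel means "at capacity"
	active   int64
	peak     int64
	rejected int64
}

func NewHandlerLimiter(max int) *HandlerLimiter {
	return &HandlerLimiter{slots: make(chan struct{}, max)}
}

// TryAcquire takes a slot without blocking; false means the server is full.
func (l *HandlerLimiter) TryAcquire() bool {
	select {
	case l.slots <- struct{}{}:
		n := atomic.AddInt64(&l.active, 1)
		for { // record the high-water mark so the cap can be verified afterwards
			p := atomic.LoadInt64(&l.peak)
			if n <= p || atomic.CompareAndSwapInt64(&l.peak, p, n) {
				return true
			}
		}
	default:
		atomic.AddInt64(&l.rejected, 1)
		return false
	}
}

// Release frees a slot; it must only be called once the handler has returned.
func (l *HandlerLimiter) Release() {
	atomic.AddInt64(&l.active, -1)
	<-l.slots
}

func (l *HandlerLimiter) Peak() int64     { return atomic.LoadInt64(&l.peak) }
func (l *HandlerLimiter) Rejected() int64 { return atomic.LoadInt64(&l.rejected) }

// Wrap enforces the limit as middleware, answering 503 when at capacity.
func (l *HandlerLimiter) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.TryAcquire() {
			http.Error(w, "server at capacity", http.StatusServiceUnavailable)
			return
		}
		defer l.Release() // runs when the handler returns, never when the client cancels
		next.ServeHTTP(w, r)
	})
}

// Flood sends `clients` concurrent requests to a server limited to `max`
// handlers. The handler blocks until every request has been seen, so the
// first max requests hold their slots and every later one must be rejected.
// It reports how many were served, how many got 503, and the peak number of
// handlers observed running at once, which can never exceed max.
func Flood(max, clients int) (served, rejected int, peak int64) {
	lim := NewHandlerLimiter(max)
	gate := make(chan struct{}) // keeps accepted handlers busy until all clients have arrived
	var arrived sync.WaitGroup
	arrived.Add(clients)

	slow := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		arrived.Done()
		<-gate
		w.WriteHeader(http.StatusOK)
	})
	srv := httptest.NewServer(lim.Wrap(slow))
	defer srv.Close()

	var mu sync.Mutex
	var wg sync.WaitGroup
	for i := 0; i < clients; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			resp, err := srv.Client().Get(srv.URL)
			if err != nil {
				arrived.Done()
				return
			}
			resp.Body.Close()
			mu.Lock()
			defer mu.Unlock()
			switch resp.StatusCode {
			case http.StatusOK:
				served++
			case http.StatusServiceUnavailable:
				rejected++
				arrived.Done() // rejected requests never reach slow, so count them here
			}
		}()
	}
	arrived.Wait() // exactly max handlers are now parked in slow; the rest got 503
	close(gate)
	wg.Wait()
	return served, rejected, lim.Peak()
}

func main() {
	served, rejected, peak := Flood(4, 10)
	fmt.Printf("served=%d rejected=%d peak=%d (limit 4)\n", served, rejected, peak)
}
```

The property worth checking in any server you run behind this kind of cap is the one Flood measures: peak never exceeds the configured maximum even when clients abandon requests, because the slot lifetime is the handler lifetime. A limiter that releases on stream close instead of handler return would report a peak above the limit under the same load.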
# CVE Details

We provide the most up-to-date information below.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.
| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status |
| --- | --- | --- | --- | --- | --- |
| [PRISMA-2022-0227](https://github.com/kubernetes/kubernetes/issues/120604) | 7/16/24 | The github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypasses in a complex system. | The CVE is reported in vsphere-csi 3.2.0 and Kubernetes 1.28.11. Govulncheck reports it as non-impacting. | N/A | Ongoing |
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'vSphere' instead of 'vsphere'.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Govulncheck'?
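PRISMA-2022-0227 above is a parser-inconsistency bug: when one component reads a request path one way and the router reads it another, a check made against the first spelling is bypassed by dispatching on the second. The block below is an added example and is not code from go-restful, Kubernetes, vSphere CSI or this PR; it shows the general defence of canonicalizing a request path once and rejecting anything two parsers might disagree on (percent-encoded separators or dots, dot segments, empty segments) before any prefix-based authorization runs, next to the naive raw-string check it replaces. Canonicalize, Authorize, NaiveAuthorize and the /api/public/ allowlist are illustrative assumptions; the actual go-restful v3.10.0 fix is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

var (
	ErrNotAbsolute  = errors.New("path must start with /")
	ErrEncodedDelim = errors.New("percent-encoded path delimiter or dot")
	ErrNonCanonical = errors.New("path contains ., .. or empty segments")
)

// Canonicalize parses a request target and returns the one canonical path
// that every later check (routing, prefix-based authz, audit logging) must
// agree on. Any spelling that two parsers could read differently is rejected
// rather than normalized, so there is nothing left to disagree about.
func Canonicalize(target string) (string, error) {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(u.Path, "/") {
		return "", ErrNotAbsolute
	}
	// net/url populates RawPath only when the original spelling differs from
	// the canonical escaping of the decoded path, e.g. %2F for "/" or %2e for
	// ".": exactly the cases where a decode-then-route component and a
	// match-on-raw component would see different paths.
	if u.RawPath != "" {
		return "", ErrEncodedDelim
	}
	want := path.Clean(u.Path)
	if strings.HasSuffix(u.Path, "/") && want != "/" {
		want += "/" // a trailing slash is significant for routing; keep it, don't fold it
	}
	if u.Path != want {
		return "", ErrNonCanonical
	}
	return u.Path, nil
}

// Authorize is a deliberately simple prefix allowlist. What matters is the
// order of operations: canonicalize first, then compare.
func Authorize(target string, allowedPrefixes []string) (bool, string) {
	p, err := Canonicalize(target)
	if err != nil {
		return false, "rejected: " + err.Error()
	}
	for _, pre := range allowedPrefixes {
		if strings.HasPrefix(p, pre) {
			return true, "allowed via " + pre
		}
	}
	return false, "denied: no matching prefix"
}

// NaiveAuthorize is the bypassable form: it matches on the raw string, so a
// router that cleans or decodes the path afterwards dispatches somewhere the
// check never looked at.
func NaiveAuthorize(target string, allowedPrefixes []string) bool {
	for _, pre := range allowedPrefixes {
		if strings.HasPrefix(target, pre) {
			return true
		}
	}
	return false
}

func main() {
	allowed := []string{"/api/public/"}
	// Constructed request targets: one legitimate, three parser-ambiguous, one plainly denied.
	for _, t := range []string{
		"/api/public/docs",
		"/api/public/../admin/users",
		"/api/public%2F..%2Fadmin/users",
		"/api//public/docs",
		"/api/admin/users",
	} {
		ok, why := Authorize(t, allowed)
		fmt.Printf("%-34s naive=%-5v hardened=%-5v %s\n", t, NaiveAuthorize(t, allowed), ok, why)
	}
}
```

Rejecting rather than cleaning is the deliberate choice: a component that silently folds `/api/public/../admin/users` to `/api/admin/users` has to be sure every other parser on the request path folds it identically, which is the assumption this class of bug breaks.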
| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status |
| --- | --- | --- | --- | --- | --- |
| [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | 7/16/24 | There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. | This is a false positive reported by Twistlock only. We have confirmed this CVE is fixed in the FIPS OpenSSL version used in VerteX. | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | Ongoing |
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'GENERAL_NAME_cmp'?
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.
@@ -9,26 +9,24 @@ sidebar_custom_props: | |||
tags: ["security", "cve"] | |||
--- | |||
|
|||
The following are security advisories for Palette and other Spectro Cloud-related resources. | |||
We aim to provide you with the most up-to-date information about the security of our products and services. No matter |
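Review bot: The Vale.Terms hit on "We aim to provide you..." in this hunk is a sentence-initial capital, not the lowercase term the rule is meant to enforce, and the same rule fires again below on "We provide the most up-to-date information below." and "We release security bulletins...". Rather than rewording every paragraph on the page to dodge it, add a Vale exception for sentence-initial "We" (or scope the rule to mid-sentence matches) so the check stops producing noise on this and future bulletins.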
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.
| Medium | 4.0 - 6.9 | | ||
| High | 7.0 - 8.9 | | ||
| Critical | 9.0 - 10.0 | | ||
We release [security bulletins](./reports/reports.md) on a monthly and ad-hoc basis addressing security vulnerabilities |
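Review bot: The severity bands in this hunk (Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0) are the CVSS v3.x qualitative scale, but the table does not say which CVSS version it follows; state it explicitly, since the v2 scale uses different cut-offs (High is 7.0-10.0 there). If the rows above the shown context do not already include Low (0.1-3.9) and None (0.0), add them, and say how the "N/A" severity used for PRISMA-2022-0227 in the CVE table relates to these bands, so a reader can place every entry on the page against this scale.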
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.
| CVE ID | Initial Pub Date | Modified Date | Impacted Product & Version | Vulnerability Type | CVSS Severity | Status |
| --- | --- | --- | --- | --- | --- | --- |
| [CVE-2023-52425](./cve-2023-52425.md) | 02/04/2024 | 06/14/2024 | Palette 4.4.8 | Third-party component: vSphere-CSI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | :mag: Ongoing |
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '02/04/2024'.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '06/14/2024'.
| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status |
| --- | --- | --- | --- | --- | --- |
| [CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | 7/16/24 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | The CVE is reported in vsphere-csi 3.2.0. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | Ongoing |
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'libexpat'?
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'reparsings'?
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'vSphere' instead of 'vsphere'.
* docs: DOC-1241
* docs: draft
* chore: updated with link
* docs: updated disclosures
* docs: updated
* chore: updated
* docs: updated
* docs: updates
* chore: updates
* chore: fix
* chore: missing URLs
* chore: updated prettier to exclude cve-page
* chore: added N/A versus leaving blank
* docs: updated CVEs
* docs: update
* docs: added airgap
* docs: fixed minor issue
* docs: fix broken URL
* docs: updated intro language

(cherry picked from commit 9bbd508)

Co-authored-by: Karl Cardenas <29551334+karl-cardenas-coding@users.noreply.github.com>

💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI.
Manual backport: To create the backport manually run:
Questions? Please refer to the Backport tool documentation and see the GitHub Action logs for details.
Describe the Change
This PR updates the security bulletin index page.
Changed Pages
💻 Preview URL for Page
Jira Tickets
🎫 DOC-1241
Backports
Can this PR be backported?