Security Bulletin Changes #3120
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for docs-spectrocloud ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
karl-cardenas-coding
added
backport-version-4-0
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
|
||
| | CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | | ||
| | ------------------------------------------------------------------------ | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | ------- | | ||
| | [GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) | 10/25/23 | The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. | CCVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | Ongoing | |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'coredns'?
|
|
||
| # CVE Details | ||
|
|
||
| We provide the most up-to-date information below. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.
|
|
||
| | CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | | ||
| | -------------------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------ | ------- | | ||
| | [PRISMA-2022-0227](https://github.com/kubernetes/kubernetes/issues/120604) | 7/16/24 | github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypass in a complex system. | The CVE reported in vsphere-csi 3.2.0, and Kubernetes 1.28.11. Govulncheck reports it as non-impacting. | N/A | Ongoing | |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'vSphere' instead of 'vsphere'.
|
|
||
| | CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | | ||
| | -------------------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------ | ------- | | ||
| | [PRISMA-2022-0227](https://github.com/kubernetes/kubernetes/issues/120604) | 7/16/24 | github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypass in a complex system. | The CVE reported in vsphere-csi 3.2.0, and Kubernetes 1.28.11. Govulncheck reports it as non-impacting. | N/A | Ongoing | |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Govulncheck'?
|
|
||
| # CVE Details | ||
|
|
||
| We provide the most up-to-date information below. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.
|
|
||
| # CVE Details | ||
|
|
||
| We provide the most up-to-date information below. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.
|
|
||
| | CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | | ||
| | --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | | ||
| | [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | 7/16/24 | There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. | This is a false positive reported by twistlock only. We have confirmed this CVE is fixed in the FIPS openSSL version that’s being used in VerteX. | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | Ongoing | |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'GENERAL_NAME_cmp'?
|
|
||
| | CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | | ||
| | --------------------------------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ------- | | ||
| | [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | 7/16/24 | There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. | This is a false positive reported by twistlock only. We have confirmed this CVE is fixed in the FIPS openSSL version that’s being used in VerteX. | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | Ongoing | |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.
| @@ -9,26 +9,24 @@ sidebar_custom_props: | |||
| tags: ["security", "cve"] | |||
| --- | |||
|
|
|||
| The following are security advisories for Palette and other Spectro Cloud-related resources. | |||
| We aim to provide you with the most up-to-date information about the security of our products and services. No matter | |||
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.
| | Medium | 4.0 - 6.9 | | ||
| | High | 7.0 - 8.9 | | ||
| | Critical | 9.0 - 10.0 | | ||
| We release [security bulletins](./reports/reports.md) on a monthly and ad-hoc basis addressing security vulnerabilities |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.
|
|
||
| | CVE ID | Initial Pub Date | Modified Date | Impacted Product & Version | Vulnerability Type | CVSS Severity | Status | | ||
| | ----------------------------------------------- | ---------------- | ------------- | -------------------------- | --------------------------------------- | -------------------------------------------------------- | ------------- | | ||
| | [CVE-2023-52425](./cve-2023-52425.md) | 02/04/2024 | 06/14/2024 | Palette 4.4.8 | Third-party component: vSphere-CSI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | :mag: Ongoing | |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '02/04/2024'.
|
|
||
| | CVE ID | Initial Pub Date | Modified Date | Impacted Product & Version | Vulnerability Type | CVSS Severity | Status | | ||
| | ----------------------------------------------- | ---------------- | ------------- | -------------------------- | --------------------------------------- | -------------------------------------------------------- | ------------- | | ||
| | [CVE-2023-52425](./cve-2023-52425.md) | 02/04/2024 | 06/14/2024 | Palette 4.4.8 | Third-party component: vSphere-CSI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | :mag: Ongoing | |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '06/14/2024'.
|
|
||
| | CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | | ||
| | ----------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ------------------------------------------------------ | ------- | | ||
| | [CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | 7/16/24 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | The CVE is reported in vsphere-csi 3.2.0. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | Ongoing | |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'libexpat'?
|
|
||
| | CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | | ||
| | ----------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ------------------------------------------------------ | ------- | | ||
| | [CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | 7/16/24 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | The CVE is reported in vsphere-csi 3.2.0. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | Ongoing | |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'reparsings'?
|
|
||
| | CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | | ||
| | ----------------------------------------------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ------------------------------------------------------ | ------- | | ||
| | [CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | 7/16/24 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | The CVE is reported in vsphere-csi 3.2.0. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | Ongoing | |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'vSphere' instead of 'vsphere'.
vault-token-factory-spectrocloud bot
pushed a commit
that referenced
this pull request
Jul 17, 2024
* docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae (cherry picked from commit 9bbd508)
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI. Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation and see the Github Action logs for details |
vault-token-factory-spectrocloud bot
added a commit
that referenced
this pull request
Jul 17, 2024
* docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae (cherry picked from commit 9bbd508) Co-authored-by: Karl Cardenas <29551334+karl-cardenas-coding@users.noreply.github.com>
karl-cardenas-coding
added a commit
that referenced
this pull request
Jul 17, 2024
* docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae
This was referenced Jul 17, 2024
Merged
karl-cardenas-coding
added a commit
that referenced
this pull request
Jul 17, 2024
* docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae
karl-cardenas-coding
added a commit
that referenced
this pull request
Jul 17, 2024
* docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae
karl-cardenas-coding
added a commit
that referenced
this pull request
Jul 17, 2024
* docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae
karl-cardenas-coding
added a commit
that referenced
this pull request
Jul 17, 2024
* docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae
karl-cardenas-coding
added a commit
that referenced
this pull request
Jul 17, 2024
* docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae
karl-cardenas-coding
added a commit
that referenced
this pull request
Jul 17, 2024
* docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae
karl-cardenas-coding
added a commit
that referenced
this pull request
Jul 17, 2024
* docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae
karl-cardenas-coding
added a commit
that referenced
this pull request
Jul 17, 2024
* docs: DOC-1241 * docs: draft * chore: updated with link * docs: updated disclosures * docs: updated * chore: updated * docs: updated * docs: updates * chore: updates * chore: fix * chore: missing URLs * chore: updated prettier to exclude cve-page * chore: added N/A versus leaving blank * docs: updated CVEs * docs: update * docs: added airgap * docs: fixed minor issue * docs: fix broken URL * docs: updated intro langugae
Merged
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Describe the Change
This PR updates the security bulletin index page.
Changed Pages
💻 Preview URL for Page
Jira Tickets
🎫 DOC-1241
Backports
Can this PR be backported?