Skip to main content

Security Bulletins

July 3, 2024 - CVE-2024-6387 OpenSSH Remote Access - 8.1 CVSS

A security regression was discovered in the OpenSSH's server daemon, SSHD. A race condition can lead to SSHD handling some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger the vulnerability by failing to authenticate within a set period.

Impact

This vulnerability affects self-hosted Palette instances, Private Cloud Gateways (PCG), and workload clusters deployed using Ubuntu 22.04. VerteX deployments which uses Ubuntu 20.04 are not affected.

Patches

An upcoming Palette release will include the Operating System (OS) patch for this vulnerability.

Workarounds

Self-hosted instances of Palette can be manually updated with the OS security patches. Workload clusters and Private Cloud Gateways can be patched using the on-demand or scheduled OS security patches apply feature. Refer to the OS Patching documentation for more information.

References


June 3, 2024 - CVE-2024-23652 BuildKit Vulnerability - 9.1 CVSS

A vulnerability found in BuildKit can potentially allow malicious BuildKit frontends and Dockerfiles to remove files from the host system outside the container by using the RUN --mount command.

Impact

No impact. Palette and VerteX do not use the impacted symbol.

Patches

Not applicable.

Workarounds

Not applicable.

References


June 3, 2024 - CVE-2024-23653 BuildKit Interactive Container API Does Not Validate Privileges - 9.8 CVSS

A vulnerability was found in the BuildKit API for deployed interactive containers. In addition to active containers as build steps, the API allowed active containers with elevated privileges.

Impact

No impact. Palette and VerteX do not use the impacted symbol.

Patches

Not applicable.

Workarounds

Not applicable.

References


June 3, 2024 - CVE-2023-49569 Path Traversal and RCE Vulnerability in Go-Git Versions Before v5.11 - 9.8 CVSS

A path traversal vulnerability discovered in Go-Git can allow attackers to create and amend files across the file system and, potentially, remotely execute malicious code. Only those applications that use ChrootOS are affected.

This is a Go-Git implementation vulnerability, and it does not affect the upstream git CLI.

Impact

No impact. Palette and VerteX do not use the impacted symbols.

Patches

Not applicable.

Workarounds

Not applicable.

References


April 14, 2024 - CVE-2023-24534 HTTP and MIME Header Parsing Can Allocate Large Amounts of Memory - 7.5 CVSS

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers.

An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With the fix, header parsing now correctly allocates only the memory required to hold parsed headers.

Impact

Low.

Patches

Palette and VerteX version 4.3.0 include the security patch for the vulnerability.

Workarounds

Not applicable.

References


April 14, 2024 - CVE-2023-24536 MIME/Multipart Form Parsing Can Consume Large Amounts of CPU and Memory - 7.5 CVSS

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing large numbers of parts. This can be caused by several reasons:

  • mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended.
  • Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.
  • ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.

The combination of these factors can allow an attacker to cause a program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm and form parsing in the net/http package with the request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With the fix, ReadForm now better estimates the memory consumption of parsed forms and performs fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms:

  • Forms parsed with ReadForm may contain no more than 1000 parts. This limit can be adjusted with the environment variable GODEBUG=multipartmaxparts=.
  • Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.

Impact

Low.

Patches

Palette and VerteX version 4.3.0 include the security patch for the vulnerability.

Workarounds

Not applicable.

References


April 14, 2024 - CVE-2023-26159 Improper Input Validation Due to Improper Handling of URLs - 6.1 CVSS

Versions of the follow-redirects package prior to 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Impact

Low impact. The Palette management platform's MongoDB service sidecar is not exposed publicly and does not accept user input.

Patches

Palette and VerteX version 4.3.0 include the security patch for the vulnerability.

Workarounds

Not applicable.

References


April 14, 2024 - CVE-2023-5764 Ansible Template Injection Vulnerability - 7.8 CVSS

A template injection flaw was found in Ansible. It occurs when internal templating operations of a user's controller remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce code injection when supplying templating data.

Impact

No impact. The Palette node agent service does not accept or parse any provided user data.

Patches

Palette and VerteX version 4.3.0 include the security patch for the vulnerability.

Workarounds

Not applicable.

References


April 14, 2024 - CVE-2023-42282 SSRF Vulnerability in Node.js - 9.8 CVSS

Node.js IP packages before version 1.1.9 may allow Server-Side Request Forgery (SSRF). This might happen because certain IP addresses, such as 0x7f.1, are improperly categorized as globally routable by the isPublic function.

Impact

Low impact. The Palette management platform's MongoDB service sidecar is not exposed publicly and does not accept user input.

Patches

Palette and VerteX version 4.3.0 include the security patch for the vulnerability.

Workarounds

Not applicable.

References


April 2, 2024 - CVE-2024-3094 Malicious Code in XZ Utility - 10 CVSS

Malicious code was discovered in the upstream tarballs of the XZ utility, starting with version 5.6.0, contain malicious code. This code is hidden within a test file in the source code and is extracted by the liblzma build process. The code then modifies specific functions in the liblzma library, resulting in a modified version of the library. Any software that links against this modified library may have its data interaction intercepted and modified. You can learn more about the vulnerability in the CVE-2024-3094 reference page.

Impact

No impact. None of the OS distributions supported by Palette use the impacted versions of the XZ utils package. Below are the links to the security advisories for all the Palette supported OS distributions:

Patches

Not Applicable

Workarounds

Not Applicable

References


January 10, 2024 - CVE-2023-39323 Bypass CGO Restrictions - 8.1 CVSS

Line directives //line can be used to bypass the restrictions on //go:cgo_ directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when issuing the command go build. The line directive requires the absolute path of the file in which the directive resides, which makes exploiting this issue significantly more complex.

Impact

No impact. This is not a runtime issue and we do not compile untrusted code.

Patches

Not Applicable

Workarounds

Not Applicable

References


January 10, 2024 - CVE-2023-45283 Filepath Package and Special Prefixes - 7.5 CVSS

The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device (RDL) path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x.

Before the fix, the Clean function could convert a rooted path such as \a\..\??\b into the RDL path \??\b. Clean will now convert this to .\??\b. Similarly, before the fix, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the RDL path ??\b. Join will now convert this to \.\??\b.

In the fix version, the function IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name.

Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ among other effects. The previous expected behavior has been restored in the new version releases.

Impact

No impact. This only impacts Windows and Palette does not use Windows operating systems for runtime operations.

Patches

Not Applicable

Workarounds

Not Applicable

References


January 10, 2024 - CVE-2023-45285 Insecure Fetching of Go Modules - 7.5 CVSS

Using the command go get to fetch a module with the .git suffix may unexpectedly fallback to the insecure git:// protocol if the module is unavailable via the secure https:// and git+ssh:// protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly and bypassing the Go proxy with GOPROXY=off.

Impact

No impact. This is not a runtime issue and we do not use any dependent module with .git suffix.

Patches

Not Applicable

Workarounds

Not Applicable

References


January 10, 2024 - CVE-2023-39325 Excessive Server Resource Consumption - 7.5 CVSS

A malicious HTTP/2 client that rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

With the fix applied, HTTP/2 servers are now bound by the number of simultaneously executing handler goroutines to the stream concurrency limit MaxConcurrentStreams.

If a client sends a new request when the server is already processing the maximum number of requests, the new request will be queued and wait for a handler to become available. However, if the queue of pending requests grows too large, the server will terminate the connection. This will happen only after the client has reset an existing request that is still being processed by the server.

This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams requests per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package. Refer to the Server.MaxConcurrentStreams setting and the ConfigureServer function for more details.

Impact

All Palette and VerteX releases prior to version 4.2.0 are impacted. The impact is largely mitigated as Palette and VerteX already have IP address based rate limit.

Patches

Palette and VerteX version 4.1.0 includes the fix for all the services using the HTTP/2 protocol.

Workarounds

No workaround available. Impact is largely mitigated by the rate limits on the API requests. Refer to the API Rate Limit documentation for more information.

References


January 10, 2024 - CVE-2023-5363 Potential Truncation of Symmetric Ciphers - 7.5 CVSS

A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.

Impact

Not Applicable. Impacting symbols defined in the CVE are not used.

Patches

Not Applicable

Workarounds

Not Applicable

References


January 10, 2024 - CVE-2019-0190 Denial of service - 7.5 CVSS

A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.

Impact

Not Applicable. Apache HTTP server with OpenSSL 1.1.1 or later is not used.

Patches

Not Applicable

Workarounds

Not Applicable

References


January 10, 2024 - CVE-2022-4886 Nginx Path Sanitization Bypass - 8.8 CVSS

The Kubernetes ingress-nginx controller path sanitization feature can be bypassed with the log_format directive.

Impact

No impact on Palette SaaS, self-hosted Palette, or VerteX deployments. We do not allow end user to create or update ingress objects. Tenant clusters using the Nginx ingress controller pack with versions older than v1.8.0 may be impacted if they expose the ability for end users to create or update ingress objects.

Patches

No fix is available yet, but there is a remediation available starting with Nginx ingress controller v1.8.0. The Nginx ingress controller pack is available with a newer version v1.9.4. The newer version has enable-annotation-validation set to true by default.

Workarounds

Starting with Nginx version v1.8.0, ingress administrators can set the --strict-validate-path-type flag to true to validate ingress rules having pathType as "Exact" or "Prefix". If the pathType is ImplementationSpecific then an admission controller policy is required to filter out the malicious path. Check out the OpenPolicyAgent and pathType enforcing documentation for more information.

Tenant clusters using older Nginx ingress controller packs can upgrade to version v1.9.4 which has strict-validate-path-type set to true by default.

References


January 10, 2024 - CVE-2023-5043 Ingress Nginx Annotation Injection - 8.8 CVSS

The Kubernetes ingress-nginx controller annotations can be used to inject arbitrary commands that are later executed.

Impact

No impact on Palette SaaS, self-hosted Palette and VerteX deployments. We do not allow end user to create or update ingress objects. Tenant clusters using the Nginx ingress controller pack with versions older than v1.8.0 may be impacted if they expose the ability for end users to create or update ingress objects.

Patches

No fix is available yet, but there is a remediation available starting with Nginx ingress controller v1.9.0. The Nginx ingress controller pack is available with a newer version v1.9.4. The new version has enable-annotation-validation set to true by default.

Workarounds

Starting with Nginx version v1.9.0, Ingress administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields. Tenant clusters using older Nginx ingress controller pack versions can upgrade the pack to version 1.9.4 which has enable-annotation-validation set to true by default.

References


January 10, 2024 - CVE-2023-5044 Ingress Nginx Annotation Injection - 8.8 CVSS

The Kubernetes ingress-nginx controller nginx.ingress.kubernetes.io/permanent-redirect annotation can be used to inject arbitrary commands that are later executed.

Impact

No impact on Palette SaaS, self-hosted Palette and VerteX deployments. We do not allow end user to create or update ingress objects. Tenant clusters using nginx ingress controller pack with versions older than v1.8.0 may be impacted if they are expose the ability for end users to create or update ingress objects.

Patches

No fix is available yet, but there is a remediation available starting with Nginx ingress controller version 1.9.0. The Nginx ingress controller pack is available with version v1.9.4. The newer version has enable-annotation-validation set to true by default.

Workarounds

Starting with Nginx version 1.9.0, ingress administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields. Tenant clusters using older Nginx ingress controller packs can upgrade to version v1.9.4 which has enable-annotation-validation set to true by default.

References


October 17, 2023 - CVE-2023-4911 Buffer Overflow in Dynamic Loader - 7.8 CVSS

A buffer overflow was discovered in the GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Impact

All internal Palette and VerteX microservices are not impacted as the binaries are compiled using musl. This vulnerability, from an OS perspective, cannot be exploited without a remote code execution exploit.

Patches

Palette version 4.1.0 includes the security patch for the vulnerability.

Workarounds

Self-hosted instances of Palette and VerteX need to upgrade to version 4.1.0 or greater. Tenant Clusters and Private Cloud Gateways can be patched using the on-demand or scheduled OS security patches apply feature. Refer to the OS Patching documentation for more information.

References


October 11, 2023 - CVE-2023-44487 HTTP/2 Denial of Service - 7.5 CVSS

The HTTP/2 protocol may be used to create a denial of service and cause a server to exhaust all of its allocated resources. A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption.

Impact

All Palette and VerteX releases prior to version 4.1.0 are impacted. The impact is largely mitigated as Palette and VerteX already has IP address based rate limit.

Patches

Palette and VerteX version 4.1.0 includes the fix for all the services using HTTP/2 protocol.

Workarounds

No workaround available. Impact is largely mitigated by the rate limits on the API requests. Refer to the API Rate Limit documentation for more information.

References


October 6, 2023 - CVE-2023-32002 NodeJS Modules Policy Bypass - 9.8 CVSS

The use of the Module library's Module._load() function can be used to bypass the defined policy mechanism and require external modules not defined in the policy.json file for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Impact

No impact since the impacted function is not used by Palette.

Patches

Not Applicable

Workarounds

Not Applicable

References

-- CVE-2023-32002


September 25, 2023 - CVE-2023-42810 - NodeJS SSID Command Injection Vulnerability - 9.8 CVSS

The NodeJS system information library, systeminformation, has an SSID command injection vulnerability. The affected versions are v5.0.0 to v5.21.6. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to wifiConnections(), wifiNetworks().

Impact

No impact since the impacted functions are not used.

Patches

Not Applicable

Workarounds

Not Applicable

References


September 25, 2023 - CVE-2023-4863 Libwebp Programs Terminations - 8.8 CVSS

A heap buffer overflow in the library, libwebp, allows a remote attacker to perform an out of bounds memory write via a crafted HTML page. This vulerability is present with the combination of Google Chrome prior to versions 116.0.5845.187 with libwebp version 1.3.2. This is Chromium security severity that is marked as Critical.

Impact

No impact since libwebp is not used on any of the Palette container images. This vulnerability, from an OS perspective OS, a cannot be exploited without a remote code execution exploit.

Patches

Release 4.1.0 of self-hosted Palette and VerteX deployment include the security patch for the CVE.

Workarounds

Self-hosted instances of Palette and VerteX need to upgrade to version 4.1.0 or greater. Tenant Clusters and Private Cloud Gateways can be patched using the on-demand or scheduled OS security patches apply feature. Refer to the OS Patching documentation for more information.

References


September 01, 2023 - CVE-2023-22809 Sudo Vulnerability - 7.8 CVSS

The sudo program version 1.9.12p2 and earlier mishandles extra arguments passed in the user-provided environment variables SUDO_EDITOR, VISUAL, and EDITOR when the sudoedit command is executed.

The mishandling allows a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain the -- argument that defeats a protection mechanism. For example, an attacker may issue the following command EDITOR='vim -- /path/to/extra/file value.

Impact

This vulnerability affects the following Palette components:

  • Self-hosted Palette instances with versions older than 4.0.0

  • Private Cloud Gateways instances with versions older than 4.0.0

  • Clusters deployed with Palette versions older than 4.0.0

Patches

For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the OS.

Workarounds

For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the OS Patching documentation for more information.


References


September 01, 2023 - CVE-2023-38408 OpenSSH Vulnerability - 9.8 CVSS

The PKCS#11 feature in the OpenSSH ssh-agent before version 9.3p2 has an insufficiently trustworthy search path. This may lead to remote code execution if an agent is forwarded to an attacker-controlled system. Code in the folder /usr/lib may be unsafe to load into the ssh-agent. This issue exists because of an incomplete fix for CVE-2016-10009.

Impact

This vulnerability affects the following Palette components:

  • Self-hosted Palette instances with versions older than 4.0.0

  • Private Cloud Gateways instances with versions older than 4.0.0

  • Clusters deployed with Palette versions older than 4.0.0

Patches

  • For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the Operating System (OS).

Workarounds

  • For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the OS Patching documentation for more information.

References


September 01, 2023 - CVE-2023-29400 - HTML Template Vulnerability Security Advisory - 7.3 CVSS

When using Go templates with actions in unquoted HTML attributes, such as attr={{.}}, unexpected output may occur due to HTML normalization rules if invoked with an empty input. This may allow the injection of arbitrary attributes into tags.

Impact

No impact. We use the Go package html/template and our HTML templates are static. Our templates do not contain characters mentioned in the CVE. We also do not accept or parse any provided user data

Patches

Not applicable.

Workarounds

Not applicable.

References


September 01, 2023 - CVE-2023-24539 - HTML Template Vulnerability Security Advisory - 7.3 CVSS

Angle brackets <> are not considered dangerous characters when inserted into Cascading Style Sheets (CSS) contexts. Go templates containing multiple actions separated by a / character can result in unexpectedly closing the CSS context and allowing for the injection of unexpected HTML if executed with untrusted input.

Impact

No impact. We use the Go package html/template and our HTML templates are static. We also do not accept or parse any provided user data.

Patches

Not applicable.

Workarounds

Not applicable.

References


September 01, 2023 - CVE-2023-24538 - HTML Template Vulnerability - Security Advisory - 9.8 CVSS

Go templates do not consider backticks as a Javascript string delimiter and, as a result, do not escape them as expected. Backticks have been used since ES6 for JS template literals. If a Go template contains an action within a literal Javascript template, the action's contents can be used to terminate the literal and potentially inject arbitrary Javascript code into the Go template.

Go template actions are disallowed from being used inside of them, for example, "var a = {{.}}" since there is no safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With this fix, Template.Parse() returns an error when it encounters templates containing actions with literal JavaScript. The ErrorCode has a value of 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1 with the caveat that backticks will now be escaped.

Impact

No impact. We use the Go package html/template and our HTML templates are static. We also do not accept or parse any provided user data.

Affected Products

Not applicable.

Patches

Not applicable.

Workarounds

Not applicable.

References


September 01, 2023 - CVE-2023-29404 - CGO LDFLAGS Vulnerability Security Advisory - 9.8 CVSS

The go command can execute any code during the build process when using cgo. This can happen when using go get command on a malicious module or any other command that builds untrusted code. It can also be triggered by linker flags specified through the #cgo LDFLAGS directive. The non-optional flags in LDFLAGS sanitization allow disallowed flags to be used with gc and gccgo compilers.

Impact

No impact. This is not a runtime issue and we do not compile untrusted code.

Affected Products

Not applicable.

Patches

Not applicable.

Workarounds

Not applicable.

References


September 01, 2023 - CVE-2023-29402 - Go Modules Vulnerability Security Advisory - 9.8 CVSS

The go command may generate unexpected code at build time when using cgo. Using unexpected code with cgo can cause unexpected behavior in Go programs. This may occur when an untrusted module contains directories with newline characters in their names. Go modules retrieved using the command go get are unaffected. Modules retrieved using the legacy module retrieve method with the environment variables GOPATH and GO111MODULE=off may be affected.

Impact

No impact. This is not a runtime issue and we do not compile untrusted code.

Affected Products

Not applicable.

Patches

Not applicable.

Workarounds

Not applicable.

References


September 01, 2023 - CVE-2023-29402 - Go get Vulnerability Security Advisory - 9.8 CVSS

The go command may execute arbitrary code at build time when using cgo. The arbitrary code execution may occur when the command go get is issued on a malicious module or when using any other command that builds untrusted code. This can be triggered by linker flags specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are mishandled, and disallowed flags are smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects the gccgo compiler.

Impact

No impact. This is not a runtime issue and we do not compile untrusted code.

Affected Products

Not applicable.

Patches

Not applicable.

Workarounds

Not applicable.

References


September 01, 2023 - CVE-2023-24540 - HTML Template Security Advisory - 9.8 CVSS

Not all valid JavaScript whitespace characters are considered to be whitespace. JavaScript templates containing whitespace characters outside of the character set \t\n\f\r\u0020\u2028\u2029 may not be properly sanitized during execution.

Impact

No impact - We use the Go package html/template but our HTML templates are static. We also do not accept or parse any provided user data.

Patches

Not applicable.

Workarounds

Not applicable.

References


March 20, 2023 - CVE-2023-22809 Sudo Vulnerability in Palette - 7.8 CVSS

A security vulnerability in sudo -e option (aka sudoedit) allows a malicious user with sudoedit privileges to edit arbitrary files. The Palette container palette-controller-manager:mold-manager incorporates a sudo version affected by sudoers policy bypass in sudo when using sudoedit.

All versions of Palette before v2.6.70 are affected.

Impact

A local user with permission to edit files can use this flaw to change a file not permitted by the security policy, resulting in privilege escalation.

Resolution

  • For Palette SaaS, this has been addressed and requires no user action.
  • For ​​Palette self-hosted deployments, please upgrade to newer versions greater than or equal to v2.6.70 to address the reported vulnerability.

Workarounds

None.

References


August 4, 2022 - CVE-2022-1292 c_rehash script vulnerability in vSphere CSI pack - 9.8 CVSS

On May 3 2022, OpenSSL published a security advisory disclosing a command injection vulnerability in the c_rehash script included with the OpenSSL library. Some operating systems automatically execute this script as a part of normal operations, which could allow an attacker to execute arbitrary commands with elevated privileges.

Palette is not directly affected by this vulnerability. However, if your cluster profile is using the vSphere CSI pack, version v2.3 or below, it contains a vulnerable version of the c_rehash script.

Impact

The c_rehash script does not sanitize shell metacharacters properly to prevent command injection. This script is distributed by some operating systems, and by extension, in container images, in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.

Resolution

This vulnerability has been addressed in the vSphere CSI pack greater than or equal to version v2.6.

Workarounds

Update cluster profiles using the vSphere CSI pack to version v2.6 or greater. Apply the updated cluster profile changes to all clusters consuming the cluster profile.

References