Security Bulletins
April 14, 2024 - CVE-2023-24534 HTTP and MIME Header Parsing Can Allocate Large Amounts of Memory - 7.5 CVSS
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers.
An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With the fix, header parsing now correctly allocates only the memory required to hold parsed headers.
Impact
Low.
Patches
Palette and VerteX version 4.3.0 include the security patch for the vulnerability.
Workarounds
Not applicable.
References
April 14, 2024 - CVE-2023-24536 MIME/Multipart Form Parsing Can Consume Large Amounts of CPU and Memory - 7.5 CVSS
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing large numbers of parts. This can be caused by several reasons:
mime/multipart.Reader.ReadFormlimits the total memory a parsed multipart form can consume.ReadFormcan undercount the amount of memory consumed, leading it to accept larger inputs than intended.- Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.
ReadFormcan allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.
The combination of these factors can allow an attacker to cause a program that parses multipart forms to consume large
amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use
mime/multipart.Reader.ReadForm and form parsing in the net/http package with the request methods FormFile,
FormValue, ParseMultipartForm, and PostFormValue. With the fix, ReadForm now better estimates the memory
consumption of parsed forms and performs fewer short-lived allocations. In addition, the fixed mime/multipart.Reader
imposes the following limits on the size of parsed forms:
- Forms parsed with
ReadFormmay contain no more than 1000 parts. This limit can be adjusted with the environment variableGODEBUG=multipartmaxparts=. - Form parts parsed with
NextPartandNextRawPartmay contain no more than 10,000 header fields. In addition, forms parsed withReadFormmay contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variableGODEBUG=multipartmaxheaders=.
Impact
Low.
Patches
Palette and VerteX version 4.3.0 include the security patch for the vulnerability.
Workarounds
Not applicable.
References
April 14, 2024 - CVE-2023-26159 Improper Input Validation Due to Improper Handling of URLs - 6.1 CVSS
Versions of the follow-redirects package prior to 1.15.4 are vulnerable to Improper Input Validation due to the
improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to
misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially
leading to information disclosure, phishing attacks, or other security breaches.
Impact
Low impact. The Palette management platform's MongoDB service sidecar is not exposed publicly and does not accept user input.
Patches
Palette and VerteX version 4.3.0 include the security patch for the vulnerability.
Workarounds
Not applicable.
References
April 14, 2024 - CVE-2023-5764 Ansible Template Injection Vulnerability - 7.8 CVSS
A template injection flaw was found in Ansible. It occurs when internal templating operations of a user's controller remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce code injection when supplying templating data.
Impact
No impact. The Palette node agent service does not accept or parse any provided user data.
Patches
Palette and VerteX version 4.3.0 include the security patch for the vulnerability.
Workarounds
Not applicable.
References
April 14, 2024 - CVE-2023-42282 SSRF Vulnerability in Node.js - 9.8 CVSS
Node.js IP packages before version 1.1.9 may allow Server-Side Request Forgery (SSRF). This might happen because certain
IP addresses, such as 0x7f.1, are improperly categorized as globally routable by the isPublic function.
Impact
Low impact. The Palette management platform's MongoDB service sidecar is not exposed publicly and does not accept user input.
Patches
Palette and VerteX version 4.3.0 include the security patch for the vulnerability.
Workarounds
Not applicable.
References
April 2, 2024 - CVE-2024-3094 Malicious Code in XZ Utility - 10 CVSS
Malicious code was discovered in the upstream tarballs of the XZ utility, starting with version 5.6.0, contain malicious code. This code is hidden within a test file in the source code and is extracted by the liblzma build process. The code then modifies specific functions in the liblzma library, resulting in a modified version of the library. Any software that links against this modified library may have its data interaction intercepted and modified. You can learn more about the vulnerability in the CVE-2024-3094 reference page.
Impact
No impact. None of the OS distributions supported by Palette use the impacted versions of the XZ utils package. Below are the links to the security advisories for all the Palette supported OS distributions:
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2023-39323 Bypass CGO Restrictions - 8.1 CVSS
Line directives //line can be used to bypass the restrictions on //go:cgo_ directives, allowing blocked linker and
compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when issuing
the command go build. The line directive requires the absolute path of the file in which the directive resides, which
makes exploiting this issue significantly more complex.
Impact
No impact. This is not a runtime issue and we do not compile untrusted code.
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2023-45283 Filepath Package and Special Prefixes - 7.5 CVSS
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\
is a Root Local Device (RDL) path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to
access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x.
Before the fix, the Clean function could convert a rooted path such as \a\..\??\b into the RDL path \??\b. Clean
will now convert this to .\??\b. Similarly, before the fix, Join(\, ??, b) could convert a seemingly innocent
sequence of path elements into the RDL path ??\b. Join will now convert this to \.\??\b.
In the fix version, the function IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName
correctly reports the \??\ prefix as a volume name.
Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?,
resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ among other effects. The previous expected
behavior has been restored in the new version releases.
Impact
No impact. This only impacts Windows and Palette does not use Windows operating systems for runtime operations.
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2023-45285 Insecure Fetching of Go Modules - 7.5 CVSS
Using the command go get to fetch a module with the .git suffix may unexpectedly fallback to the insecure git://
protocol if the module is unavailable via the secure https:// and git+ssh:// protocols, even if GOINSECURE is not
set for said module. This only affects users who are not using the module proxy and are fetching modules directly and
bypassing the Go proxy with GOPROXY=off.
Impact
No impact. This is not a runtime issue and we do not use any dependent module with .git suffix.
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2023-39325 Excessive Server Resource Consumption - 7.5 CVSS
A malicious HTTP/2 client that rapidly creates requests and immediately resets them can cause excessive server resource
consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting
an in-progress request allows the attacker to create a new request while the existing one is still executing.
With the fix applied, HTTP/2 servers are now bound by the number of simultaneously executing handler goroutines to the
stream concurrency limit MaxConcurrentStreams.
If a client sends a new request when the server is already processing the maximum number of requests, the new request will be queued and wait for a handler to become available. However, if the queue of pending requests grows too large, the server will terminate the connection. This will happen only after the client has reset an existing request that is still being processed by the server.
This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency
limit is 250 streams requests per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2
package. Refer to the Server.MaxConcurrentStreams setting and the ConfigureServer function for more details.
Impact
All Palette and VerteX releases prior to version 4.2.0 are impacted. The impact is largely mitigated as Palette and VerteX already have IP address based rate limit.
Patches
Palette and VerteX version 4.1.0 includes the fix for all the services using the HTTP/2 protocol.
Workarounds
No workaround available. Impact is largely mitigated by the rate limits on the API requests. Refer to the API Rate Limit documentation for more information.
References
January 10, 2024 - CVE-2023-5363 Potential Truncation of Symmetric Ciphers - 7.5 CVSS
A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.
Impact
Not Applicable. Impacting symbols defined in the CVE are not used.
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2019-0190 Denial of service - 7.5 CVSS
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted
request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with
Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to
handling of renegotiation attempts.
Impact
Not Applicable. Apache HTTP server with OpenSSL 1.1.1 or later is not used.
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2022-4886 Nginx Path Sanitization Bypass - 8.8 CVSS
The Kubernetes ingress-nginx controller path sanitization feature can be
bypassed with the log_format directive.
Impact
No impact on Palette SaaS, self-hosted Palette, or VerteX deployments. We do not allow end user to create or update ingress objects. Tenant clusters using the Nginx ingress controller pack with versions older than v1.8.0 may be impacted if they expose the ability for end users to create or update ingress objects.
Patches
No fix is available yet, but there is a remediation available starting with Nginx ingress controller v1.8.0. The Nginx
ingress controller pack is available with a newer version v1.9.4. The newer version has enable-annotation-validation
set to true by default.
Workarounds
Starting with Nginx version v1.8.0, ingress administrators can set the --strict-validate-path-type flag to true to
validate ingress rules having pathType as "Exact" or "Prefix". If the pathType is ImplementationSpecific then an
admission controller policy is required to filter out the malicious path. Check out the
OpenPolicyAgent and pathType enforcing
documentation for more information.
Tenant clusters using older Nginx ingress controller packs can upgrade to version v1.9.4 which has
strict-validate-path-type set to true by default.
References
January 10, 2024 - CVE-2023-5043 Ingress Nginx Annotation Injection - 8.8 CVSS
The Kubernetes ingress-nginx controller annotations can be used to inject arbitrary commands that are later executed.
Impact
No impact on Palette SaaS, self-hosted Palette and VerteX deployments. We do not allow end user to create or update ingress objects. Tenant clusters using the Nginx ingress controller pack with versions older than v1.8.0 may be impacted if they expose the ability for end users to create or update ingress objects.
Patches
No fix is available yet, but there is a remediation available starting with Nginx ingress controller v1.9.0. The Nginx
ingress controller pack is available with a newer version v1.9.4. The new version has enable-annotation-validation set
to true by default.
Workarounds
Starting with Nginx version v1.9.0, Ingress administrators should set the --enable-annotation-validation flag to
enforce restrictions on the contents of ingress-nginx annotation fields. Tenant clusters using older Nginx ingress
controller pack versions can upgrade the pack to version 1.9.4 which has enable-annotation-validation set to true by
default.
References
January 10, 2024 - CVE-2023-5044 Ingress Nginx Annotation Injection - 8.8 CVSS
The Kubernetes ingress-nginx controller
nginx.ingress.kubernetes.io/permanent-redirect annotation can be used to inject arbitrary commands that are later
executed.
Impact
No impact on Palette SaaS, self-hosted Palette and VerteX deployments. We do not allow end user to create or update ingress objects. Tenant clusters using nginx ingress controller pack with versions older than v1.8.0 may be impacted if they are expose the ability for end users to create or update ingress objects.
Patches
No fix is available yet, but there is a remediation available starting with Nginx ingress controller version 1.9.0. The
Nginx ingress controller pack is available with version v1.9.4. The newer version has enable-annotation-validation set
to true by default.
Workarounds
Starting with Nginx version 1.9.0, ingress administrators should set the --enable-annotation-validation flag to
enforce restrictions on the contents of ingress-nginx annotation fields. Tenant clusters using older Nginx ingress
controller packs can upgrade to version v1.9.4 which has enable-annotation-validation set to true by default.
References
October 17, 2023 - CVE-2023-4911 Buffer Overflow in Dynamic Loader - 7.8 CVSS
A buffer overflow was discovered in the GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES
environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment
variables when launching binaries with SUID permission to execute code with elevated privileges.
Impact
All internal Palette and VerteX microservices are not impacted as the binaries are compiled using musl. This vulnerability, from an OS perspective, cannot be exploited without a remote code execution exploit.
Patches
Palette version 4.1.0 includes the security patch for the vulnerability.
Workarounds
Self-hosted instances of Palette and VerteX need to upgrade to version 4.1.0 or greater. Tenant Clusters and Private Cloud Gateways can be patched using the on-demand or scheduled OS security patches apply feature. Refer to the OS Patching documentation for more information.
References
October 11, 2023 - CVE-2023-44487 HTTP/2 Denial of Service - 7.5 CVSS
The HTTP/2 protocol may be used to create a denial of service and cause a server to exhaust all of its allocated resources. A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption.
Impact
All Palette and VerteX releases prior to version 4.1.0 are impacted. The impact is largely mitigated as Palette and VerteX already has IP address based rate limit.
Patches
Palette and VerteX version 4.1.0 includes the fix for all the services using HTTP/2 protocol.
Workarounds
No workaround available. Impact is largely mitigated by the rate limits on the API requests. Refer to the API Rate Limit documentation for more information.
References
October 6, 2023 - CVE-2023-32002 NodeJS Modules Policy Bypass - 9.8 CVSS
The use of the Module library's Module._load() function can be used to bypass the defined policy mechanism and require
external modules not defined in the policy.json file for a given module. This vulnerability affects all users using
the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Note that at the time this CVE was
issued, the policy is an experimental feature of Node.js.
Impact
No impact since the impacted function is not used by Palette.
Patches
Not Applicable
Workarounds
Not Applicable
References
September 25, 2023 - CVE-2023-42810 - NodeJS SSID Command Injection Vulnerability - 9.8 CVSS
The NodeJS system information library, systeminformation, has an SSID command injection vulnerability. The affected
versions are v5.0.0 to v5.21.6. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check
or sanitize parameter strings that are passed to wifiConnections(), wifiNetworks().
Impact
No impact since the impacted functions are not used.
Patches
Not Applicable
Workarounds
Not Applicable
References
September 25, 2023 - CVE-2023-4863 Libwebp Programs Terminations - 8.8 CVSS
A heap buffer overflow in the library, libwebp, allows a remote attacker to perform an out of bounds memory write via
a crafted HTML page. This vulerability is present with the combination of Google Chrome prior to versions 116.0.5845.187
with libwebp version 1.3.2. This is Chromium security severity that is marked as Critical.
Impact
No impact since libwebp is not used on any of the Palette container images. This vulnerability, from an OS perspective
OS, a cannot be exploited without a remote code execution exploit.
Patches
Release 4.1.0 of self-hosted Palette and VerteX deployment include the security patch for the CVE.
Workarounds
Self-hosted instances of Palette and VerteX need to upgrade to version 4.1.0 or greater. Tenant Clusters and Private Cloud Gateways can be patched using the on-demand or scheduled OS security patches apply feature. Refer to the OS Patching documentation for more information.
References
September 01, 2023 - CVE-2023-22809 Sudo Vulnerability - 7.8 CVSS
The sudo program version 1.9.12p2 and earlier mishandles extra arguments passed in the user-provided environment
variables SUDO_EDITOR, VISUAL, and EDITOR when the sudoedit command is executed.
The mishandling allows a local attacker to append arbitrary entries to the list of files to process. This can lead to
privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor
may contain the -- argument that defeats a protection mechanism. For example, an attacker may issue the following
command EDITOR='vim -- /path/to/extra/file value.
Impact
This vulnerability affects the following Palette components:
-
Self-hosted Palette instances with versions older than 4.0.0
-
Private Cloud Gateways instances with versions older than 4.0.0
-
Clusters deployed with Palette versions older than 4.0.0
Patches
For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the OS.
Workarounds
For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the OS Patching documentation for more information.
References
September 01, 2023 - CVE-2023-38408 OpenSSH Vulnerability - 9.8 CVSS
The PKCS#11 feature in the OpenSSH ssh-agent before version 9.3p2 has an insufficiently trustworthy search path. This may lead to remote code execution if an agent is forwarded to an attacker-controlled system. Code in the folder /usr/lib may be unsafe to load into the ssh-agent. This issue exists because of an incomplete fix for CVE-2016-10009.
Impact
This vulnerability affects the following Palette components:
-
Self-hosted Palette instances with versions older than 4.0.0
-
Private Cloud Gateways instances with versions older than 4.0.0
-
Clusters deployed with Palette versions older than 4.0.0
Patches
- For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the Operating System (OS).
Workarounds
- For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the OS Patching documentation for more information.
References
September 01, 2023 - CVE-2023-29400 - HTML Template Vulnerability Security Advisory - 7.3 CVSS
When using Go templates with actions in unquoted HTML attributes, such as attr={{.}}, unexpected output may occur due
to HTML normalization rules if invoked with an empty input. This may allow the injection of arbitrary attributes into
tags.
Impact
No impact. We use the Go package html/template and our HTML templates are static. Our templates do not contain characters mentioned in the CVE. We also do not accept or parse any provided user data
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-24539 - HTML Template Vulnerability Security Advisory - 7.3 CVSS
Angle brackets <> are not considered dangerous characters when inserted into Cascading Style Sheets (CSS) contexts. Go
templates containing multiple actions separated by a / character can result in unexpectedly closing the CSS context
and allowing for the injection of unexpected HTML if executed with untrusted input.
Impact
No impact. We use the Go package html/template and our HTML templates are static. We also do not accept or parse any provided user data.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-24538 - HTML Template Vulnerability - Security Advisory - 9.8 CVSS
Go templates do not consider backticks as a Javascript string delimiter and, as a result, do not escape them as expected. Backticks have been used since ES6 for JS template literals. If a Go template contains an action within a literal Javascript template, the action's contents can be used to terminate the literal and potentially inject arbitrary Javascript code into the Go template.
Go template actions are disallowed from being used inside of them, for example, "var a = {{.}}" since there is no safe
way to allow this behavior. This takes the same approach as github.com/google/safehtml. With this fix,
Template.Parse() returns an error when it encounters templates containing actions with literal JavaScript. The
ErrorCode has a value of 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21.
Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1 with the caveat that
backticks will now be escaped.
Impact
No impact. We use the Go package html/template and our HTML templates are static. We also do not accept or parse any provided user data.
Affected Products
Not applicable.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-29404 - CGO LDFLAGS Vulnerability Security Advisory - 9.8 CVSS
The go command can execute any code during the build process when using cgo. This can happen when using go get
command on a malicious module or any other command that builds untrusted code. It can also be triggered by linker flags
specified through the #cgo LDFLAGS directive. The non-optional flags in LDFLAGS sanitization allow disallowed flags to
be used with gc and gccgo compilers.
Impact
No impact. This is not a runtime issue and we do not compile untrusted code.
Affected Products
Not applicable.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-29402 - Go Modules Vulnerability Security Advisory - 9.8 CVSS
The go command may generate unexpected code at build time when using cgo. Using unexpected code with cgo can cause
unexpected behavior in Go programs. This may occur when an untrusted module contains directories with newline characters
in their names. Go modules retrieved using the command go get are unaffected. Modules retrieved using the legacy
module retrieve method with the environment variables GOPATH and GO111MODULE=off may be affected.
Impact
No impact. This is not a runtime issue and we do not compile untrusted code.
Affected Products
Not applicable.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-29402 - Go get Vulnerability Security Advisory - 9.8 CVSS
The go command may execute arbitrary code at build time when using cgo. The arbitrary code execution may occur when the
command go get is issued on a malicious module or when using any other command that builds untrusted code. This can be
triggered by linker flags specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are mishandled, and
disallowed flags are smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This
only affects the gccgo compiler.
Impact
No impact. This is not a runtime issue and we do not compile untrusted code.
Affected Products
Not applicable.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-24540 - HTML Template Security Advisory - 9.8 CVSS
Not all valid JavaScript whitespace characters are considered to be whitespace. JavaScript templates containing
whitespace characters outside of the character set \t\n\f\r\u0020\u2028\u2029 may not be properly sanitized during
execution.
Impact
No impact - We use the Go package html/template but our HTML templates are static. We also do not accept or parse any provided user data.
Patches
Not applicable.
Workarounds
Not applicable.
References
March 20, 2023 - CVE-2023-22809 Sudo Vulnerability in Palette - 7.8 CVSS
A security vulnerability in sudo -e option (aka sudoedit) allows a malicious user with sudoedit privileges to edit
arbitrary files. The Palette container palette-controller-manager:mold-manager incorporates a sudo version affected by
sudoers policy bypass in sudo when using sudoedit.
All versions of Palette before v2.6.70 are affected.
Impact
A local user with permission to edit files can use this flaw to change a file not permitted by the security policy, resulting in privilege escalation.
Resolution
- For Palette SaaS, this has been addressed and requires no user action.
- For Palette self-hosted deployments, please upgrade to newer versions greater than or equal to v2.6.70 to address the reported vulnerability.
Workarounds
None.
References
August 4, 2022 - CVE-2022-1292 c_rehash script vulnerability in vSphere CSI pack - 9.8 CVSS
On May 3 2022, OpenSSL published a security advisory disclosing a command injection vulnerability in the c_rehash
script included with the OpenSSL library. Some operating systems automatically execute this script as a part of normal
operations, which could allow an attacker to execute arbitrary commands with elevated privileges.
Palette is not directly affected by this vulnerability. However, if your cluster profile is using the vSphere CSI pack,
version v2.3 or below, it contains a vulnerable version of the c_rehash script.
Impact
The c_rehash script does not sanitize shell metacharacters properly to prevent command injection. This script is
distributed by some operating systems, and by extension, in container images, in a manner where it is automatically
executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
Resolution
This vulnerability has been addressed in the vSphere CSI pack greater than or equal to version v2.6.
Workarounds
Update cluster profiles using the vSphere CSI pack to version v2.6 or greater. Apply the updated cluster profile changes to all clusters consuming the cluster profile.