Security Bulletins
July 3, 2024 - CVE-2024-6387 OpenSSH Remote Access - 8.1 CVSS
A security regression was discovered in the OpenSSH's server daemon, SSHD. A race condition can lead to SSHD handling some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger the vulnerability by failing to authenticate within a set period.
Impact
This vulnerability affects self-hosted Palette instances, Private Cloud Gateways (PCG), and workload clusters deployed using Ubuntu 22.04. VerteX deployments which uses Ubuntu 20.04 are not affected.
Patches
An upcoming Palette release will include the Operating System (OS) patch for this vulnerability.
Workarounds
Self-hosted instances of Palette can be manually updated with the OS security patches. Workload clusters and Private Cloud Gateways can be patched using the on-demand or scheduled OS security patches apply feature. Refer to the OS Patching documentation for more information.
References
June 3, 2024 - CVE-2024-23652 BuildKit Vulnerability - 9.1 CVSS
A vulnerability found in BuildKit can potentially allow malicious BuildKit frontends and Dockerfiles to remove files
from the host system outside the container by using the RUN --mount
command.
Impact
No impact. Palette and VerteX do not use the impacted symbol.
Patches
Not applicable.
Workarounds
Not applicable.
References
June 3, 2024 - CVE-2024-23653 BuildKit Interactive Container API Does Not Validate Privileges - 9.8 CVSS
A vulnerability was found in the BuildKit API for deployed interactive containers. In addition to active containers as build steps, the API allowed active containers with elevated privileges.
Impact
No impact. Palette and VerteX do not use the impacted symbol.
Patches
Not applicable.
Workarounds
Not applicable.
References
June 3, 2024 - CVE-2023-49569 Path Traversal and RCE Vulnerability in Go-Git Versions Before v5.11 - 9.8 CVSS
A path traversal vulnerability discovered in Go-Git can allow attackers to create and amend files across the file system and, potentially, remotely execute malicious code. Only those applications that use ChrootOS are affected.
This is a Go-Git implementation vulnerability, and it does not affect the upstream git CLI.
Impact
No impact. Palette and VerteX do not use the impacted symbols.
Patches
Not applicable.
Workarounds
Not applicable.
References
April 14, 2024 - CVE-2023-24534 HTTP and MIME Header Parsing Can Allocate Large Amounts of Memory - 7.5 CVSS
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers.
An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With the fix, header parsing now correctly allocates only the memory required to hold parsed headers.
Impact
Low.
Patches
Palette and VerteX version 4.3.0 include the security patch for the vulnerability.
Workarounds
Not applicable.
References
April 14, 2024 - CVE-2023-24536 MIME/Multipart Form Parsing Can Consume Large Amounts of CPU and Memory - 7.5 CVSS
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing large numbers of parts. This can be caused by several reasons:
mime/multipart.Reader.ReadForm
limits the total memory a parsed multipart form can consume.ReadForm
can undercount the amount of memory consumed, leading it to accept larger inputs than intended.- Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.
ReadForm
can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.
The combination of these factors can allow an attacker to cause a program that parses multipart forms to consume large
amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use
mime/multipart.Reader.ReadForm
and form parsing in the net/http
package with the request methods FormFile
,
FormValue
, ParseMultipartForm
, and PostFormValue
. With the fix, ReadForm
now better estimates the memory
consumption of parsed forms and performs fewer short-lived allocations. In addition, the fixed mime/multipart.Reader
imposes the following limits on the size of parsed forms:
- Forms parsed with
ReadForm
may contain no more than 1000 parts. This limit can be adjusted with the environment variableGODEBUG=multipartmaxparts=
. - Form parts parsed with
NextPart
andNextRawPart
may contain no more than 10,000 header fields. In addition, forms parsed withReadForm
may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variableGODEBUG=multipartmaxheaders=
.
Impact
Low.
Patches
Palette and VerteX version 4.3.0 include the security patch for the vulnerability.
Workarounds
Not applicable.
References
April 14, 2024 - CVE-2023-26159 Improper Input Validation Due to Improper Handling of URLs - 6.1 CVSS
Versions of the follow-redirects
package prior to 1.15.4 are vulnerable to Improper Input Validation due to the
improper handling of URLs by the url.parse()
function. When new URL()
throws an error, it can be manipulated to
misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially
leading to information disclosure, phishing attacks, or other security breaches.
Impact
Low impact. The Palette management platform's MongoDB service sidecar is not exposed publicly and does not accept user input.
Patches
Palette and VerteX version 4.3.0 include the security patch for the vulnerability.
Workarounds
Not applicable.
References
April 14, 2024 - CVE-2023-5764 Ansible Template Injection Vulnerability - 7.8 CVSS
A template injection flaw was found in Ansible. It occurs when internal templating operations of a user's controller remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce code injection when supplying templating data.
Impact
No impact. The Palette node agent service does not accept or parse any provided user data.
Patches
Palette and VerteX version 4.3.0 include the security patch for the vulnerability.
Workarounds
Not applicable.
References
April 14, 2024 - CVE-2023-42282 SSRF Vulnerability in Node.js - 9.8 CVSS
Node.js IP packages before version 1.1.9 may allow Server-Side Request Forgery (SSRF). This might happen because certain
IP addresses, such as 0x7f.1
, are improperly categorized as globally routable by the isPublic
function.
Impact
Low impact. The Palette management platform's MongoDB service sidecar is not exposed publicly and does not accept user input.
Patches
Palette and VerteX version 4.3.0 include the security patch for the vulnerability.
Workarounds
Not applicable.
References
April 2, 2024 - CVE-2024-3094 Malicious Code in XZ Utility - 10 CVSS
Malicious code was discovered in the upstream tarballs of the XZ utility, starting with version 5.6.0, contain malicious code. This code is hidden within a test file in the source code and is extracted by the liblzma build process. The code then modifies specific functions in the liblzma library, resulting in a modified version of the library. Any software that links against this modified library may have its data interaction intercepted and modified. You can learn more about the vulnerability in the CVE-2024-3094 reference page.
Impact
No impact. None of the OS distributions supported by Palette use the impacted versions of the XZ utils package. Below are the links to the security advisories for all the Palette supported OS distributions:
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2023-39323 Bypass CGO Restrictions - 8.1 CVSS
Line directives //line
can be used to bypass the restrictions on //go:cgo_
directives, allowing blocked linker and
compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when issuing
the command go build
. The line directive requires the absolute path of the file in which the directive resides, which
makes exploiting this issue significantly more complex.
Impact
No impact. This is not a runtime issue and we do not compile untrusted code.
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2023-45283 Filepath Package and Special Prefixes - 7.5 CVSS
The filepath package does not recognize paths with a \??\
prefix as special. On Windows, a path beginning with \??\
is a Root Local Device (RDL) path equivalent to a path beginning with \\?\
. Paths with a \??\
prefix may be used to
access arbitrary locations on the system. For example, the path \??\c:\x
is equivalent to the more common path c:\x
.
Before the fix, the Clean
function could convert a rooted path such as \a\..\??\b
into the RDL path \??\b
. Clean
will now convert this to .\??\b
. Similarly, before the fix, Join(\, ??, b)
could convert a seemingly innocent
sequence of path elements into the RDL path ??\b. Join will now convert this to \.\??\b
.
In the fix version, the function IsAbs
now correctly reports paths beginning with \??\
as absolute, and VolumeName
correctly reports the \??\
prefix as a volume name.
Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?
,
resulting in filepath.Clean(\?\c:)
returning \?\c:
rather than \?\c:\
among other effects. The previous expected
behavior has been restored in the new version releases.
Impact
No impact. This only impacts Windows and Palette does not use Windows operating systems for runtime operations.
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2023-45285 Insecure Fetching of Go Modules - 7.5 CVSS
Using the command go get
to fetch a module with the .git
suffix may unexpectedly fallback to the insecure git://
protocol if the module is unavailable via the secure https://
and git+ssh://
protocols, even if GOINSECURE
is not
set for said module. This only affects users who are not using the module proxy and are fetching modules directly and
bypassing the Go proxy with GOPROXY=off
.
Impact
No impact. This is not a runtime issue and we do not use any dependent module with .git
suffix.
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2023-39325 Excessive Server Resource Consumption - 7.5 CVSS
A malicious HTTP/2 client that rapidly creates requests and immediately resets them can cause excessive server resource
consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams
setting, resetting
an in-progress request allows the attacker to create a new request while the existing one is still executing.
With the fix applied, HTTP/2 servers are now bound by the number of simultaneously executing handler goroutines to the
stream concurrency limit MaxConcurrentStreams
.
If a client sends a new request when the server is already processing the maximum number of requests, the new request will be queued and wait for a handler to become available. However, if the queue of pending requests grows too large, the server will terminate the connection. This will happen only after the client has reset an existing request that is still being processed by the server.
This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency
limit is 250 streams requests per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2
package. Refer to the Server.MaxConcurrentStreams
setting and the ConfigureServer
function for more details.
Impact
All Palette and VerteX releases prior to version 4.2.0 are impacted. The impact is largely mitigated as Palette and VerteX already have IP address based rate limit.
Patches
Palette and VerteX version 4.1.0 includes the fix for all the services using the HTTP/2 protocol.
Workarounds
No workaround available. Impact is largely mitigated by the rate limits on the API requests. Refer to the API Rate Limit documentation for more information.
References
January 10, 2024 - CVE-2023-5363 Potential Truncation of Symmetric Ciphers - 7.5 CVSS
A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.
Impact
Not Applicable. Impacting symbols defined in the CVE are not used.
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2019-0190 Denial of service - 7.5 CVSS
A bug exists in the way mod_ssl
handled client renegotiations. A remote attacker could send a carefully crafted
request that would cause mod_ssl
to enter a loop leading to a denial of service. This bug can be only triggered with
Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to
handling of renegotiation attempts.
Impact
Not Applicable. Apache HTTP server with OpenSSL 1.1.1 or later is not used.
Patches
Not Applicable
Workarounds
Not Applicable
References
January 10, 2024 - CVE-2022-4886 Nginx Path Sanitization Bypass - 8.8 CVSS
The Kubernetes ingress-nginx controller path sanitization feature can be
bypassed with the log_format
directive.
Impact
No impact on Palette SaaS, self-hosted Palette, or VerteX deployments. We do not allow end user to create or update ingress objects. Tenant clusters using the Nginx ingress controller pack with versions older than v1.8.0 may be impacted if they expose the ability for end users to create or update ingress objects.
Patches
No fix is available yet, but there is a remediation available starting with Nginx ingress controller v1.8.0. The Nginx
ingress controller pack is available with a newer version v1.9.4. The newer version has enable-annotation-validation
set to true
by default.
Workarounds
Starting with Nginx version v1.8.0, ingress administrators can set the --strict-validate-path-type
flag to true
to
validate ingress rules having pathType
as "Exact" or "Prefix". If the pathType
is ImplementationSpecific
then an
admission controller policy is required to filter out the malicious path. Check out the
OpenPolicyAgent and pathType enforcing
documentation for more information.
Tenant clusters using older Nginx ingress controller packs can upgrade to version v1.9.4 which has
strict-validate-path-type
set to true
by default.
References
January 10, 2024 - CVE-2023-5043 Ingress Nginx Annotation Injection - 8.8 CVSS
The Kubernetes ingress-nginx controller annotations can be used to inject arbitrary commands that are later executed.
Impact
No impact on Palette SaaS, self-hosted Palette and VerteX deployments. We do not allow end user to create or update ingress objects. Tenant clusters using the Nginx ingress controller pack with versions older than v1.8.0 may be impacted if they expose the ability for end users to create or update ingress objects.
Patches
No fix is available yet, but there is a remediation available starting with Nginx ingress controller v1.9.0. The Nginx
ingress controller pack is available with a newer version v1.9.4. The new version has enable-annotation-validation
set
to true
by default.
Workarounds
Starting with Nginx version v1.9.0, Ingress administrators should set the --enable-annotation-validation
flag to
enforce restrictions on the contents of ingress-nginx annotation fields. Tenant clusters using older Nginx ingress
controller pack versions can upgrade the pack to version 1.9.4 which has enable-annotation-validation
set to true
by
default.
References
January 10, 2024 - CVE-2023-5044 Ingress Nginx Annotation Injection - 8.8 CVSS
The Kubernetes ingress-nginx controller
nginx.ingress.kubernetes.io/permanent-redirect
annotation can be used to inject arbitrary commands that are later
executed.
Impact
No impact on Palette SaaS, self-hosted Palette and VerteX deployments. We do not allow end user to create or update ingress objects. Tenant clusters using nginx ingress controller pack with versions older than v1.8.0 may be impacted if they are expose the ability for end users to create or update ingress objects.
Patches
No fix is available yet, but there is a remediation available starting with Nginx ingress controller version 1.9.0. The
Nginx ingress controller pack is available with version v1.9.4. The newer version has enable-annotation-validation
set
to true
by default.
Workarounds
Starting with Nginx version 1.9.0, ingress administrators should set the --enable-annotation-validation
flag to
enforce restrictions on the contents of ingress-nginx annotation fields. Tenant clusters using older Nginx ingress
controller packs can upgrade to version v1.9.4 which has enable-annotation-validation
set to true
by default.
References
October 17, 2023 - CVE-2023-4911 Buffer Overflow in Dynamic Loader - 7.8 CVSS
A buffer overflow was discovered in the GNU C Library’s dynamic loader ld.so
while processing the GLIBC_TUNABLES
environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES
environment
variables when launching binaries with SUID
permission to execute code with elevated privileges.
Impact
All internal Palette and VerteX microservices are not impacted as the binaries are compiled using musl. This vulnerability, from an OS perspective, cannot be exploited without a remote code execution exploit.
Patches
Palette version 4.1.0 includes the security patch for the vulnerability.
Workarounds
Self-hosted instances of Palette and VerteX need to upgrade to version 4.1.0 or greater. Tenant Clusters and Private Cloud Gateways can be patched using the on-demand or scheduled OS security patches apply feature. Refer to the OS Patching documentation for more information.
References
October 11, 2023 - CVE-2023-44487 HTTP/2 Denial of Service - 7.5 CVSS
The HTTP/2 protocol may be used to create a denial of service and cause a server to exhaust all of its allocated resources. A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption.
Impact
All Palette and VerteX releases prior to version 4.1.0 are impacted. The impact is largely mitigated as Palette and VerteX already has IP address based rate limit.
Patches
Palette and VerteX version 4.1.0 includes the fix for all the services using HTTP/2 protocol.
Workarounds
No workaround available. Impact is largely mitigated by the rate limits on the API requests. Refer to the API Rate Limit documentation for more information.
References
October 6, 2023 - CVE-2023-32002 NodeJS Modules Policy Bypass - 9.8 CVSS
The use of the Module library's Module._load()
function can be used to bypass the defined policy mechanism and require
external modules not defined in the policy.json file for a given module. This vulnerability affects all users using
the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Note that at the time this CVE was
issued, the policy is an experimental feature of Node.js.
Impact
No impact since the impacted function is not used by Palette.
Patches
Not Applicable
Workarounds
Not Applicable
References
September 25, 2023 - CVE-2023-42810 - NodeJS SSID Command Injection Vulnerability - 9.8 CVSS
The NodeJS system information library, systeminformation
, has an SSID command injection vulnerability. The affected
versions are v5.0.0 to v5.21.6. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check
or sanitize parameter strings that are passed to wifiConnections()
, wifiNetworks()
.
Impact
No impact since the impacted functions are not used.
Patches
Not Applicable
Workarounds
Not Applicable
References
September 25, 2023 - CVE-2023-4863 Libwebp Programs Terminations - 8.8 CVSS
A heap buffer overflow in the library, libwebp
, allows a remote attacker to perform an out of bounds memory write via
a crafted HTML page. This vulerability is present with the combination of Google Chrome prior to versions 116.0.5845.187
with libwebp
version 1.3.2. This is Chromium security severity that is marked as Critical.
Impact
No impact since libwebp
is not used on any of the Palette container images. This vulnerability, from an OS perspective
OS, a cannot be exploited without a remote code execution exploit.
Patches
Release 4.1.0 of self-hosted Palette and VerteX deployment include the security patch for the CVE.
Workarounds
Self-hosted instances of Palette and VerteX need to upgrade to version 4.1.0 or greater. Tenant Clusters and Private Cloud Gateways can be patched using the on-demand or scheduled OS security patches apply feature. Refer to the OS Patching documentation for more information.
References
September 01, 2023 - CVE-2023-22809 Sudo Vulnerability - 7.8 CVSS
The sudo program version 1.9.12p2 and earlier mishandles extra arguments passed in the user-provided environment
variables SUDO_EDITOR
, VISUAL
, and EDITOR
when the sudoedit
command is executed.
The mishandling allows a local attacker to append arbitrary entries to the list of files to process. This can lead to
privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor
may contain the --
argument that defeats a protection mechanism. For example, an attacker may issue the following
command EDITOR='vim -- /path/to/extra/file
value.
Impact
This vulnerability affects the following Palette components:
-
Self-hosted Palette instances with versions older than 4.0.0
-
Private Cloud Gateways instances with versions older than 4.0.0
-
Clusters deployed with Palette versions older than 4.0.0
Patches
For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the OS.
Workarounds
For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the OS Patching documentation for more information.
References
September 01, 2023 - CVE-2023-38408 OpenSSH Vulnerability - 9.8 CVSS
The PKCS#11 feature in the OpenSSH ssh-agent before version 9.3p2 has an insufficiently trustworthy search path. This may lead to remote code execution if an agent is forwarded to an attacker-controlled system. Code in the folder /usr/lib may be unsafe to load into the ssh-agent. This issue exists because of an incomplete fix for CVE-2016-10009.
Impact
This vulnerability affects the following Palette components:
-
Self-hosted Palette instances with versions older than 4.0.0
-
Private Cloud Gateways instances with versions older than 4.0.0
-
Clusters deployed with Palette versions older than 4.0.0
Patches
- For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the Operating System (OS).
Workarounds
- For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the OS Patching documentation for more information.
References
September 01, 2023 - CVE-2023-29400 - HTML Template Vulnerability Security Advisory - 7.3 CVSS
When using Go templates with actions in unquoted HTML attributes, such as attr={{.}}
, unexpected output may occur due
to HTML normalization rules if invoked with an empty input. This may allow the injection of arbitrary attributes into
tags.
Impact
No impact. We use the Go package html/template and our HTML templates are static. Our templates do not contain characters mentioned in the CVE. We also do not accept or parse any provided user data
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-24539 - HTML Template Vulnerability Security Advisory - 7.3 CVSS
Angle brackets <>
are not considered dangerous characters when inserted into Cascading Style Sheets (CSS) contexts. Go
templates containing multiple actions separated by a /
character can result in unexpectedly closing the CSS context
and allowing for the injection of unexpected HTML if executed with untrusted input.
Impact
No impact. We use the Go package html/template and our HTML templates are static. We also do not accept or parse any provided user data.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-24538 - HTML Template Vulnerability - Security Advisory - 9.8 CVSS
Go templates do not consider backticks as a Javascript string delimiter and, as a result, do not escape them as expected. Backticks have been used since ES6 for JS template literals. If a Go template contains an action within a literal Javascript template, the action's contents can be used to terminate the literal and potentially inject arbitrary Javascript code into the Go template.
Go template actions are disallowed from being used inside of them, for example, "var a = {{.}}"
since there is no safe
way to allow this behavior. This takes the same approach as github.com/google/safehtml. With this fix,
Template.Parse()
returns an error when it encounters templates containing actions with literal JavaScript. The
ErrorCode has a value of 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21.
Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1
with the caveat that
backticks will now be escaped.
Impact
No impact. We use the Go package html/template and our HTML templates are static. We also do not accept or parse any provided user data.
Affected Products
Not applicable.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-29404 - CGO LDFLAGS Vulnerability Security Advisory - 9.8 CVSS
The go
command can execute any code during the build process when using cgo. This can happen when using go get
command on a malicious module or any other command that builds untrusted code. It can also be triggered by linker flags
specified through the #cgo LDFLAGS
directive. The non-optional flags in LDFLAGS sanitization allow disallowed flags to
be used with gc and gccgo compilers.
Impact
No impact. This is not a runtime issue and we do not compile untrusted code.
Affected Products
Not applicable.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-29402 - Go Modules Vulnerability Security Advisory - 9.8 CVSS
The go command may generate unexpected code at build time when using cgo. Using unexpected code with cgo can cause
unexpected behavior in Go programs. This may occur when an untrusted module contains directories with newline characters
in their names. Go modules retrieved using the command go get
are unaffected. Modules retrieved using the legacy
module retrieve method with the environment variables GOPATH
and GO111MODULE=off
may be affected.
Impact
No impact. This is not a runtime issue and we do not compile untrusted code.
Affected Products
Not applicable.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-29402 - Go get Vulnerability Security Advisory - 9.8 CVSS
The go command may execute arbitrary code at build time when using cgo. The arbitrary code execution may occur when the
command go get
is issued on a malicious module or when using any other command that builds untrusted code. This can be
triggered by linker flags specified via a #cgo LDFLAGS directive
. Flags containing embedded spaces are mishandled, and
disallowed flags are smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This
only affects the gccgo compiler.
Impact
No impact. This is not a runtime issue and we do not compile untrusted code.
Affected Products
Not applicable.
Patches
Not applicable.