Updated the following middleware component versions to resolve vulnerabilities in MSR:
[ENGDTR-4142] Golang 1.20.12
[ENGDTR-4043] Synopsys Scanner 2023.9
All CVEs reported in Pillow are false positives, the result of being picked up from cache but for a version not in use with MSR.
Resolved CVEs, as detailed:
Problem details from upstream
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes “e-Tugra” root certificates. e-Tugra’s root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from “e-Tugra” from the root store.
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd’s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the USER $USERNAME Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to ENTRYPOINT ["su", "-", "user"] to allow su to properly set up supplementary groups.
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
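The import bug above is an unbounded read of a per-file entry from an image tar. The following is an added illustration, not containerd's code, of the mitigation pattern: a bounded read that rejects an entry once it exceeds a cap (the limit value and the in-memory tar fixture are assumptions for the example).

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// readBounded reads at most limit bytes from r and fails if more are present, so a crafted image cannot make the importer read an attacker-sized file into memory.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, fmt.Errorf("entry exceeds %d byte limit", limit)
	}
	return data, nil
}

// importIndex scans an OCI layout tar stream for index.json and returns its contents, capped at limit bytes (the limit is the caller's assumption, not containerd's).
func importIndex(tarStream io.Reader, limit int64) ([]byte, error) {
	tr := tar.NewReader(tarStream)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return nil, errors.New("index.json not found in image tar")
		}
		if err != nil {
			return nil, err
		}
		if hdr.Name == "index.json" {
			return readBounded(tr, limit)
		}
	}
}

// buildImageTar constructs an in-memory tar holding one index.json of the given size (constructed test fixture).
func buildImageTar(indexSize int) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := bytes.Repeat([]byte("{"), indexSize)
	tw.WriteHeader(&tar.Header{Name: "index.json", Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.Close()
	return buf.Bytes()
}
```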
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by OpenSSL as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by public API functions including SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.
containerd is an open source container runtime. A bug was found in containerd’s CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user’s process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd’s CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
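The CRI stream server leak above is a goroutine blocked on a channel send with no receiver. The following added example (not containerd's code; the resizeEvent type is a simplified assumption) shows the leaking pattern beside the context-cancellation form that lets the goroutine exit when the process never launches.

```go
package main

import (
	"context"
	"time"
)

// resizeEvent is a simplified stand-in for the TTY resize message the CRI stream server forwards to the container process (assumed type).
type resizeEvent struct{ Width, Height uint16 }

// leakyForward models the pre-fix behaviour: an unbuffered send that blocks forever if the process never launched and nobody receives.
func leakyForward(events []resizeEvent, toProcess chan<- resizeEvent) <-chan struct{} {
	done := make(chan struct{})
	go func() {
		defer close(done)
		for _, ev := range events {
			toProcess <- ev // blocks indefinitely without a receiver
		}
	}()
	return done
}

// fixedForward ties the goroutine to a context cancelled on launch failure, so a pending send is abandoned instead of leaking.
func fixedForward(ctx context.Context, events []resizeEvent, toProcess chan<- resizeEvent) <-chan struct{} {
	done := make(chan struct{})
	go func() {
		defer close(done)
		for _, ev := range events {
			select {
			case toProcess <- ev:
			case <-ctx.Done():
				return
			}
		}
	}()
	return done
}

// exitedWithin reports whether the forwarding goroutine finished before d elapsed.
func exitedWithin(done <-chan struct{}, d time.Duration) bool {
	select {
	case <-done:
		return true
	case <-time.After(d):
		return false
	}
}
```

Calling fixedForward with a context that is cancelled when the container process fails to start is the shape of the fix; the leaky variant is kept only to show the difference.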
PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the CERTIFICATE), any header data and the payload data. If the function succeeds then the data arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. Functions including PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including SSL_CTX_use_serverinfo_file(), which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.
Heap/stack buffer overflow in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with <unichar code=" followed by arbitrary Python code, a similar issue to CVE-2019-17626.
ReportLab through 3.5.26 allows remote code execution because of colors.py, as demonstrated by a crafted XML document with <span color=" followed by arbitrary Python code.