Security information¶
Updated the following middleware component versions to resolve vulnerabilities in MSR:
[ENGDTR-4142] Golang 1.20.12
[ENGDTR-4043] Synopsys Scanner 2023.9
All CVEs reported in Pillow are false positives, the result of being picked up from cache but for a version not in use with MSR.
Resolved CVEs, as detailed:
CVE
Status
Problem details from upstream
Not Vulnerable
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes “e-Tugra” root certificates. e-Tugra’s root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from “e-Tugra” from the root store.
Resolved
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd’s client library should check that application for a separate advisory and instructions. As a workaround, ensure that the
USER $USERNAME
Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar toENTRYPOINT ["su", "-", "user"]
to allowsu
to properly set up supplementary groups.Resolved
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Resolved
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an
ASN1_STRING
but the public structure definition forGENERAL_NAME
incorrectly specified the type of the x400Address field asASN1_TYPE
. This field is subsequently interpreted by the OpenSSL functionGENERAL_NAME_cmp
as anASN1_TYPE
rather than anASN1_STRING
. When CRL checking is enabled (i.e. the application sets theX509_V_FLAG_CRL_CHECK
flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.Resolved
The public API function
BIO_new_NDEF
is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a newBIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to callBIO_pop()
on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal functionB64_write_ASN1()
which may causeBIO_new_NDEF()
to be called and will subsequently callBIO_pop()
on the BIO. This internal function is in turn called by the public API functionsPEM_write_bio_ASN1_stream
,PEM_write_bio_CMS_stream
,PEM_write_bio_PKCS7_stream
,SMIME_write_ASN1, SMIME_write_CMS
andSMIME_write_PKCS7
. Other public API functions that may be impacted by this includei2d_ASN1_bio_stream
,BIO_new_CMS
,BIO_new_PKCS7
,i2d_CMS_bio_stream
andi2d_PKCS7_bio_stream
. The OpenSSL cms and smime command line applications are similarly affected.Resolved
containerd is an open source container runtime. A bug was found in containerd’s CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user’s process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd’s CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
Resolved
The function
PEM_read_bio_ex()
reads a PEM file from a BIO and parses and decodes thename
(e.g.CERTIFICATE
), any header data and the payload data. If the function succeeds then thename_out
,header
anddata
arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this casePEM_read_bio_ex()
will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functionsPEM_read_bio()
andPEM_read()
are simple wrappers aroundPEM_read_bio_ex()
and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions includingPEM_X509_INFO_read_bio_ex()
andSSL_CTX_use_serverinfo_file()
which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument ifPEM_read_bio_ex()
returns a failure code. These locations include thePEM_read_bio_TYPE()
functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.Resolved
Heap/stack buffer overflow in the
dlang_lname
function ind-demangle.c
inlibiberty
allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.Not Vulnerable
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with
<unichar code="
followed by arbitrary Python code, a similar issue to CVE-2019-17626.Not Vulnerable
ReportLab through 3.5.26 allows remote code execution because of
toColor(eval(arg))
incolors.py
, as demonstrated by a crafted XML document with<span color="
followed by arbitrary Python code.