
In this article:

  • 02/04/2025: CVE-2025-1385 Remote code execution in ClickHouse Library Bridge
  • Original report
  • Summary
  • Compromised technologies
  • Vulnerable products and versions
  • Developer
  • Attack vector and severity level as per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 01/04/2024: CVE-2025-1974 Vulnerability in ingress-nginx in Kubernetes
  • Original report
  • Summary
  • Compromised technologies
  • Vulnerable products and versions
  • Attack vector and severity level as per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 06/03/2024: CVE-2024-21626: runc process.cwd and leaked fds container breakout
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Are cloud services affected?
  • 05/07/2024: CVE-2024-6387 RegreSSHion
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level as per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • How it impacts Yandex Cloud services
  • 06/03/2024: CVE-2023-23919: Multiple OpenSSL error handling issues in nodejs crypto library
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 06/03/2024: CVE-2023-23946: GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 06/03/2024: CVE-2023-22490: GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 28/12/2023: CVE-2023-44487 HTTP/2 Rapid Reset DDoS Attack
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Base vector and severity level of the vulnerability according to CVSS v.3.0
  • Recommendations for vulnerability detection and additional materials
  • Safe version of vulnerable product or patch
  • Are cloud services affected?
  • 28/12/2023: CVE-2023-23583 Reptar vulnerability in Ice Lake (IPU Out-of-Band)
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Base vector and severity level of the vulnerability according to CVSS v.3.0
  • Recommendations for vulnerability detection and additional materials
  • Safe version of vulnerable product or patch
  • Are cloud services affected?
  • 28/12/2023: CVE-2023-46850 OpenVPN v.2.6.7 Security patch
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Base vector and severity level of the vulnerability according to CVSS v.3.0
  • Procedure for checking the vulnerability and supporting materials (PoC code, video demonstration or others)
  • Safe version of vulnerable product or patch
  • Are cloud services affected?
  • 3/11/2023: CVE-2023-5043 NGINX Ingress Controller for Kubernetes vulnerabilities
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Recommendations for vulnerability detection and additional materials
  • Safe version of vulnerable product or patch
  • How it impacts Yandex Cloud services
  • 26/10/2023: CVE-2023-3484 GitLab Security Release: 16.1.2, 16.0.7, and 15.11.11
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 26/10/2023: CVE-2023-3424, CVE-2023-1936 GitLab Security Release: 16.1.1, 16.0.6, and 15.11.10
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 26/10/2023: CVE-2023-2442, CVE-2023-2013 GitLab Security Release: 16.0.2, 15.11.7, and 15.10.8
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 16/10/2023: BDU-2023-05857 Vulnerability in the landing module of the 1C-Bitrix Content Management System (CMS)
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Compensatory measures for Yandex Cloud users
  • Impact on Yandex Cloud services
  • 06/10/2023: CVE-2023-35943 CORS filter segfault when origin header is removed
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 06/10/2023: CVE-2023-35941 OAuth2 credentials exploit with permanent validity
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 03/07/2023: CVE-2023-2478 GitLab Critical Security Release: 15.11.2, 15.10.6, and 15.9.7
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 03/07/2023: CVE-2023-27561 Race-condition to bypass masked paths
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 03/07/2023: CVE-2023-27492 Crash when a large request body is processed in Lua filter
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 03/07/2023: CVE-2023-27491 Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 03/07/2023: CVE-2022-3513 - CVE-2022-3375. GitLab Security Release: 15.10.1, 15.9.4, and 15.8.5
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 13/04/2023: CVE-2023-26463: StrongSwan IPsec: Incorrectly Accepted Untrusted Public Key With Incorrect Refcount
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 13/04/2023: CVE-2023-0286: OpenSSL Security Advisory 7/02/2023
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 22/02/2023: CVE-2022-3602, CVE-2022-3786: OpenSSL Security release v.3.0.7
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 07/02/2023: CVE-2022-3411, CVE-2022-4138, CVE-2022-3759, CVE-2023-0518: GitLab Security Release: 15.8.1, 15.7.6, 15.6.7
  • Original report
  • Brief description
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 02/02/2022, CVE-2022-41903 and CVE-2022-23521: GitLab Critical Security Release: 15.7.5, 15.6.6, 15.5.9
  • Original report
  • Brief description
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 26/12/2022: CVE-2022-47940: KSMBD FS/KSMBD/SMB2PDU.C SMB2_WRITE
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 06/12/2022: CVE-2022-28228: Out-of-bounds reads in YDB servers
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Compensatory measures for Yandex Cloud users
  • Impact on Yandex Cloud services
  • 03/11/2022: CVE-2022-42889: Text4Shell
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Impact on Yandex Cloud services
  • 01/09/2022: CVE-2022-2992: GitLab Critical Security Release: 15.3.2, 15.2.4, and 15.1.6
  • Original report
  • Brief description
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Compensatory measures for Yandex Cloud users
  • Impact on Yandex Cloud services
  • 31/08/2022: CVE-2020-8561, Redirecting Kubernetes API server requests
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level as per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Compensatory measures for Yandex Cloud users
  • Impact on Yandex Cloud services
  • 25/08/2022: CVE-2022-2884: Remote Command Execution via GitHub import in GitLab
  • Original report
  • Summary
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of the vulnerable product or patch
  • Compensatory measures for Yandex Cloud users
  • Impact on Yandex Cloud services
  • 04/07/2022: CVE-2022-27228: Vulnerability of "vote" module in CMS 1C-Bitrix
  • Original report
  • Brief description
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Compensatory measures for Yandex Cloud users
  • Impact on Yandex Cloud services
  • 22/06/2022: CVE-2022-1680: GitLab account takeover, critical vulnerability
  • Original report
  • Brief description
  • Technologies affected
  • Vulnerable products and versions
  • Vendor
  • Attack vector and severity level per CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of vulnerable product or patch
  • Compensatory measures for Yandex Cloud users
  • 15/06/2022: CVE-2021-25748: Ingress-nginx. Path sanitization bypass
  • Original report
  • Brief description
  • Involved technologies
  • Affected products and versions
  • Vendor
  • Attack vector and severity level according to CVSS v.3.0
  • Recommendations for vulnerability detection and supporting materials
  • Safe version of the vulnerable product or patch
  • Compensatory measures for Yandex Cloud users
  • Impact on Yandex Cloud services
  • 29.04.2022: CVE-2022-24735 and CVE-2022-24736: Redis
  • Description
  • Impact
  • Compensatory measures
  • 06/04/2022: CVE-2022-1162: GitLab Critical Security Release
  • Description
  • Impact on Yandex Cloud services
  • Compensatory measures
  • 18/03/2022: CVE-2022-0811: cr8escape
  • Description
  • Impact on Yandex Cloud services
  • Compensatory measures
  • 09/03/2022: CVE-2022-0847: Dirty Pipe
  • Description
  • Impact on Yandex Cloud services
  • Compensatory measures
  • 28/02/2022: CVE-2022-0735 (token disclosure), CVE-2022-0549, CVE-2022-0751, CVE-2022-0741, CVE-2021-4191, CVE-2022-0738, CVE-2022-0489: Multiple GitLab vulnerabilities
  • Description
  • Impact on Yandex Cloud services
  • Compensatory measures
  • 28/01/2022: CVE-2022-0185: Heap overflow bug in legacy_parse_param
  • Description
  • Impact
  • Compensatory measures
  • 28/01/2022: CVE-2021-4034: Polkit's pkexec
  • Description
  • Impact
  • Compensatory measures
  • 29/12/2021: CVE-2021-45105, CVE-2021-44832: Denial of service and remote code execution (Log4j)
  • Description
  • Impact
  • Compensatory measures
  • 17/12/2021: CVE-2021-45046: Remote code execution (Log4j)
  • Description
  • Impact
  • Compensatory measures
  • 10/12/2021: CVE-2021-44228: Remote code execution (Log4Shell, Apache Log4j)
  • Description
  • Impact
  • Compensatory measures
  • 12/11/2021: CVE-2021-22205: Remote code execution via a vulnerability in GitLab
  • Description
  • Impact on Yandex Cloud services
  • Compensatory measures
  • More information
  • 12/10/2021: CVE-2021-25741: Risk of accessing a host's file system
  • Description
  • Impact on Yandex Cloud services
  • Compensatory measures
  • More information
  • 03/03/2021: CVE-2021-21309: Remote code execution via a vulnerability in Valkey™
  • Description
  • Impact on Yandex Cloud services
  • 26/01/2021: CVE-2021-3156: Privilege escalation through vulnerabilities in sudo
  • Description
  • Impact on Yandex Cloud services
  • More information
  • 24/12/2020: CVE-2020-25695: Privilege escalation in PostgreSQL
  • Description
  • Impact on Yandex Cloud services
  • 19/11/2020: Discontinue support for deprecated TLS protocols
  • Description
  • Impact on Yandex Cloud services
  • 20/09/2020: CVE-2020-1472 (aka Zerologon)
  • Description
  • Impact on Yandex Cloud services
  • Compensatory measures
  • 15/06/2020: Special Register Buffer Data Sampling Attack (aka CrossTalk)
  • Description
  • Impact on Yandex Cloud services
  • 28.08.2019: TCP SACK
  • Description
  • Impact on Yandex Cloud services
  • 19.08.2019: Some Yandex Object Storage domains are included in the Public Suffix List
  • Description
  • Impact on Yandex Cloud services

Security bulletins

Written by
Yandex Cloud
Updated at April 23, 2025
  • 02/04/2025: CVE-2025-1385 Remote code execution in ClickHouse Library Bridge
    • Original report
    • Summary
    • Compromised technologies
    • Vulnerable products and versions
    • Developer
    • Attack vector and severity level as per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 01/04/2024: CVE-2025-1974 Vulnerability in ingress-nginx in Kubernetes
    • Original report
    • Summary
    • Compromised technologies
    • Vulnerable products and versions
    • Attack vector and severity level as per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 06/03/2024: CVE-2024-21626: runc process.cwd and leaked fds container breakout
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Are cloud services affected?
  • 05/07/2024: CVE-2024-6387 RegreSSHion
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level as per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • How it impacts Yandex Cloud services
  • 06/03/2024: CVE-2023-23919: Multiple OpenSSL error handling issues in nodejs crypto library
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 06/03/2024: CVE-2023-23946: GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 06/03/2024: CVE-CVE-2023-22490: GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 28/12/2023: CVE-2023-44487 HTTP/2 Rapid Reset DDoS Attack
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Base vector and severity level of the vulnerability according to CVSS v.3.0
    • Recommendations for vulnerability detection and additional materials
    • Safe version of vulnerable product or patch
    • Are cloud services affected?
  • 28/12/2023: CVE-2023-23583 Reptar vulnerability in Ice Lake (IPU Out-of-Band)
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Base vector and severity level of the vulnerability according to CVSS v.3.0
    • Recommendations for vulnerability detection and additional materials
    • Safe version of vulnerable product or patch
    • Are cloud services affected?
  • 28/12/2023: CVE-2023-46850 OpenVPN v.2.6.7 Security patch
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Base vector and severity level of the vulnerability according to CVSS v.3.0
    • Procedure for checking the vulnerability and supporting materials (PoC code, video demonstration or others)
    • Safe version of vulnerable product or patch
    • Are cloud services affected?
  • 3/11/2023: CVE-2023-5043 NGINX Ingress Controller for Kubernetes vulnerabilities
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Recommendations for vulnerability detection and additional materials
    • Safe version of vulnerable product or patch
    • How it impacts Yandex Cloud services
  • 26/10/2023: CVE-2023-3484 GitLab Security Release: 16.1.2, 16.0.7, and 15.11.11
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 26/10/2023: CVE-2023-3424, CVE-2023-1936 GitLab Security Release: 16.1.1, 16.0.6, and 15.11.10
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 26/10/2023: CVE-2023-2442, CVE-2023-2013 GitLab Security Release: 16.0.2, 15.11.7, and 15.10.8
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 16/10/2023: BDU-2023-05857 Vulnerability in the landing module of the 1C-Bitrix Content Management System (CMS)
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Compensatory measures for Yandex Cloud users
    • Impact on Yandex Cloud services
  • 06/10/2023: CVE-2023-35943 CORS filter segfault when origin header is removed
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 06/10/2023: CVE-2023-35941 OAuth2 credentials exploit with permanent validity
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 03/07/2023: CVE-2023-2478 GitLab Critical Security Release: 15.11.2, 15.10.6, and 15.9.7
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 03/07/2023: CVE-2023-27561 Race-condition to bypass masked paths
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 03/07/2023: CVE-2023-27492 Crash when a large request body is processed in Lua filter
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 03/07/2023: CVE-2023-27491 Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 03/07/2023: CVE-2022-3513 - CVE-2022-3375. GitLab Security Release: 15.10.1, 15.9.4, and 15.8.5
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 13/04/2023: CVE-2023-26463: StrongSwan IPsec: Incorrectly Accepted Untrusted Public Key With Incorrect Refcount
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 13/04/2023: CVE-2023-0286: OpenSSL Security Advisory 7/02/2023
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 22/02/2023: CVE-2022-3602, CVE-2022-3786: OpenSSL Security release v.3.0.7
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 07/02/2023: CVE-2022-3411, CVE-2022-4138, CVE-2022-3759, CVE-2023-0518,: GitLab Security Release: 15.8.1, 15.7.6, 15.6.7
    • Original report
    • Brief description
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 02/02/2022, CVE-2022-41903 and CVE-2022-23521: GitLab Critical Security Release: 15.7.5, 15.6.6, 15.5.9
    • Original report
    • Brief description
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 26/12/2022: CVE-2022-47940: KSMBD FS/KSMBD/SMB2PDU.C SMB2_WRITE
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 06/12/2022: CVE-2022-28228: Out-of-bounds reads in YDB servers
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Compensatory measures for Yandex Cloud users
    • Impact on Yandex Cloud services
  • 03/11/2022: CVE-2022-42889: Text4Shell
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Impact on Yandex Cloud services
  • 01/09/2022: CVE-2022-2992: GitLab Critical Security Release: 15.3.2, 15.2.4, and 15.1.6
    • Original report
    • Brief description
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Compensatory measures for Yandex Cloud users
    • Impact on Yandex Cloud services
  • 31/08/2022: CVE-2020-8561, Redirecting Kubernetes API server requests
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level as per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Compensatory measures for Yandex Cloud users
    • Impact on Yandex Cloud services
  • 25/08/2022: CVE-2022-2884: Remote Command Execution via GitHub import in GitLab
    • Original report
    • Summary
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of the vulnerable product or patch
    • Compensatory measures for Yandex Cloud users
    • Impact on Yandex Cloud services
  • 04/07/2022: CVE-2022-27228: Vulnerability of "vote" module in CMS 1C-Bitrix
    • Original report
    • Brief description
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Compensatory measures for Yandex Cloud users
    • Impact on Yandex Cloud services
  • 22/06/2022: CVE-2022-1680: GitLab account takeover, critical vulnerability
    • Original report
    • Brief description
    • Technologies affected
    • Vulnerable products and versions
    • Vendor
    • Attack vector and severity level per CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of vulnerable product or patch
    • Compensatory measures for Yandex Cloud users
  • 15/06/2022: CVE-2021-25748: Ingress-nginx. Path sanitization bypass
    • Original report
    • Brief description
    • Involved technologies
    • Affected products and versions
    • Vendor
    • Attack vector and severity level according to CVSS v.3.0
    • Recommendations for vulnerability detection and supporting materials
    • Safe version of the vulnerable product or patch
    • Compensatory measures for Yandex Cloud users
    • Impact on Yandex Cloud services
  • 29.04.2022: CVE-2022-24735 and CVE-2022-24736: Redis
    • Description
    • Impact
    • Compensatory measures
  • 06/04/2022: CVE-2022-1162: GitLab Critical Security Release
    • Description
    • Impact on Yandex Cloud services
    • Compensatory measures
  • 18/03/2022: CVE-2022-0811: cr8escape
    • Description
    • Impact on Yandex Cloud services
    • Compensatory measures
  • 09/03/2022: CVE-2022-0847: Dirty Pipe
    • Description
    • Impact on Yandex Cloud services
    • Compensatory measures
  • 28/02/2022: CVE-2022-0735 (token disclosure), CVE-2022-0549, CVE-2022-0751, CVE-2022-0741, CVE-2021-4191, CVE-2022-0738, CVE-2022-0489: Multiple GitLab vulnerabilities
    • Description
    • Impact on Yandex Cloud services
    • Compensatory measures
  • 28/01/2022: CVE-2022-0185: Heap overflow bug in legacy_parse_param
    • Description
    • Impact
    • Compensatory measures
  • 28/01/2022: CVE-2021-4034: Polkit's pkexec
    • Description
    • Impact
    • Compensatory measures
  • 29/12/2021: CVE-2021-45105, CVE-2021-44832: Denial of service and remote code execution (Log4j)
    • Description
    • Impact
    • Compensatory measures
  • 17/12/2021: CVE-2021-45046: Remote code execution (Log4j)
    • Description
    • Impact
    • Compensatory measures
  • 10/12/2021: CVE-2021-44228: Remote code execution (Log4Shell, Apache Log4j)
    • Description
    • Impact
    • Compensatory measures
  • 12/11/2021: CVE-2021-22205: Remote code execution via a vulnerability in GitLab
    • Description
    • Impact on Yandex Cloud services
    • Compensatory measures
    • More information
  • 12/10/2021: CVE-2021-25741: Risk of accessing a host's file system
    • Description
    • Impact on Yandex Cloud services
    • Compensatory measures
    • More information
  • 03/03/2021: CVE-2021-21309: Remote code execution via a vulnerability in Valkey™
    • Description
    • Impact on Yandex Cloud services
  • 26/01/2021: CVE-2021-3156: Privilege escalation through vulnerabilities in sudo
    • Description
    • Impact on Yandex Cloud services
    • More information
  • 24/12/2020: CVE-2020-25695: Privilege escalation in PostgreSQL
    • Description
    • Impact on Yandex Cloud services
  • 19/11/2020: Discontinue support for deprecated TLS protocols
    • Description
    • Impact on Yandex Cloud services
  • 20/09/2020: CVE-2020-1472 (aka Zerologon)
    • Description
    • Impact on Yandex Cloud services
    • Compensatory measures
  • 15/06/2020: Special Register Buffer Data Sampling Attack (aka CrossTalk)
    • Description
    • Impact on Yandex Cloud services
  • 28.08.2019: TCP SACK
    • Description
    • Impact on Yandex Cloud services
  • 19.08.2019: Some Yandex Object Storage domains are included in the Public Suffix List
    • Description
    • Impact on Yandex Cloud services

This page contains security recommendations from Yandex Cloud experts.

02/04/2025: CVE-2025-1385 Remote code execution in ClickHouse Library Bridge

CVE ID: CVE-2025-1385

CVE link: https://nvd.nist.gov/vuln/detail/CVE-2025-1385

Original report

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5phv-x8x4-83x5

Summary

A vulnerability in ClickHouse allowed remote code execution when the Library Bridge feature was enabled. The clickhouse-library-bridge component exposes an HTTP API on localhost that lets clickhouse-server dynamically load libraries from specific paths and run them in an isolated process. Combined with a ClickHouse table engine that allows writing files to certain directories, a misconfigured server could be exploited by an attacker with access to such table engines to run arbitrary code on the ClickHouse server.

Compromised technologies

ClickHouse

Vulnerable products and versions

  • ClickHouse below version 24.3.18.6
  • ClickHouse below version 24.8.14.27
  • ClickHouse below version 24.11.5.34
  • ClickHouse below version 24.12.5.65
  • ClickHouse below version 25.1.5.5

Developer

ClickHouse, Inc.

Attack vector and severity level as per CVSS v.3.0

Not assigned.

Recommendations for vulnerability detection and supporting materials

To check whether your ClickHouse server is exposed, look in the configuration file for the following setting, which enables the Library Bridge:

<library_bridge>
   <port>9019</port>
</library_bridge>
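As an added example (not ClickHouse's or Yandex Cloud's own code), the following Python script reads a ClickHouse config.xml, reports whether the library_bridge setting above is present, and compares the server version with the fixed releases listed in this bulletin. The sample config is constructed, and the handling of release branches not listed in the bulletin is an assumption noted in the code.

```python
import xml.etree.ElementTree as ET

# Fixed releases from this bulletin, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (24, 3): (24, 3, 18, 6),
    (24, 8): (24, 8, 14, 27),
    (24, 11): (24, 11, 5, 34),
    (24, 12): (24, 12, 5, 65),
    (25, 1): (25, 1, 5, 5),
}

# Constructed sample config with the Library Bridge enabled (not a real host's file).
SAMPLE_CONFIG = """<clickhouse>
    <tcp_port>9000</tcp_port>
    <library_bridge>
        <port>9019</port>
    </library_bridge>
</clickhouse>
"""


def parse_version(text):
    """'24.8.13.16' -> (24, 8, 13, 16); a suffix such as '-lts' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_fixed_version(version):
    """True if the version is at or above the fixed release of its branch.

    Assumption: branches newer than 25.1 were cut after the fix and are
    treated as fixed; older branches with no listed fix are treated as
    vulnerable.
    """
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return branch > (25, 1)
    return v >= fixed


def library_bridge_setting(config_xml):
    """Return {'enabled': bool, 'port': int or None} from the server config.

    The bridge counts as enabled whenever the <library_bridge> element is
    present, whether or not a <port> is given inside it.
    """
    root = ET.fromstring(config_xml)
    node = root.find(".//library_bridge")
    if node is None:
        return {"enabled": False, "port": None}
    port = (node.findtext("port") or "").strip()
    return {"enabled": True, "port": int(port) if port.isdigit() else None}


def assess(config_xml, version):
    """Combine both checks: the server is at risk only when the bridge is
    enabled and the version predates the fix for its branch."""
    setting = library_bridge_setting(config_xml)
    fixed = is_fixed_version(version)
    return {
        "library_bridge_enabled": setting["enabled"],
        "library_bridge_port": setting["port"],
        "version_fixed": fixed,
        "at_risk": setting["enabled"] and not fixed,
    }


if __name__ == "__main__":
    for ver in ("24.8.13.16", "24.8.14.27"):
        print(ver, assess(SAMPLE_CONFIG, ver))
```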

Safe version of vulnerable product or patch

The vulnerability has been fixed in the following versions:

  • 24.3.18.6
  • 24.8.14.27
  • 24.11.5.34
  • 24.12.5.65
  • 25.1.5.5

Impact on Yandex Cloud services

Yandex Managed Service for ClickHouse® is updated to versions with the vulnerability fixed. No user action is required.

When using ClickHouse on your own VMs in Yandex Cloud, no additional end user actions are required, as the vulnerability is already fixed in the new image versions.

01/04/2024: CVE-2025-1974 Vulnerability in ingress-nginx in Kubernetes

CVE ID: CVE-2025-1974

CVE link: https://nvd.nist.gov/vuln/detail/CVE-2025-1974

Original report

https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/

Summary

A vulnerability was discovered in the Kubernetes ingress-nginx controller that allows an unauthenticated attacker with access to the pod network to execute arbitrary code in the context of the ingress-nginx controller. This may give unauthorized access to the secrets available to the controller; by default, the controller can access all secrets in the cluster.

Compromised technologies

Kubernetes

Vulnerable products and versions

  • Versions through 1.11.4
  • Version 1.12.0

Attack vector and severity level as per CVSS v.3.0

9.8 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Recommendations for vulnerability detection and supporting materials

To check whether ingress-nginx is installed in your cluster, run: kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

Safe version of vulnerable product or patch

If you are using an ingress-nginx version from Cloud Marketplace, the upgrade is available only for Kubernetes versions 1.28 or higher.

You cannot install a safe ingress-nginx version in clusters with Kubernetes versions prior to 1.28 unless you upgrade the Kubernetes version first.

Impact on Yandex Cloud services

We recommend installing the safe ingress-nginx version from Cloud Marketplace.

If you use another installation method:

  • Helm: Reinstall ingress-nginx with the admission webhook disabled: --set controller.admissionWebhooks.enabled=false
  • YAML manifest:
    1. Delete the ValidatingWebhookConfiguration resource named ingress-nginx-admission.
    2. Edit the Deployment or DaemonSet resource named ingress-nginx-controller and remove the --validating-webhook argument from the container's argument list.

06/03/2024: CVE-2024-21626: runc process.cwd and leaked fds container breakout

CVE ID: CVE-2024-21626

CVE link: https://nvd.nist.gov/vuln/detail/CVE-2024-21626

Original report

https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv

Summary

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, an internal file descriptor leak allowed an attacker to cause a newly spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to give a container process access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing complete container escapes ("attack 3a" and "attack 3b").

runc 1.1.12 includes patches for this issue.

Technologies affected

runc

Vulnerable products and versions

From v1.0.0 before v1.1.11

Attack vector and severity level per CVSS v.3.0

7.5 High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Recommendations for vulnerability detection and supporting materials

Public exploits:

  • https://github.com/Wall1e/CVE-2024-21626-POC
  • https://github.com/NitroCao/CVE-2024-21626

Safe version of vulnerable product or patch

The vulnerability has been fixed as of version 1.1.12.

Are cloud services affected?

We updated current and upcoming images that use runc to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

05/07/2024: CVE-2024-6387 RegreSSHion

CVE ID: CVE-2024-6387

CVE link: https://www.cve.org/CVERecord?id=CVE-2024-6387

Original report

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

Summary

The vulnerability is a race condition in the OpenSSH server (sshd) that in some cases allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. This poses a significant threat to security. It takes an attacker at least six hours to exploit this issue.

Technologies affected

openssh-server

Vulnerable products and versions

  • openssh-server before 4.4p1
  • openssh-server from 8.5p1 to 9.8p1

Vendor

OpenBSD Project

Attack vector and severity level as per CVSS v.3.0

Base score: 8.1 HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Recommendations for vulnerability detection and supporting materials

As a workaround, set LoginGraceTime to 0 in /etc/ssh/sshd_config. This prevents the exploit, although it potentially exposes the server to DDoS attacks, because unauthenticated connections are no longer timed out.

See also: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
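As an added example (not OpenSSH's or Yandex Cloud's own code), this Python script reads the effective LoginGraceTime from sshd_config text the way sshd resolves it (first global occurrence wins; Match blocks cannot set it) and produces a copy with the workaround above applied, so the change can be reviewed before it is written to /etc/ssh/sshd_config. The sample config is constructed.

```python
import re

# sshd_config(5): if LoginGraceTime is absent, sshd's compiled-in default is 120 s.
DEFAULT_LOGIN_GRACE_TIME = 120

# Constructed sample, not a real host's file: a commented-out value, a live
# value, and a Match block that must not affect the global setting.
SAMPLE_SSHD_CONFIG = """# constructed sample sshd_config
Port 22
#LoginGraceTime 2m
LoginGraceTime 2m
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """sshd time format: plain seconds or a sum of N[smhdw] terms, e.g. 1h30m."""
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))


def global_directives(text):
    """Yield (keyword, value) for global directives in file order.

    Keywords are case-insensitive and may be written as 'Key value' or
    'Key=value'. Everything from the first Match line onward is skipped,
    because LoginGraceTime is not allowed inside Match blocks and sshd
    takes the first global occurrence of a keyword.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9]+)[\s=]+(.*)$", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            return
        yield keyword, value


def login_grace_time(text):
    """Effective LoginGraceTime in seconds, as sshd would resolve it."""
    for keyword, value in global_directives(text):
        if keyword == "logingracetime":
            return parse_time(value)
    return DEFAULT_LOGIN_GRACE_TIME


def workaround_applied(text):
    return login_grace_time(text) == 0


def apply_workaround(text):
    """Return a copy of the config with the bulletin's workaround applied.

    The first global LoginGraceTime line is replaced by 'LoginGraceTime 0';
    if there is none, the directive is prepended so it precedes any Match
    block. Trade-off from the bulletin: with no grace timeout, sshd never
    closes unauthenticated connections on its own.
    """
    out, done, in_match = [], False, False
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if re.match(r"^match\b", stripped, re.I):
            in_match = True
        if not done and not in_match and re.match(r"^logingracetime[\s=]", stripped, re.I):
            out.append("LoginGraceTime 0")
            done = True
        else:
            out.append(raw)
    if not done:
        out.insert(0, "LoginGraceTime 0")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", login_grace_time(SAMPLE_SSHD_CONFIG), "s")
    print("after: ", login_grace_time(apply_workaround(SAMPLE_SSHD_CONFIG)), "s")
```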

Safe version of vulnerable product or patch

Find out which openssh-server version you are running with the dpkg -l openssh-server command. If your version is vulnerable, update the package to 9.8p1 or higher.

How it impacts Yandex Cloud services

We updated the basic VM images to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

We checked internal Yandex Cloud services for the presence of the vulnerability.

06/03/2024: CVE-2023-23919: Multiple OpenSSL error handling issues in nodejs crypto library

CVE ID: CVE-2023-23919

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-23919

Original report

https://hackerone.com/reports/1808596

Summary

A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases does not clear the OpenSSL error stack after operations that may set it. This may lead to false-positive errors during subsequent cryptographic operations that happen to run on the same thread, which in turn could be used to cause a denial of service.

Technologies affected

Node.js (its use of OpenSSL)

Vulnerable products and versions

Node.js <= 19.2.0, 18.14.1, 16.19.1, 14.21.3

Vendor

OpenJS Foundation

Attack vector and severity level per CVSS v.3.0

Base Score: 7.5 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Recommendations for vulnerability detection and supporting materials

  • https://hackerone.com/reports/1808596
  • https://github.com/nodejs/node/pull/45495
  • https://github.com/nodejs/node/pull/45377
  • https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/

Safe version of vulnerable product or patch

Recent Node.js and OpenSSL releases already contain fixes for this issue.

Impact on Yandex Cloud services

We have built and shipped an up-to-date Node.js in the images. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

06/03/2024: CVE-2023-23946: GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8

CVE ID: CVE-2023-23946

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-23946

Original report

  • https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/
  • https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh
  • https://github.com/git/git/security/advisories/GHSA-gw92-x3fm-3g3q

Summary

Multiple vulnerabilities. The full list:

https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/

Technologies affected

GitLab

Vulnerable products and versions

GitLab CE/EE < 15.8.2, 15.7.7, and 15.6.8

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

Base Score: 6.2

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Recommendations for vulnerability detection and supporting materials

https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/

Safe version of vulnerable product or patch

The vulnerabilities have been fixed in versions 15.8.2, 15.7.7 and 15.6.8.

Impact on Yandex Cloud services

For the convenience of Yandex Managed Service for GitLab users, we have already updated existing and future instances to the latest version. If you are using an image on a VM, we recommend that you update it yourself.

06/03/2024: CVE-2023-22490: GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8

CVE ID: CVE-2023-22490

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-22490

Original report

  • https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/
  • https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh
  • https://github.com/git/git/security/advisories/GHSA-gw92-x3fm-3g3q

Summary

Multiple vulnerabilities. The full list:

https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/

Technologies affected

GitLab

Vulnerable products and versions

GitLab CE/EE < 15.8.2, 15.7.7, and 15.6.8

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

CVE-2023-22490: Base Score 5.5

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Recommendations for vulnerability detection and supporting materials

https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/

Safe version of vulnerable product or patch

The vulnerabilities have been fixed in versions 15.8.2, 15.7.7 and 15.6.8.

Impact on Yandex Cloud services

For the convenience of Yandex Managed Service for GitLab users, we have already updated existing and future instances to the latest version. If you are using an image on a VM, we recommend that you update it yourself.

28/12/2023: CVE-2023-44487 HTTP/2 Rapid Reset DDoS Attack

CVE ID: CVE-2023-44487

CVE link: https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Original report

https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088

Summary

Yandex Cloud has implemented all necessary measures against CVE-2023-44487, known as HTTP/2 Rapid Reset.

This vulnerability is in the HTTP/2 protocol. Under certain conditions, it can be exploited to mount a denial-of-service attack on web servers such as NGINX, Envoy, and other products that implement the server side of the HTTP/2 specification. To protect your systems from this attack, we recommend updating your web server immediately.

Technologies affected

NGINX, HTTP/2

Vulnerable products and versions

  • NGINX Open Source 1.x: 1.9.5 - 1.25.2
  • org.apache.tomcat.embed:tomcat-embed-core package, versions [,8.5.94], [9.0.0,9.0.81], [10.0.0,10.1.14], [11.0.0-M3,11.0.0-M12]
  • NGINX Ingress Controller
    • 3.x: 3.0.0 - 3.3.0 (fixed in 3.3.1)
    • 2.x: 2.0.0 - 2.4.2
    • 1.x: 1.12.2 - 1.12.5
  • Envoy 1.27.1, 1.26.5, 1.25.10 or 1.24.10
  • NGINX Plus R2x: R25 - R30
  • BIG-IP (all modules) 17.x: 17.1.0
  • BIG-IP Next (all modules) 20.x: 20.0.1
  • BIG-IP Next SPK 1.x: 1.5.0 - 1.8.2
  • Source: https://my.f5.com/manage/s/article/K000137106

Base vector and severity level of the vulnerability according to CVSS v.3.0

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Recommendations for vulnerability detection and additional materials

Procedure for checking the vulnerability and supporting materials (PoC code, video demonstration or others):

  • https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
  • https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76
  • https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-5953331

Update or patch version:

  • Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.
  • Upgrade envoyproxy/envoy to version 1.24.11, 1.25.10, 1.26.5, 1.27.1 or higher.
  • Limit concurrent streams in NGINX with the http2_max_concurrent_streams directive: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
  • Use Yandex Smart Web Security

Safe version of vulnerable product or patch

Not yet.

Are cloud services affected?

No.

28/12/2023: CVE-2023-23583 Reptar vulnerability in Ice Lake (IPU Out-of-Band)

CVE ID: CVE-2023-23583

CVE link: https://nvd.nist.gov/vuln/detail/CVE-2023-23583

Summary

The Reptar vulnerability affects Intel-based server systems; the manufacturer has released the necessary patches, and the Yandex Cloud infrastructure has been updated.

The vulnerability could lead to privilege escalation.

Technologies affected

Intel (microcode)

Vulnerable products and versions

  • https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html
  • https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

Base vector and severity level of the vulnerability according to CVSS v.3.0

Base score: 7.8. Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Recommendations for vulnerability detection and additional materials

Procedure for checking the vulnerability and supporting materials (PoC code, video demonstration or others):

https://lock.cmpxchg8b.com/reptar.html

Update or patch version:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html

Safe version of vulnerable product or patch

The vulnerability has been fixed as of version 1.9.0.

Are cloud services affected?

No.

28/12/2023: CVE-2023-46850 OpenVPN v.2.6.7 Security patch

CVE IDs: CVE-2023-46849, CVE-2023-46850

CVE links:

  • https://nvd.nist.gov/vuln/detail/CVE-2023-46849
  • https://nvd.nist.gov/vuln/detail/CVE-2023-46850

Original report

https://openvpn.net/community-downloads/

Summary

CVE-2023-46850 can cause the contents of process memory to be sent to the other side of the connection and may potentially lead to remote code execution.

CVE-2023-46849 may allow a remote party to trigger an emergency shutdown of the access server.

Technologies affected

OpenVPN

Vulnerable products and versions

From v2.6.0 before v2.6.6

Base vector and severity level of the vulnerability according to CVSS v.3.0

Network.

Procedure for checking the vulnerability and supporting materials (PoC code, video demonstration or others)

No PoC yet.

Safe version of vulnerable product or patch

The vulnerability has been fixed as of version 2.6.7.

Are cloud services affected?

Yes.

3/11/2023: CVE-2023-5043 NGINX Ingress Controller for Kubernetes vulnerabilities

CVE IDs: CVE-2023-5043, CVE-2023-5044, CVE-2022-4886

CVE links:

  • https://nvd.nist.gov/vuln/detail/CVE-2023-5043
  • https://nvd.nist.gov/vuln/detail/CVE-2023-5044
  • https://nvd.nist.gov/vuln/detail/CVE-2022-4886

Original report

  • https://github.com/kubernetes/ingress-nginx/issues/10571
  • https://github.com/kubernetes/ingress-nginx/issues/10572
  • https://github.com/kubernetes/ingress-nginx/issues/10570

Summary

The first two vulnerabilities, CVE-2023-5043 and CVE-2023-5044, stem from insufficient validation of input data, which may allow injection of malicious code, takeover of privileged credentials, and theft of all the cluster's secrets. Both issues have a CVSS score of 7.60/10.

CVE-2022-4886 has a higher CVSS score of 8.80. This issue can be exploited when creating or updating Ingress objects: an attacker may obtain the Kubernetes API credentials of the Ingress Controller and, consequently, steal all the cluster's secrets. This vulnerability affects version 1.8.0 and lower.

Technologies affected

NGINX

Vulnerable products and versions

NGINX: Up to version 1.9.0

Recommendations for vulnerability detection and additional materials

To prevent exploitation of these vulnerabilities, we recommend the following:

  1. Update NGINX Ingress Controller to 1.9.0; this version validates annotations, and custom snippets are disabled by default.
  2. Add the --enable-annotation-validation argument to the controller startup options.
  3. Set the strict-validate-path-type option in the controller ConfigMap.
  4. Use a policy engine, such as Kyverno, to validate the paths used in Ingress rules. A ready-to-use policy is available on the Kyverno website.
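As an added example (not code from the ingress-nginx project, Kubernetes or Yandex Cloud), the Python auditor below takes the controller Deployment and ConfigMap in the shape returned by kubectl get ... -o json and checks the settings named in this bulletin and in the CVE-2025-1974 bulletin above: the controller image tag against both bulletins' version ranges, the --enable-annotation-validation argument, the strict-validate-path-type ConfigMap key, and whether the --validating-webhook argument is still present on a version affected by CVE-2025-1974. It also produces the patched argument list from step 2 of that bulletin's YAML-manifest mitigation. The sample objects are constructed.

```python
import copy
import json

# Constructed objects in the shape of `kubectl get deployment,configmap
# -n ingress-nginx -o json` output (not taken from a real cluster).
SAMPLE_DEPLOYMENT = json.loads("""{
  "kind": "Deployment",
  "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
  "spec": {"template": {"spec": {"containers": [{
    "name": "controller",
    "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4",
    "args": ["/nginx-ingress-controller",
             "--election-id=ingress-nginx-leader",
             "--controller-class=k8s.io/ingress-nginx",
             "--configmap=$(POD_NAMESPACE)/ingress-nginx-controller",
             "--validating-webhook=:8443",
             "--validating-webhook-certificate=/usr/local/certificates/cert",
             "--validating-webhook-key=/usr/local/certificates/key"]}]}}}
}""")
SAMPLE_CONFIGMAP = {"kind": "ConfigMap",
                    "metadata": {"name": "ingress-nginx-controller"},
                    "data": {"allow-snippet-annotations": "false"}}


def parse_version(tag):
    """'v1.11.4' -> (1, 11, 4); any suffix after '-' is ignored."""
    core = tag.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def vulnerable_cve_2025_1974(tag):
    """CVE-2025-1974 bulletin: all versions through 1.11.4, plus 1.12.0."""
    v = parse_version(tag)
    return v <= (1, 11, 4) or v == (1, 12, 0)


def vulnerable_cve_2023_5043(tag):
    """This bulletin: fixed as of 1.9.0."""
    return parse_version(tag) < (1, 9, 0)


def _controller(deployment):
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        if c["name"] == "controller":
            return c
    raise ValueError("no container named 'controller' in the Deployment")


def controller_tag(deployment):
    """Image tag of the controller container, with any @sha256 digest dropped."""
    image = _controller(deployment)["image"].split("@", 1)[0]
    return image.rsplit(":", 1)[1]


def audit(deployment, configmap):
    """Return {finding_code: recommendation} for the settings the bulletins name."""
    tag = controller_tag(deployment)
    args = _controller(deployment).get("args", [])
    data = configmap.get("data") or {}
    findings = {}
    webhook_on = any(a == "--validating-webhook" or a.startswith("--validating-webhook=")
                     for a in args)
    if vulnerable_cve_2025_1974(tag) and webhook_on:
        findings["cve-2025-1974-webhook"] = (
            f"controller {tag} is affected by CVE-2025-1974 and still serves the admission "
            "webhook: upgrade, or remove --validating-webhook and delete the "
            "ingress-nginx-admission ValidatingWebhookConfiguration")
    if vulnerable_cve_2023_5043(tag):
        findings["cve-2023-5043-version"] = f"controller {tag} is below 1.9.0: upgrade"
    if "--enable-annotation-validation" not in args:
        findings["annotation-validation-off"] = (
            "add --enable-annotation-validation to the controller arguments")
    if data.get("strict-validate-path-type") != "true":
        findings["strict-path-type-off"] = (
            'set strict-validate-path-type: "true" in the controller ConfigMap')
    return findings


def strip_webhook_args(deployment):
    """Step 2 of the YAML-manifest mitigation for CVE-2025-1974: return a copy of
    the Deployment with --validating-webhook (and its certificate/key arguments)
    removed from the controller container. The original object is left untouched."""
    patched = copy.deepcopy(deployment)
    c = _controller(patched)
    c["args"] = [a for a in c.get("args", []) if not a.startswith("--validating-webhook")]
    return patched


if __name__ == "__main__":
    for code, message in audit(SAMPLE_DEPLOYMENT, SAMPLE_CONFIGMAP).items():
        print(f"{code}: {message}")
```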

Safe version of vulnerable product or patch

The vulnerability has been fixed as of version 1.9.0.

How it impacts Yandex Cloud services

These vulnerabilities are irrelevant when using Yandex Cloud ALB Ingress Controller, as it is based on different technologies and does not have any annotations or settings that may lead to such vulnerabilities.

26/10/2023: CVE-2023-3484 GitLab Security Release: 16.1.2, 16.0.7, and 15.11.11

CVE ID: CVE-2023-3484

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-3484

Original report

https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/

Summary

GitLab has fixed CVE-2023-3484.

An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, and all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations.

Technologies affected

GitLab

Vulnerable products and versions

GitLab CE/EE, versions prior to 16.1.2, 16.0.7, and 15.11.11

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

CVSS score: 3.1 to 6.1

Recommendations for vulnerability detection and supporting materials

https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/

Safe version of vulnerable product or patch

The vulnerability is resolved in GitLab CE/EE versions starting from 16.1.2, 16.0.7, and 15.11.11.

Impact on Yandex Cloud services

We updated current and upcoming images and Managed Service for GitLab instances to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

26/10/2023: CVE-2023-3424, CVE-2023-1936 GitLab Security Release: 16.1.1, 16.0.6, and 15.11.10

CVE IDs: CVE-2023-3424, CVE-2023-1936

Link to CVE: https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/

Original report

https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/

Summary

GitLab issued a security release that fixes multiple vulnerabilities. View the complete list here:

https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/

Technologies affected

GitLab

Vulnerable products and versions

GitLab CE/EE, versions prior to 16.1.1, 16.0.6, and 15.11.10

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

CVSS score: 3.5 to 7.5

Recommendations for vulnerability detection and supporting materials

https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/

Safe version of vulnerable product or patch

The vulnerabilities are resolved in GitLab CE/EE versions starting from 16.1.1, 16.0.6, and 15.11.10.

Impact on Yandex Cloud services

We updated current and upcoming images and Managed Service for GitLab instances to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

26/10/2023: CVE-2023-2442, CVE-2023-2013 GitLab Security Release: 16.0.2, 15.11.7, and 15.10.8

CVE IDs: CVE-2023-2442, CVE-2022-2013

Link to CVE: https://about.gitlab.com/releases/2023/06/05/security-release-gitlab-16-0-2-released/

Original report

https://about.gitlab.com/releases/2023/06/05/security-release-gitlab-16-0-2-released/

Summary

GitLab issued a security release that fixes multiple vulnerabilities. View the complete list here:

https://about.gitlab.com/releases/2023/06/05/security-release-gitlab-16-0-2-released/

Technologies affected

GitLab

Vulnerable products and versions

GitLab CE/EE, versions prior to 16.0.2, 15.11.7, and 15.10.8

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

CVSS score: 2.6 to 8.7

Recommendations for vulnerability detection and supporting materials

https://about.gitlab.com/releases/2023/06/05/security-release-gitlab-16-0-2-released/

Safe version of vulnerable product or patch

The vulnerabilities are resolved in GitLab CE/EE versions starting from 16.0.2, 15.11.7, and 15.10.8.

Impact on Yandex Cloud services

We updated current and upcoming images and Managed Service for GitLab instances to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

16/10/2023: BDU-2023-05857 Vulnerability in the landing module of the 1C-Bitrix Content Management System (CMS)16/10/2023: BDU-2023-05857 Vulnerability in the landing module of the 1C-Bitrix Content Management System (CMS)

CVE ID: BDU:2023-05857

Link to CVE: https://bdu.fstec.ru/vul/2023-05857

Original report

https://bdu.fstec.ru/vul/2023-05857

Summary

The vulnerability in the landing module of the 1C-Bitrix Content Management System (CMS) is caused by synchronization errors when using a shared resource. By exploiting this vulnerability, a remote attacker might execute OS commands on a compromised node, gain control over resources, and penetrate the internal network.

Technologies affected

1C-Bitrix: Site management

Vulnerable products and versions

Up to 23.850.0

Vendor

1C-Bitrix LLC

Attack vector and severity level per CVSS v.3.0

CVSS score: 10. Attack vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Recommendations for vulnerability detection and supporting materials

  • https://dev.1c-bitrix.ru/docs/versions.php?lang=ru&module=landing
  • https://www.bitrix24.ru/features/box/box-versions.php?module=landing
  • https://www.bitrix24.com/features/box/box-versions.php
  • https://www.bitrix24.com/features/box/box-versions.php?module=landing
  • https://safe-surf.ru/upload/VULN-new/VULN.2023-09-21.1.pdf

Safe version of vulnerable product or patch

Landing version 23.850.0 and higher.

Compensatory measures for Yandex Cloud users

Update the software product to landing version 23.850.0 or higher.

Impact on Yandex Cloud services

We updated current and upcoming images to the latest version. Check your current software version and update it if needed. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

06/10/2023: CVE-2023-35943 CORS filter segfault when origin header is removed

CVE ID: CVE-2023-35943

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-35943

Original report

https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq

Summary

Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter would segfault and crash Envoy when the origin header was removed and deleted between decodeHeaders and encodeHeaders. The issue is fixed in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12.

Technologies affected

Envoy

Vulnerable products and versions

Envoy, versions prior to 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12.

Vendor

Envoy

Attack vector and severity level per CVSS v.3.0

CVSS score: 7.5. Attack vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Recommendations for vulnerability detection and supporting materials

We recommend updating to the latest version. If it is not possible, do not remove the origin header in the Envoy configuration.

Safe version of vulnerable product or patch

Vulnerability fixed in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12.

Impact on Yandex Cloud services

We updated current and upcoming images to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

06/10/2023: CVE-2023-35941 OAuth2 credentials exploit with permanent validity

CVE ID: CVE-2023-35941

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-35941

Original report

https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55

Summary

Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, malicious clients could construct OAuth2 credentials with permanent validity. This was caused by some rare scenarios in which an HMAC payload could be always valid in the OAuth2 filter's check. As a workaround, avoid wildcards/prefix domain wildcards in the host domain configuration.

Technologies affected

Envoy

Vulnerable products and versions

Envoy, versions prior to 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12.

Vendor

Envoy

Attack vector and severity level per CVSS v.3.0

CVSS score: 9.8. Attack vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Recommendations for vulnerability detection and supporting materials

We recommend updating to the latest version. If it is not possible, do not use wildcards/prefix domain wildcards in the host domain configuration.
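Both Envoy bulletins above (CVE-2023-35943 and CVE-2023-35941) name a configuration-level workaround for operators who cannot upgrade yet: keep the origin header, and avoid wildcard host domains. The following checker is an added example, not Envoy project code: it walks an Envoy RouteConfiguration loaded from its JSON form and reports any `request_headers_to_remove` entry that strips `origin` and any virtual-host `domains` entry that is a wildcard or prefix/suffix wildcard. `domains` and `request_headers_to_remove` are real fields of Envoy's VirtualHost, Route and RouteConfiguration messages; the sample configuration embedded in the block is constructed for this example.

```python
"""Scan an Envoy route configuration for the two configuration workarounds
named in the CVE-2023-35943 and CVE-2023-35941 bulletins.

Added example; this is not Envoy project code. It walks a RouteConfiguration
given as a Python dict (what json.load() returns for Envoy's JSON config form)
and flags:
  * request_headers_to_remove entries that strip the origin header
    (CVE-2023-35943: the CORS filter segfaults if origin disappears between
    decodeHeaders and encodeHeaders);
  * virtual-host domains that are wildcards or prefix/suffix wildcards
    (CVE-2023-35941: the OAuth2 filter's HMAC check could be always valid).
"domains" and "request_headers_to_remove" are real fields of Envoy's
VirtualHost, Route and RouteConfiguration messages; the sample below is
constructed for this example.
"""
import json

SAMPLE_ROUTE_CONFIG = json.loads("""
{
  "name": "local_route",
  "virtual_hosts": [
    {
      "name": "api",
      "domains": ["api.example.com"],
      "request_headers_to_remove": ["Origin"],
      "routes": [{"match": {"prefix": "/"}, "route": {"cluster": "api"}}]
    },
    {
      "name": "catch_all",
      "domains": ["*.example.com", "*"],
      "routes": [{"match": {"prefix": "/"}, "route": {"cluster": "web"}}]
    }
  ]
}
""")


def is_wildcard(domain: str) -> bool:
    """Envoy accepts '*', '*.suffix' and 'prefix.*' domain patterns."""
    return domain == "*" or domain.startswith("*") or domain.endswith("*")


def check_route_config(config) -> list:
    """Return (json-path, finding) pairs for every weak setting found."""
    findings = []
    _walk(config, "$", findings)
    return findings


def _walk(node, path, findings):
    if isinstance(node, dict):
        removed = node.get("request_headers_to_remove", [])
        if any(str(h).lower() == "origin" for h in removed):
            findings.append((f"{path}.request_headers_to_remove",
                             "strips the origin header (CVE-2023-35943 workaround: keep it)"))
        for domain in node.get("domains", []):
            if is_wildcard(str(domain)):
                findings.append((f"{path}.domains",
                                 f"wildcard domain {domain!r} (CVE-2023-35941 workaround: avoid wildcards)"))
        for key, child in node.items():
            _walk(child, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            _walk(child, f"{path}[{index}]", findings)


if __name__ == "__main__":
    for location, finding in check_route_config(SAMPLE_ROUTE_CONFIG):
        print(f"{location}: {finding}")
```

The walk is generic on purpose: `request_headers_to_remove` may sit at route-configuration, virtual-host or route level, and a check that only looks at one level would miss the others. The header comparison is case-insensitive because Envoy normalises header names to lowercase.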

Safe version of vulnerable product or patch

Vulnerability fixed in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12.

Impact on Yandex Cloud services

We updated current and upcoming images to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

03/07/2023: CVE-2023-2478 GitLab Critical Security Release: 15.11.2, 15.10.6, and 15.9.7

CVE ID: CVE-2023-2478

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-2478

Original report

https://about.gitlab.com/releases/2023/05/05/critical-security-release-gitlab-15-11-2-released/#malicious-runner-attachment-via-graphql

Summary

Gitlab fixed CVE-2023-2478.

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, starting from 15.10 before 15.10.6, and starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to attach a malicious GitLab runner to any project.

Technologies affected

GitLab

Vulnerable products and versions

GitLab CE/EE versions prior to 15.11.2, 15.10.6, and 15.9.7.

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

CVSS score: 9.6. Attack vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Recommendations for vulnerability detection and supporting materials

https://about.gitlab.com/releases/2023/05/05/critical-security-release-gitlab-15-11-2-released/#malicious-runner-attachment-via-graphql

Safe version of vulnerable product or patch

Vulnerability resolved in versions 15.11.2, 15.10.6, and 15.9.7.

Impact on Yandex Cloud services

We updated current and upcoming images and upcoming Managed Service for GitLab instances to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

03/07/2023: CVE-2023-27561 Race-condition to bypass masked paths

CVE ID: CVE-2023-27561

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-27561

Original report

https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9

Summary

Prior to version 1.1.4, runc has incorrect access control settings that lead to privilege escalation related to libcontainer/rootfs_linux.go. To exploit the vulnerability, an attacker should be able to create two containers with custom mount volume configurations and run custom images.

Technologies affected

Linux kernel (runc)

Vulnerable products and versions

Runc prior to version 1.1.5.

Vendor

Linux kernel

Attack vector and severity level per CVSS v.3.0

CVSS score: 7.0. Attack vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Recommendations for vulnerability detection and supporting materials

We recommend updating to the latest version.

  • https://www.opencve.io/cve/CVE-2023-27561
  • https://nvd.nist.gov/vuln/detail/CVE-2023-27561
  • https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9
  • https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334
  • https://github.com/opencontainers/runc/issues/3751

Safe version of vulnerable product or patch

The vulnerability has been fixed as of version 1.1.5.

Impact on Yandex Cloud services

We updated current and upcoming images that use runc to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

03/07/2023: CVE-2023-27492 Crash when a large request body is processed in Lua filter

CVE ID: CVE-2023-27492

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-27492

Original report

https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2

Summary

Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter was vulnerable to denial of service. Attackers can send large request bodies for routes with the Lua filter enabled and trigger crashes. As of versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset.

Technologies affected

Envoy

Vulnerable products and versions

Envoy versions prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.

Vendor

Envoy

Attack vector and severity level per CVSS v.3.0

CVSS score: 6.5. Attack vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Recommendations for vulnerability detection and supporting materials

Update to the latest version.

https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2

Safe version of vulnerable product or patch

Vulnerability resolved in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.

Impact on Yandex Cloud services

We updated the component used in our services to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

03/07/2023: CVE-2023-27491 Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers

CVE ID: CVE-2023-27491

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-27491

Original report

https://github.com/envoyproxy/envoy/security/advisories/GHSA-5jmv-cw9p-f9rp

Summary

An HTTP/1-compatible service must reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy might forward such invalid requests and allow them to be executed, which could help attackers bypass security policies.

Technologies affected

Envoy

Vulnerable products and versions

Envoy versions prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.

Vendor

Envoy

Attack vector and severity level per CVSS v.3.0

CVSS score: 9.1. Attack vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Recommendations for vulnerability detection and supporting materials

Update to the latest version.

  • https://datatracker.ietf.org/doc/html/rfc9113#section-8.3
  • https://datatracker.ietf.org/doc/html/rfc9114#section-4.3.1
  • https://github.com/envoyproxy/envoy/security/advisories/GHSA-5jmv-cw9p-f9rp
  • https://www.rfc-editor.org/rfc/rfc9110#section-5.6.2

Safe version of vulnerable product or patch

Vulnerability resolved in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.

Impact on Yandex Cloud services

We updated the component used in our services to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

03/07/2023: CVE-2022-3513 - CVE-2022-3375. GitLab Security Release: 15.10.1, 15.9.4, and 15.8.5

CVE ID: CVE-2022-3513 - CVE-2022-3375

Link to CVE: https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/

Original report

https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/

Summary

GitLab issued a security release that fixes multiple vulnerabilities. View the complete list here:

https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/

Technologies affected

GitLab

Vulnerable products and versions

GitLab CE/EE versions prior to 15.10.1, 15.9.4, and 15.8.5.

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

CVSS score: 3.1 to 6.1.

Recommendations for vulnerability detection and supporting materials

https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/

Safe version of vulnerable product or patch

Vulnerability resolved in versions 15.10.1, 15.9.4, and 15.8.5.

Impact on Yandex Cloud services

We updated current and upcoming images and upcoming Managed Service for GitLab instances to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

13/04/2023: CVE-2023-26463: StrongSwan IPsec: Incorrectly Accepted Untrusted Public Key With Incorrect Refcount

CVE ID: CVE-2023-26463

Link to CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-26463

Original report

https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html

Summary

The TLS implementation in libtls incorrectly treats the public key from the peer's certificate as trusted, even if the certificate cannot be verified successfully. The public key also does not have the correct reference count, which then causes a dereference of an expired pointer. This commonly leads to a segmentation fault and a denial of service; however, information disclosure or code execution might still be possible.

An attacker is able to trigger this issue by sending a self-signed (or otherwise untrusted) certificate to a server that authenticates clients with a TLS-based EAP method, such as EAP-TLS. Clients may be similarly vulnerable to attackers that send them a request for such an EAP method followed by an untrusted server certificate. Affected versions: StrongSwan 5.9.8 and 5.9.9.

Technologies affected

StrongSwan IPsec

Vulnerable products and versions

StrongSwan IPsec prior to 5.9.10

Vendor

StrongSwan IPsec

Attack vector and severity level per CVSS v.3.0

Not rated as of 29/03/2023.

Recommendations for vulnerability detection and supporting materials

  • https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html
  • https://www.opennet.ru/opennews/art.shtml?num=58736

Servers that do not load plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC) are not vulnerable. If these plugins are loaded, they must not be used as a remote authentication method. You should not use the eap-dynamic plugin either, since it allows clients to choose their preferred EAP method. Servers that use TLS-based methods via the eap-radius plugin and only configure that as a remote authentication method are also not vulnerable.

Safe version of vulnerable product or patch

StrongSwan IPsec starting with version 5.9.10.

Impact on Yandex Cloud services

The StrongSwan IPsec image in Yandex Cloud Marketplace is not vulnerable according to https://ubuntu.com/security/CVE-2023-26463. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.

13/04/2023: CVE-2023-0286: OpenSSL Security Advisory 7/02/2023

CVE ID: CVE-2023-0286

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-0286

Original report

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9

Summary

OpenSSL issued a patch to fix some vulnerabilities, including the critical CVE-2023-0286.

Technologies affected

OpenSSL

Vulnerable products and versions

OpenSSL 1.0.2, 1.1.1, and 3.0.0-3.0.7.

Vendor

OpenSSL

Attack vector and severity level per CVSS v.3.0

Base Score: 7.4 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

Recommendations for vulnerability detection and supporting materials

We recommend updating OpenSSL to the latest version.

Safe version of vulnerable product or patch

If you are using OpenSSL 3.0.0-3.0.7, upgrade to OpenSSL 3.0.8.
If you are using OpenSSL 1.1.1, upgrade to OpenSSL 1.1.1t.
If you are using OpenSSL 1.0.2, upgrade to OpenSSL 1.0.2zg.
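The three upgrade lines above give one first-fixed version per OpenSSL release branch, and the Envoy and GitLab bulletins earlier on this page do the same for their branches. Deciding whether an installed build is affected is therefore always the same two steps: find the branch the installed version belongs to, then compare against that branch's first fixed version. The helper below is an added example, not OpenSSL, Envoy or GitLab project code; it implements that rule, including the letter-suffixed patch releases of OpenSSL 1.0.2 and 1.1.1 (a..z, then za..zz), and extracts the version from the output of `openssl version`. The fix tables are taken from the bulletins on this page; the sample `openssl version` output is constructed.

```python
"""Per-branch version check for the fix lists in these bulletins.

Added example; not vendor code. The OpenSSL advisory above fixes CVE-2023-0286
in 3.0.8, 1.1.1t and 1.0.2zg, and the Envoy and GitLab bulletins earlier on
this page likewise give one first-fixed version per release branch. The rule
is the same each time: find the branch the installed version belongs to, then
compare against that branch's first fixed version. OpenSSL 1.0.2 and 1.1.1
patch letters sort a..z, then za..zz, so 1.0.2z < 1.0.2zg.
"""
import re

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def parse_version(text: str) -> tuple:
    """'1.0.2zg' -> ((1, 0, 2), 33); '3.0.7' -> ((3, 0, 7), 0)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version {text!r}")
    numbers = tuple(int(p) for p in match.group(1).split("."))
    letters = match.group(2)
    # a=1 ... z=26, za=27 ... zz=52, zza=53 ...; no suffix sorts first.
    suffix = 26 * (len(letters) - 1) + (ord(letters[-1]) - ord("a") + 1) if letters else 0
    return numbers, suffix


# First fixed version per branch, as the bulletins state them.
OPENSSL_CVE_2023_0286 = {(3, 0): "3.0.8", (1, 1, 1): "1.1.1t", (1, 0, 2): "1.0.2zg"}
ENVOY_CVE_2023_35943 = {(1, 27): "1.27.0", (1, 26): "1.26.4", (1, 25): "1.25.9",
                        (1, 24): "1.24.10", (1, 23): "1.23.12"}


def assess(installed: str, fixes: dict) -> tuple:
    """Return ('vulnerable'|'fixed', first_fixed) or ('unlisted', None).

    'unlisted' means the bulletin names no fix for that branch, which is not
    the same as safe: check the vendor advisory for that branch.
    """
    version = parse_version(installed)
    for branch, first_fixed in fixes.items():
        if version[0][:len(branch)] == branch:
            if version < parse_version(first_fixed):
                return "vulnerable", first_fixed
            return "fixed", first_fixed
    return "unlisted", None


def openssl_version_from_output(output: str) -> str:
    """Extract '3.0.2' from `openssl version` output such as
    'OpenSSL 3.0.2 15 Mar 2022' (sample output constructed for this example)."""
    match = re.search(r"OpenSSL (\S+)", output)
    if not match:
        raise ValueError("no OpenSSL version found in output")
    return match.group(1)


if __name__ == "__main__":
    for installed in ("3.0.7", "3.0.8", "1.1.1s", "1.0.2z", "1.0.2zg"):
        print(installed, *assess(installed, OPENSSL_CVE_2023_0286))
    sample = "OpenSSL 3.0.2 15 Mar 2022"  # constructed `openssl version` output
    print(assess(openssl_version_from_output(sample), OPENSSL_CVE_2023_0286))
```

Note that a branch the bulletin does not list comes back as `unlisted`, not as safe; distributions that backport fixes also keep the upstream version string, so on such systems the package changelog, not the version number, is the authoritative check.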

Impact on Yandex Cloud services

We built the latest OpenSSL versions into the images in use. If you are using previous OS versions from Yandex Cloud Marketplace with OpenSSL 1.0.2, 1.1.1, or 3.0.0, you need to upgrade OpenSSL on your own.

22/02/2023: CVE-2022-3602, CVE-2022-3786: OpenSSL Security release v.3.0.7

CVE ID: CVE-2022-3602, CVE-2022-3786.

Links to CVE:
https://nvd.nist.gov/vuln/detail/CVE-2022-3602
https://nvd.nist.gov/vuln/detail/CVE-2022-3786

Original report

https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
https://www.openssl.org/news/secadv/20221101.txt

Summary

The OpenSSL project released a patch to fix critical buffer overflow vulnerabilities triggered by X.509 certificate verification. The CVE-2022-3602 and CVE-2022-3786 vulnerabilities were fixed in OpenSSL version 3.0.7.

Technologies affected

OpenSSL

Vulnerable products and versions

OpenSSL prior to version 3.0.7.

Vendor

OpenSSL

Attack vector and severity level per CVSS v.3.0

Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Recommendations for vulnerability detection and supporting materials

If you are using OpenSSL, we recommend that you upgrade to version 3.0.7 or higher.

Safe version of vulnerable product or patch

OpenSSL starting from version 3.0.7.

Impact on Yandex Cloud services

We built the latest OpenSSL versions into the images in use. In cloud resources, the vulnerable component is not found among the loaded modules and installed packages.

If you are using previous OS versions from Cloud Marketplace with OpenSSL older than 3.0.7, you need to upgrade OpenSSL on your own.

07/02/2023: CVE-2022-3411, CVE-2022-4138, CVE-2022-3759, CVE-2023-0518: GitLab Security Release: 15.8.1, 15.7.6, 15.6.7

CVE ID: CVE-2022-3411, CVE-2022-4138, CVE-2022-3759, and CVE-2023-0518.

Links to CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3759
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0518

Original report

https://about.gitlab.com/releases/2023/01/31/security-release-gitlab-15-8-1-released/#denial-of-service-via-arbitrarily-large-issue-descriptions

Brief description

Multiple vulnerabilities. Complete list: https://about.gitlab.com/releases/2023/01/31/security-release-gitlab-15-8-1-released/.

Technologies affected

GitLab

Vulnerable products and versions

GitLab CE/EE versions prior to 15.8.1, 15.7.6, and 15.6.7.

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

CVSS score: 4.3 to 6.5.

Recommendations for vulnerability detection and supporting materials

https://about.gitlab.com/releases/2023/01/31/security-release-gitlab-15-8-1-released/

Safe version of vulnerable product or patch

Vulnerability resolved in versions 15.8.1, 15.7.6, and 15.6.7.

Impact on Yandex Cloud services

For the convenience of Managed Service for GitLab users, we already updated current and upcoming instances to the latest version. If you are using images on your VMs, we recommend that you update them on your own.

02/02/2022: CVE-2022-41903 and CVE-2022-23521: GitLab Critical Security Release: 15.7.5, 15.6.6, 15.5.9

CVE ID: CVE-2022-41903 and CVE-2022-23521

Links to CVE:
https://nvd.nist.gov/vuln/detail/CVE-2022-41903
https://nvd.nist.gov/vuln/detail/CVE-2022-23521

Original report

https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq
https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89

Brief description

Multiple vulnerabilities. View the complete list here: https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released/.

Technologies affected

GitLab

Vulnerable products and versions

GitLab CE/EE versions prior to 15.7.5, 15.6.6, and 15.5.9.

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

Severity level: 9.9.

Recommendations for vulnerability detection and supporting materials

https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq
https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89

Safe version of vulnerable product or patch

Vulnerability resolved in versions 15.7.5, 15.6.6, and 15.5.9.

Impact on Yandex Cloud services

For the convenience of Managed Service for GitLab users, we already updated current and upcoming instances to the latest version. If you are using images on your VMs, we recommend that you update them on your own.

26/12/2022: CVE-2022-47940: KSMBD FS/KSMBD/SMB2PDU.C SMB2_WRITE

CVE ID: CVE-2022-47940

Link to CVE: https://ubuntu.com/security/CVE-2022-47940

Original report

https://ubuntu.com/security/CVE-2022-47940

Summary

This vulnerability allows remote attackers to disclose sensitive information on affected installations of the Linux kernel. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of SMB2_WRITE commands. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. To be vulnerable, a system needs ksmbd-tools installed to enable the ksmbd service, which is not installed by default.

Technologies affected

Linux Kernel.

Vulnerable products and versions

Linux Kernel up to 5.18.17
ksmbd-tools

Vendor

ksmbd-tools

Attack vector and severity level per CVSS v.3.0

Severity level: 4.1

Recommendations for vulnerability detection and supporting materials

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=158a66b245739e15858de42c0ba60fcf3de9b8e6

Safe version of vulnerable product or patch

The vulnerability is fixed as of Linux Kernel version 5.18.18.

Impact on Yandex Cloud services

The vulnerable component is not present among loaded modules and installed components in cloud services.

If you are using vulnerable OS images from Marketplace in Yandex Compute Cloud, you have to update them to secure versions yourself.

06/12/2022: CVE-2022-28228: Out-of-bounds reads in YDB servers

Updated on 08/12/2022

Vulnerability reported by: Max Arnold arnold.maxim@yandex.ru

CVE ID: CVE-2022-28228

CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28228

Original report

https://ydb.tech/docs/en//security-changelog#28-11-2022

Summary

Attackers can craft special requests that trigger errors, and an error message can include fragments of data from another cluster. Attackers can also run a denial-of-service attack against clusters.

Technologies affected

Yandex Managed Service for YDB in serverless mode.

Vulnerable products and versions

All the versions below 22.4.44 have this vulnerability.

Version 22.4.44 is safe.

Vendor

Yandex

Recommendations for vulnerability detection and supporting materials

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28228

Safe version of vulnerable product or patch

Any version from 22.4.44 or higher.

Compensatory measures for Yandex Cloud users

Everything has been done at the service level; no additional action is needed.

Impact on Yandex Cloud services

Only Yandex Managed Service for YDB in the serverless mode was subject to the vulnerability. The vulnerability is closed at present: all the YDB instances were updated to the safe version.

03/11/2022: CVE-2022-42889: Text4Shell

CVE ID: CVE-2022-42889

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Original report

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Summary

The vulnerability was found in a number of Apache Commons Text library versions. Applications using default string interpolation parameters may be vulnerable to remote code execution or unintentional contact with untrusted remote servers.

Technologies affected

Apache Commons Text

Vulnerable products and versions

The vulnerability affects versions 1.5 through 1.9.

Version 1.10.0 is safe.

Vendor

Apache Software Foundation

Attack vector and severity level per CVSS v.3.0

Severity level: 9.8 (Critical).

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Recommendations for vulnerability detection and supporting materials

  • https://infosecwriteups.com/text4shell-poc-cve-2022-42889-f6e9df41b3b7
  • https://sysdig.com/blog/cve-2022-42889-text4shell/
  • https://kyverno.io/policies/other/verify_image_cve-2022-42889/

Safe version of vulnerable product or patch

The vulnerability is fixed as of version 1.10.0.

Impact on Yandex Cloud services

The library has been upgraded to the safe version in Yandex Cloud services where it is used.

01/09/2022: CVE-2022-2992: GitLab Critical Security Release: 15.3.2, 15.2.4, and 15.1.6

CVE ID: CVE-2022-2992

Link to CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2992

Original report

https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/

Brief description

Multiple vulnerabilities. Complete list: https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/.

Technologies affected

GitLab

Vulnerable products and versions

All GitLab CE/EE versions before 15.3.2, 15.2.4, and 15.1.6 are affected.

The vulnerability was fixed in versions 15.3.2, 15.2.4, and 15.1.6.

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

Severity level: 9.9.

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Recommendations for vulnerability detection and supporting materials

https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/

Safe version of vulnerable product or patch

Vulnerability resolved in versions 15.3.2, 15.2.4, and 15.1.6.

Compensatory measures for Yandex Cloud users

https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/

Impact on Yandex Cloud services

The vulnerability affects the users of Managed Service for GitLab and GitLab images from Cloud Marketplace.

All GitLab images in Managed Service for GitLab and Cloud Marketplace are being updated to safe versions.

31/08/2022: CVE-2020-8561: Redirecting Kubernetes API server requests

CVE ID: CVE-2020-8561

CVE link: https://nvd.nist.gov/vuln/detail/CVE-2020-8561

Original report

https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY

Summary

In Kubernetes, a user who monitors responses to MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests can redirect kube-apiserver requests to private networks hosting an API server. If the logging level is 10, logs will capture responses from such private networks.

Technologies affected

Kubernetes

Vulnerable products and versions

All Kubernetes versions.

Vendor

Kubernetes

Attack vector and severity level as per CVSS v.3.0

Severity level: 4.1.

AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Recommendations for vulnerability detection and supporting materials

https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY

Safe version of vulnerable product or patch

No patches or safe versions.

Compensatory measures for Yandex Cloud users

https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY

Block kube-apiserver access to resources that hold sensitive information.

You can also set the -v flag to a value below 10 and the --profiling flag to false (the default value is true). Webhook requests will still be redirected to private networks, but the logs will not capture the request body if the logging level is below 10. Users will not be able to modify the kube-apiserver logging level.

Impact on Yandex Cloud services

No impact. The API server in Yandex Managed Service for Kubernetes is isolated from the service interface. The server runs under an individual user account that is isolated by a local firewall.

25/08/2022: CVE-2022-2884: Remote Command Execution via GitHub import in GitLab

Updated on 01/09/2022

CVE ID: CVE-2022-2884

Link to CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2884

Original report

https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/

Summary

A vulnerability in GitLab CE/EE allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

Technologies affected

GitLab

Vulnerable products and versions

The following GitLab CE/EE versions are vulnerable:

  • Between 11.3.4 and 15.1.5.
  • Between 15.2 and 15.2.3.
  • Between 15.3 and 15.3.1.

The vulnerability was fixed in versions 15.1.5, 15.2.3, and 15.3.1.

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

Severity level: 9.9.

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Recommendations for vulnerability detection and supporting materials

https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/

Safe version of the vulnerable product or patch

The vulnerability was fixed in GitLab CE/EE 15.1.5, 15.2.3, and 15.3.1.

Compensatory measures for Yandex Cloud users

Disable import from GitHub to GitLab:

  1. Log in to your GitLab installation using an administrator account.
  2. Click Menu → Admin.
  3. Click Settings → General.
  4. Expand Visibility and access controls.
  5. Under Import sources, disable the GitHub option.
  6. Click Save changes.

Impact on Yandex Cloud services

The vulnerability doesn't affect Yandex Cloud users. GitLab in Managed Service for GitLab and Cloud Marketplace has been updated to a safe version.

04/07/2022: CVE-2022-27228: Vulnerability of "vote" module in CMS 1C-Bitrix

CVE ID: CVE-2022-27228

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-27228

Original report

https://bdu.fstec.ru/vul/2022-01141
https://helpdesk.bitrix24.com/open/15536776/

Brief description

A vulnerability in the "vote" module of the 1C-Bitrix content management system (CMS) is related to the ability to send specially crafted network packets. Exploiting it may allow a remote attacker to write arbitrary files to a vulnerable system.

Technologies affected

Bitrix CMS

Vulnerable products and versions

All versions before 21.0.100.

Vendor

1C-Bitrix

Attack vector and severity level per CVSS v.3.0

Severity level: 9.8.

Recommendations for vulnerability detection and supporting materials

Look for requests to /bitrix/tools/composite_data.php, /bitrix/tools/html_editor_action.php, /bitrix/admin/index.php, and /bitrix/tools/vote/uf.php.

Safe version of vulnerable product or patch

Vulnerability resolved in "vote" module version 21.0.100.
https://dev.1c-bitrix.ru/docs/versions.php?lang=ru&module=vote

Compensatory measures for Yandex Cloud users

Add validation of input to the "vote" module, including validation by a WAF.

Impact on Yandex Cloud services

No impact on Yandex Cloud services.

22/06/2022: CVE-2022-1680: GitLab account takeover, critical vulnerability

CVE ID: CVE-2022-1680

Link to CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1680

Original report

https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/

Brief description

When SAML SSO and SCIM are used for a premium GitLab group, any group owner can invite arbitrary users into the group, change those users' email address via SCIM, and take over those users' accounts (unless two-factor authentication is being used).

Technologies affected

GitLab

Vulnerable products and versions

The following GitLab Enterprise Edition (EE) versions are vulnerable:

  • Between 11.10 and 14.9.5.
  • Between 14.10 and 14.10.4.
  • Between 15.0 and 15.0.1.

The vulnerability was fixed in versions 15.0.1, 14.10.4, and 14.9.5.

Vendor

GitLab Inc.

Attack vector and severity level per CVSS v.3.0

Severity level: 9.9.

Recommendations for vulnerability detection and supporting materials

If you are using a custom GitLab installation, check whether group_saml is enabled: https://docs.gitlab.com/ee/integration/saml.html#configuring-group-saml-on-a-self-managed-gitlab-instance.

Safe version of vulnerable product or patch

Vulnerability resolved in versions 15.0.1, 14.10.4, and 14.9.5.

Compensatory measures for Yandex Cloud users

  • Yandex Compute Cloud

    GitLab images for Yandex Compute Cloud in Yandex Cloud Marketplace have been updated to a safe version.

    Yandex Compute Cloud users with deprecated GitLab images from Yandex Cloud Marketplace or deprecated custom installations may be subject to the vulnerability.

    Update to the latest version.

  • Yandex Managed Service for GitLab

    For Yandex Managed Service for GitLab users (at the preview stage), the GitLab version has been updated to a safe version.

    No additional action on the part of the users is required.

15/06/2022: CVE-2021-25748: Ingress-nginx. Path sanitization bypass

CVE ID: CVE-2021-25748

Link to CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25748

Original report

https://discuss.kubernetes.io/t/security-advisory-cve-2021-25748-ingress-nginx-path-sanitization-can-be-bypassed-with-newline-character/20280

Brief description

The user can bypass sanitization of the spec.rules[].http.paths[].path field of an ingress object (in the networking.k8s.io or extensions API group) by using a newline character in the field value to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Involved technologies

  • Kubernetes
  • Nginx

Affected products and versions

ingress-nginx < v1.2.1

Vendor

NGINX ingress controller

Attack vector and severity level according to CVSS v.3.0

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Recommendations for vulnerability detection and supporting materials

https://discuss.kubernetes.io/t/security-advisory-cve-2021-25748-ingress-nginx-path-sanitization-can-be-bypassed-with-newline-character/20280

Safe version of the vulnerable product or patch

ingress-nginx v1.2.1

Compensatory measures for Yandex Cloud users

If you are using ingress-nginx controller in Yandex Managed Service for Kubernetes or self-hosted Kubernetes and are unable to roll out the fix, use a policy that restricts the spec.rules[].http.paths[].path field of the networking.k8s.io/Ingress resource to safe characters (see the newly added rules and the suggested values for annotation-value-word-blocklist).
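As an added example (not Yandex Cloud's or ingress-nginx's code), the following Python check applies the policy above to Ingress objects: it rejects any spec.rules[].http.paths[].path outside an assumed, deliberately conservative allow-list, which catches the newline bypass, and it can audit the IngressList JSON that `kubectl get ingress -A -o json` returns. The ALLOWED_PATH pattern and the sample objects are assumptions/constructed test data.

```python
import re

# Assumed allow-list for spec.rules[].http.paths[].path: an absolute path built
# from unreserved URL characters. It rejects the newline used in the
# CVE-2021-25748 bypass, every other control or whitespace character, and
# characters that carry meaning inside an nginx configuration block such as
# '"', ';', '{', '}', '$' and '#'. Regex-style paths (use-regex annotation)
# would need a wider, deliberately chosen list.
# \A and \Z are used instead of ^ and $ because $ also matches just before a
# trailing newline, which is exactly the character we want to reject.
ALLOWED_PATH = re.compile(r"\A/[A-Za-z0-9._~/-]*\Z")


def ingress_path_violations(ingress):
    """Return (rule_index, path_index, offending_path) for every path field
    of one Ingress object that falls outside the allow-list."""
    violations = []
    rules = (ingress.get("spec") or {}).get("rules") or []
    for ri, rule in enumerate(rules):
        paths = (rule.get("http") or {}).get("paths") or []
        for pi, entry in enumerate(paths):
            path = entry.get("path")
            if path is None:
                continue  # path is optional for pathType ImplementationSpecific
            if not ALLOWED_PATH.fullmatch(path):
                violations.append((ri, pi, path))
    return violations


def admit(ingress):
    """Admission-style decision for one Ingress: (allowed, message)."""
    found = ingress_path_violations(ingress)
    if not found:
        return True, "ok"
    detail = "; ".join(
        f"spec.rules[{ri}].http.paths[{pi}].path={path!r}" for ri, pi, path in found
    )
    return False, "path contains characters outside the allow-list: " + detail


def scan_ingress_list(ingress_list):
    """Audit existing objects: takes an IngressList (the structure returned by
    `kubectl get ingress -A -o json`) and returns (namespace, name, path)
    for each violation."""
    findings = []
    for item in ingress_list.get("items") or []:
        meta = item.get("metadata") or {}
        for _, _, path in ingress_path_violations(item):
            findings.append((meta.get("namespace"), meta.get("name"), path))
    return findings


def _ingress(namespace, name, paths):
    """Build a minimal networking.k8s.io/v1 Ingress (constructed test data)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"namespace": namespace, "name": name},
        "spec": {"rules": [{"host": "example.internal", "http": {"paths": [
            {"path": p, "pathType": "Prefix",
             "backend": {"service": {"name": "web", "port": {"number": 80}}}}
            for p in paths]}}]},
    }


# Constructed samples: one clean Ingress and one whose path carries a newline.
SAFE_INGRESS = _ingress("shop", "storefront", ["/", "/api/v1", "/static-assets"])
BAD_INGRESS = _ingress("shop", "legacy", ["/app", "/app\nbad"])
SAMPLE_LIST = {"kind": "IngressList", "items": [SAFE_INGRESS, BAD_INGRESS]}

if __name__ == "__main__":
    print(admit(SAFE_INGRESS))
    print(admit(BAD_INGRESS))
    print(scan_ingress_list(SAMPLE_LIST))
```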

Impact on Yandex Cloud services

There is no impact on Yandex Cloud services, since the infrastructure does not use ingress-nginx. The alb-ingress controller is used instead.

29/04/2022: CVE-2022-24735 and CVE-2022-24736: Redis

Description

CVE-2022-24735

CVE-2022-24735 concerns weaknesses in the Lua script execution environment. An attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that runs with the higher privileges of another Redis user.

For a detailed description of the vulnerability, see this article.
Vulnerability description: CVE-2022-24735.
CVSS rating: 3.9 LOW.

CVE-2022-24736

CVE-2022-24736 lets an attacker load a specially crafted Lua script that crashes Redis prior to version 7.0.0 or 6.2.7.

For a detailed description of the vulnerability, see this article.
Vulnerability description: CVE-2022-24736.
CVSS rating: 3.3 LOW.

Impact

General impact

All Redis databases prior to version 7.0.0 and 6.2.7 are affected.

Impact on Yandex Cloud services

Yandex Managed Service for Valkey™ uses the following Redis versions: 5.0, 6.0, 6.2.

The following measures are being taken to mitigate the vulnerability in Yandex Cloud services:

  • All instances of version 6.2 will be upgraded to the updated version 6.2.7. The upgrade will occur following the standard cluster settings.
  • For versions 6.0 or 5.0, the vendor has not released updates. Users need to upgrade to version 6.2 themselves in order to get the standard update to version 6.2.7.

Compensatory measures

If you are using Redis version 6.0 or 5.0 as part of Yandex Managed Service for Valkey™, upgrade to version 6.2 as soon as possible.

If you are using your own Redis installation, upgrade to version 6.2.7 or 7.0.0. If an upgrade isn't currently possible, the vendor has released a workaround.

06/04/2022: CVE-2022-1162: GitLab Critical Security Release

Description

GitLab has published an overview of a number of vulnerabilities in their article.

The vulnerability was discovered internally and assigned the ID CVE-2022-1162. The vulnerability affects both GitLab Community Edition (CE) and Enterprise Edition (EE):

  • All versions through 14.7.7.
  • All versions from 14.8 through 14.8.5.
  • All versions from 14.9 through 14.9.2.

The vulnerability results from hardcoded passwords being set inadvertently during OmniAuth-based registration in GitLab CE/EE.
This is an unscheduled release, which also serves as the March monthly release.

GitLab has prepared a script to use to identify user accounts that are potentially vulnerable to CVE-2022-1162.

Impact on Yandex Cloud services

Yandex Compute Cloud

A GitLab image for Yandex Compute Cloud in Yandex Cloud Marketplace was updated to the latest version.

Potentially, the vulnerability affects all Yandex Compute Cloud users utilizing deprecated GitLab images from Yandex Cloud Marketplace or deprecated custom images. These users must reinstall their systems using an updated Marketplace image or update their GitLab to the most recent version.

Yandex Cloud sent out notifications to all users with a deprecated GitLab image.

Yandex Managed Service for GitLab

For anyone using Yandex Managed Service for GitLab in test mode in Yandex Cloud, we have already updated the existing and future instances to the latest version.

Yandex Cloud sent out notifications to all Yandex Managed Service for GitLab users.

Compensatory measures

Potentially, the vulnerability affects all users using deprecated custom GitLab images. These users need to upgrade their GitLab version to the latest one.

18/03/2022: CVE-2022-0811: cr8escape

Description

CrowdStrike security researchers discovered a new vulnerability in the CRI-O container engine that can be used in Kubernetes. It can be exploited by an attacker with rights to deploy a pod to escape a container, gain root privileges, and move anywhere in the cluster.

The issue is that, starting from CRI-O 1.19, the sysctl system parameters can be overridden, for example, by abusing kernel.core_pattern to escape a container.

Original report: article.

Vulnerability description: CVE-2022-0811.

Impact on Yandex Cloud services

There is no impact, since CRI-O is not used in Managed Service for Kubernetes.

Compensatory measures

If you're using Kubernetes as a custom bare-metal installation rather than within Managed Service for Kubernetes:

  • Update CRI-O to version 1.23.2.

  • If there is no patched package for your OS, roll back CRI-O to version 1.18 or lower.

  • If you can't change the CRI-O version:

    1. Apply a policy that disallows "+" or "=" in sysctl values.
    2. Use PodSecurityPolicy forbiddenSysctls to forbid any sysctl.

09/03/2022: CVE-2022-0847: Dirty Pipe

Updated on 17/03/2022

Description

The vulnerability was discovered in Linux. It allows data to be overwritten in read-only files.

The vulnerability is relevant for kernel versions from 5.8.

The vulnerability was fixed in versions 5.16.11, 5.15.25 and 5.10.102.

Original report: article.

Vulnerability description: CVE-2022-0847.

Impact on Yandex Cloud services

The vulnerability does not affect the Yandex Cloud services, as the infrastructure uses kernel versions that are different from those affected by the vulnerability.

Several VM images from Cloud Marketplace were affected:

  • ubuntu-20-04-lts-gpu
  • ubuntu-20-04-lts-gpu-a100

Compensatory measures

The affected VM images have been removed from Cloud Marketplace and replaced with updated images.

If you are using a VM image that is affected by the vulnerability, update according to the official documentation.
Example for Ubuntu: https://ubuntu.com/security/notices/USN-5317-1.

28/02/2022: CVE-2022-0735 (token disclosure), CVE-2022-0549, CVE-2022-0751, CVE-2022-0741, CVE-2021-4191, CVE-2022-0738, CVE-2022-0489: Multiple GitLab vulnerabilities

Description

GitLab Inc. published an overview of a number of vulnerabilities in their article.

CVE-2022-0735

The most severe vulnerability is CVE-2022-0735 "Runner registration token disclosure through Quick Actions".

It affects the following versions:

  • All versions from 12.10 to 14.6.5 inclusive.
  • All versions from 14.7 to 14.7.4 inclusive.
  • All versions from 14.8 to 14.8.2 inclusive.

Other vulnerabilities are less critical.

CVE-2022-0549

CVE-2022-0549 "Unprivileged users can add other users to groups through an API endpoint" is a medium severity issue.

It affects the following versions:

  • All versions from 14.4 to 14.4.4 inclusive.
  • All versions from 14.5 to 14.5.2 inclusive.

CVE-2022-0751

CVE-2022-0751 "Inaccurate display of Snippet contents can be potentially misleading to users" is a medium severity issue.

CVE-2022-0741

CVE-2022-0741 "Environment variables can be leaked via the sendmail delivery method" is a medium severity issue.

CVE-2021-4191

CVE-2021-4191 "Unauthenticated user enumeration on GraphQL API" is a medium severity issue and applies to all versions from 14.4 to 14.8 inclusive.

CVE-2022-0738

CVE-2022-0738 "Adding a pull mirror with SSH credentials can leak password" is a medium severity issue.

It affects the following versions:

  • All versions from 14.6 to 14.6.5 inclusive.
  • All versions from 14.7 to 14.7.4 inclusive.
  • All versions from 14.8 to 14.8.2 inclusive.

CVE-2022-0489

CVE-2022-0489 "Denial of Service via user comments" is a low severity issue and affects all versions starting from 8.15.

Links

For more information about vulnerabilities, see the original GitLab report.

Description of vulnerabilities:

  • CVE-2022-0735
  • CVE-2022-0549
  • CVE-2022-0751
  • CVE-2022-0741
  • CVE-2021-4191
  • CVE-2022-0738
  • CVE-2022-0489

Impact on Yandex Cloud services

Yandex Compute Cloud

A GitLab image for Yandex Compute Cloud in Yandex Cloud Marketplace was updated to the latest version.

All Yandex Compute Cloud users who have used GitLab images from Cloud Marketplace or their own images are potentially vulnerable. These users need to reinstall the system from the current Cloud Marketplace image or upgrade their GitLab version to the latest one by following the official instructions.
If you can't upgrade the GitLab version, take compensatory measures.

Notifications with update recommendations were sent to all users who are using a deprecated GitLab image from Cloud Marketplace.

Yandex Managed Service for GitLab

For users of Managed Service for GitLab, which is currently in testing in Yandex Cloud, we have already updated current and upcoming instances to the latest version.

All Yandex Managed Service for GitLab users have been sent a notification.

Compensatory measures

If you can't update now, you can temporarily fix the vulnerability using the hotpatch.

28/01/2022: CVE-2022-0185: Heap overflow bug in legacy_parse_param

Description

Vulnerability CVE-2022-0185 is found in Linux kernel versions from 5.1-rc1, in the file system context functionality. An attacker may use it to cause a denial of service (system crash), execute arbitrary code, or escape a container.

For a detailed description of the vulnerability, see this article.

Vulnerability description: CVE-2022-0185.

CVSS score: 7.8.

Impact

General impact

This vulnerability affects systems worldwide that run Linux kernel versions 5.1-rc1 to 5.16.

Impact on Yandex Cloud services

Yandex Cloud updated its services:

  • Yandex Cloud Marketplace.
  • Yandex Cloud internal infrastructure.

We are preparing updates for Yandex Managed Service for Kubernetes.

Compensatory measures

If you are using a cloud node group in Yandex Managed Service for Kubernetes, wait for the official update for the service and apply it. Alternatively, update the OS yourself.

You can also take the following compensatory measures:

  • Use the daemonset fix for this vulnerability from yc-solution-library-for-security. It applies the settings recommended by Ubuntu.
  • Follow the official update or mitigation guidelines for your Linux distribution. For Ubuntu, for example, run sysctl -w kernel.unprivileged_userns_clone=0.
  • Use seccomp in Kubernetes as described in this article.
  • Do not assign redundant capabilities, and use the k8s security section of our checklist to monitor them.

28/01/2022: CVE-2021-4034: Polkit's pkexec

Description

Vulnerability CVE-2021-4034 is found in all versions of Unix-like operating systems. The PolicyKit pkexec tool incorrectly handles command-line arguments, and an attacker may use this behavior to escalate privileges to an administrator.

For a detailed description of the vulnerability, see this article.

Vulnerability description: CVE-2021-4034.

CVSS score: 7.8.

Impact

General impact

The vulnerability affects all the Unix-like operating systems running any policykit-1 (0.105) version lower than specified in the article. See here for Ubuntu.

Impact on Yandex Cloud services

Yandex Cloud updated its services:

  • Yandex Cloud Marketplace.
  • Yandex Cloud internal infrastructure.

We are preparing updates for Yandex Managed Service for Kubernetes.

Compensatory measures

If you are using a cloud-based node group in Yandex Managed Service for Kubernetes, wait for the official update for the service and apply it. Alternatively, update the OS yourself.

You can also take the following compensatory measures:

  • Use the daemonset fix for this vulnerability from yc-solution-library-for-security. It applies the settings recommended by Ubuntu.

  • Follow the official update or mitigation guidelines for images from Yandex Cloud Marketplace or your own images in Yandex Compute Cloud. For Ubuntu, for example, drop the setuid bit from pkexec: chmod 0755 /usr/bin/pkexec.

29/12/2021: CVE-2021-45105, CVE-2021-44832: Denial of service and remote code execution (Log4j)

Description

Vulnerability CVE-2021-45105 is found in Apache Log4j versions 2.0-alpha through 2.16.0, excluding 2.12.3. The versions do not protect from uncontrolled recursion from self-referential lookups. This may result in a StackOverflowError and a DoS attack.

Vulnerability CVE-2021-44832 is found in Apache Log4j versions 2.0-beta7 through 2.17.0, excluding security fix releases 2.3.2 and 2.12.4. The versions are vulnerable to a remote code execution (RCE) attack where an attacker has permission to modify the logging configuration file.

Original report from logging.apache.org.

Vulnerability description: CVE-2021-45105 and CVE-2021-44832.

CVSS rating:

  • CVE-2021-45105 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • CVE-2021-44832 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Impact

General impact

The Log4j library is included in almost all Apache Software Foundation enterprise solutions, such as: Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Kafka, Apache Dubbo, etc.

For a complete list of software affected by the vulnerability, see:

  • https://github.com/NCSC-NL/log4shell/tree/main/software
  • https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

Impact on Yandex Cloud services

Vulnerable versions of the library are not used in Yandex Cloud services.

Compensatory measures

If your infrastructure uses this library or the products listed in the "General Impact" section, follow the steps below.

Log4j 1.x

Log4j 1.x is not affected by the vulnerability.

Log4j 2.x

  • Java 6: Upgrade to Log4j 2.3.2.
  • Java 7: Upgrade to Log4j 2.12.4.
  • Java 8 (and later): Upgrade to Log4j 2.17.1.
  • If you cannot upgrade the library now, make sure that the JDBC Appender is not configured to use any protocol other than Java.

Note that only the log4j-core JAR file is affected by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not affected by this vulnerability.

Also note that Apache Log4j is the only Logging Services subproject impacted by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this vulnerability.

Source: https://logging.apache.org/log4j/2.x/security.html

You can also use the following tools to scan your infrastructure for the log4j vulnerability:

  • https://github.com/google/log4jscanner
  • https://github.com/bi-zone/Log4j_Detector

17/12/2021: CVE-2021-45046: Remote code execution (Log4j)

Description

Vulnerability CVE-2021-45046 is found in Apache Log4j versions 2.0-beta9 through 2.15.0, excluding 2.12.2.

It was found that the fix to address the CVE-2021-44228 vulnerability in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Attackers can craft malicious input data using a JNDI Lookup pattern. This may result in an information leak and remote and local code execution.

A detailed description of the exploit and this behavior is provided in a Lunasec article.

Original report from logging.apache.org.

Vulnerability description: CVE-2021-45046.

CVSSv3.1 rating: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Impact

General impact

The Log4j library is included in almost all Apache Software Foundation enterprise solutions, such as: Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Kafka, Apache Dubbo, etc.

For a complete list of software affected by the vulnerability, see:

  • https://github.com/NCSC-NL/log4shell/tree/main/software
  • https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

Impact on Yandex Cloud services

Services that used the library (Yandex Managed Service for Elasticsearch, Yandex Data Processing, and a number of basic platform services) were successfully updated.

Yandex Cloud has collected information on users that have utilized these services. Appropriate alerts have gone out.

Compensatory measures

If your infrastructure uses this library or the products listed in the "General Impact" section, follow the steps below.

Log4j 1.x

Log4j 1.x is not affected by the vulnerability.

Log4j 2.x

  • Java 8 (and later): Upgrade to Log4j 2.16.0.
  • Java 7: Upgrade to Log4j 2.12.2.
  • If you cannot upgrade the library now, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

Users are advised not to enable JNDI in Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.

Note that only the log4j-core JAR file is affected by this vulnerability. Applications using only the log4j-api JAR file without log4j-core JAR are not affected.

Source: https://logging.apache.org/log4j/2.x/security.html

10/12/2021: CVE-2021-44228: Remote code execution (Log4Shell, Apache Log4j)

Updated on 22/12/2021

Description

Vulnerability CVE-2021-44228 is found in the Apache Log4j library, version 2.14.1 and lower.

A zero-day exploit was discovered that results in remote code execution (RCE) when a specially crafted string is written to a log.

An attacker with control over log messages or log message parameters can run any code downloaded from LDAP servers provided message lookup substitution is on. Starting with log4j version 2.15.0, this behavior is disabled by default.

A detailed description of the exploit and this behavior is provided in a Lunasec article.

Original report from logging.apache.org: Fixed in Log4j 2.15.0.

Vulnerability description: CVE-2021-44228.

CVSSv3.1 rating: 10.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)

Learn more at: https://www.securitylab.ru/vulnerability/527362.php

Impact

General impact

  1. The Log4j library is included in almost all Apache Software Foundation enterprise solutions, such as: Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Kafka, Apache Dubbo, etc.

  2. The vulnerability affects open-source products such as ElasticSearch, Elastic Logstash, the NSA's Ghidra, etc.

  3. Hystax products are vulnerable because they use a vulnerable version of Elasticsearch Logstash.
    Hystax is working on new product releases to address the vulnerability.

Impact on Yandex Cloud services

Services that used the library (Yandex Managed Service for Elasticsearch, Yandex Data Processing, and a number of basic platform services) were successfully updated.

Yandex Cloud has collected information on users that have utilized these services. Appropriate alerts have gone out.

Compensatory measures

If your infrastructure uses this library or the products listed in the "General Impact" section, follow the steps below.

Log4j 1.x

Since Log4j 1.x does not support Lookups, the overall risk of exploiting the vulnerability for applications using Log4j 1.x is low.

Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI. In this case, make sure your configuration is not using JMSAppender.

Log4j 2.x

  • Java 8 (and later): Upgrade to Log4j 2.16.0.
  • Java 7: Upgrade to release Log4j 2.12.2 as soon as it is available.
  • If you cannot upgrade the library now, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

Note that only the log4j-core JAR file is affected by this vulnerability. Applications using only the log4j-api JAR file without log4j-core JAR are not affected.

Source: https://logging.apache.org/log4j/2.x/security.html
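As an added example that is not part of this bulletin and not an Apache or Yandex Cloud tool, the following Python scanner walks a directory for log4j-core archives and classifies each one against the fixed versions and the JndiLookup removal described in the three Log4j entries above (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832). It reads the version from Maven's pom.properties inside the JAR; the sample JARs it builds in a temporary directory are constructed fixtures, not real Log4j artifacts.

```python
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


@dataclass
class Finding:
    path: str
    version: Optional[str]
    jndi_lookup_present: bool
    verdict: str


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0); '2.17.1' -> (2, 17, 1); None if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_fixed(version):
    """True when log4j-core is at or above the versions the bulletin names as
    safe for CVE-2021-44832 (which also cover CVE-2021-44228/45046):
    2.3.2 on the Java 6 line, 2.12.4 on the Java 7 line, 2.17.1 otherwise."""
    major, minor, patch = version
    if major != 2:
        return major > 2
    if minor == 3:
        return patch >= 2
    if minor == 12:
        return patch >= 4
    return (minor, patch) >= (17, 1)


def inspect_jar(path):
    """Classify one archive; returns None when it is not log4j-core.
    Nested JARs inside WAR/EAR files are not unpacked here."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            has_jndi = JNDI_CLASS in names
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    if version is None and not has_jndi:
        return None
    parsed = parse_version(version) if version else None
    if parsed is None:
        # Shaded or relabelled copy: cannot fingerprint the version, treat as suspect.
        verdict = "unknown-version" + (", JndiLookup present" if has_jndi else "")
    elif is_fixed(parsed):
        verdict = "fixed"
    elif has_jndi:
        verdict = "vulnerable"
    else:
        # Old version with the class stripped: the zip -d hotfix from the
        # bulletin has been applied, but the JAR should still be upgraded.
        verdict = "jndi-removed"
    return Finding(path, version, has_jndi, verdict)


def scan_tree(root):
    """Walk a directory and return a Finding for every log4j-core archive."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith((".jar", ".war", ".ear")):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return findings


def build_sample_jar(path, version, include_jndi):
    """Constructed stand-in for log4j-core-<version>.jar (test fixture only;
    the class entry holds placeholder bytes, not real bytecode)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Scan a constructed lib/ tree; returns {file name: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        build_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
        build_sample_jar(os.path.join(lib, "log4j-core-2.14.1-hotfixed.jar"), "2.14.1", False)
        build_sample_jar(os.path.join(lib, "log4j-core-2.12.3.jar"), "2.12.3", True)
        build_sample_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", True)
        with zipfile.ZipFile(os.path.join(lib, "other.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return {os.path.basename(f.path): f.verdict for f in scan_tree(root)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it against a real host with scan_tree("/opt") or similar; a "jndi-removed" verdict means the zip -d hotfix above has been applied but, as the entry states, the library should still be upgraded.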

Hystax

Hystax Acura Controller: allow ingress traffic for UDP port 12201 only for a list of source IP ranges with replication agents deployed.

If you placed Hystax Acura Controller behind a network load balancer in your infrastructure, apply the above firewall rule to the respective load balancer.

12/11/2021: CVE-2021-22205: Remote code execution via a vulnerability in GitLab

Description

A security issue in GitLab versions starting from 11.9 allows remote command execution. The attack can be carried out by sending two requests that require no authentication.

The vulnerability is caused by improper validation of uploaded image files by an external file parser based on the ExifTool library (CVE-2021-22204).

The issue is fixed in GitLab versions 13.10.3, 13.9.6, and 13.8.8.

Impact on Yandex Cloud services

A GitLab image in Yandex Cloud Marketplace was updated to the latest version.

Notifications with update recommendations were sent to all users using a deprecated GitLab image.

Yandex Managed Service for GitLab users were not affected by the vulnerability, since the service uses the current GitLab version.

Compensatory measures

If you are using a deprecated GitLab image from Yandex Cloud Marketplace or a custom image, update it to the latest version. If for some reason you cannot update the GitLab version, use a hotpatch.

More information

  • Action needed by self-managed customers in response to CVE-2021-22205
  • GitLab CE CVE-2021-22205 in the wild

12/10/2021: CVE-2021-25741: Risk of accessing a host's file system

Description

A security issue was discovered in Kubernetes that lets a user who can create pods in a cluster use subpath volume mounts to reach files outside the volume, including the node's file system.

Impact on Yandex Cloud services

Yandex Managed Service for Kubernetes does not allow anonymous cluster access, so the vulnerability cannot be exploited by an external attacker.

Compensatory measures

To close the attack vector for an internal (authenticated) attacker, update all existing clusters and node groups to version 1.19 or higher. If your clusters and node groups already run 1.19 or higher, update their revisions. A fixed revision is available in all release channels.

We also recommend that you:

  • Automatically update your clusters and node groups to the latest versions or revisions.
  • Schedule manual updates at least once a month if you cannot apply automatic updates.
  • Prohibit running pods as root for untrusted workloads.

To do this, you can use the following tools:

  • OPA Gatekeeper
  • Kyverno
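The "no root pods" rule spelled out as an admission-style check, as an added example (not code from the bulletin, OPA Gatekeeper or Kyverno). It expresses in plain Python what you would write as a Gatekeeper constraint or Kyverno ClusterPolicy: a container passes only if it ends up with runAsNonRoot: true (set on the container or inherited from the pod's securityContext) and does not pin runAsUser to 0. Init containers are checked too, since they run before the main containers. The two manifests at the bottom are constructed samples.

```python
"""Reject pods in which any container could run as root."""


def _effective(pod_ctx: dict, container_ctx: dict, key: str):
    """Container-level securityContext overrides the pod-level one, as in Kubernetes."""
    return container_ctx[key] if key in container_ctx else pod_ctx.get(key)


def root_violations(pod: dict) -> list[str]:
    """One message per container that could run as root; an empty list means the pod is allowed."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    problems = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            ctx = container.get("securityContext") or {}
            name = container.get("name", "<unnamed>")
            if _effective(pod_ctx, ctx, "runAsNonRoot") is not True:
                problems.append(f"{name}: runAsNonRoot is not true")
            if _effective(pod_ctx, ctx, "runAsUser") == 0:
                problems.append(f"{name}: runAsUser is 0")
    return problems


def is_allowed(pod: dict) -> bool:
    return not root_violations(pod)


# Constructed sample: nothing prevents these containers from running as uid 0.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "untrusted-job"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "busybox", "securityContext": {"runAsUser": 0}},
        ],
        "containers": [{"name": "app", "image": "example/app"}],
    },
}

# Constructed sample: non-root enforced at pod level; one container changes only the uid.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hardened-job"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {"name": "app", "image": "example/app"},
            {"name": "sidecar", "image": "example/sidecar",
             "securityContext": {"runAsUser": 65534}},
        ],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], "->", root_violations(pod) or "allowed")
```

Note that runAsNonRoot: true is what makes the kubelet refuse to start an image whose default user is root; the runAsUser check only catches an explicit uid 0. Both are needed for the policy to be complete.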

More information

A checklist for a secure Kubernetes configuration is available here.

03/03/2021: CVE-2021-21309: Remote code execution via a vulnerability in Valkey™

Description

An integer overflow was discovered in 32-bit builds of Redis 4.0 and higher (the code base Valkey™ is derived from). When proto-max-bulk-len is raised above its default, it may lead to remote code execution.

Impact on Yandex Cloud services

Yandex Managed Service for Redis uses a 64-bit Valkey™ version and is not affected by the vulnerability.

26/01/2021: CVE-2021-3156: Privilege escalation through a vulnerability in sudo

Description

A heap-based buffer overflow (CVE-2021-3156, also known as Baron Samedit) was discovered in sudo. It allows any local user, even one without a sudoers entry, to escalate privileges to root. To check a host, run sudoedit -s / as an unprivileged user: a vulnerable sudo answers with an error beginning with sudoedit:, while a patched version prints its usage message.

Impact on Yandex Cloud services

The following Linux OS images were updated:

  • All images from the Yandex Cloud publisher available in Cloud Marketplace.
  • A Container Optimized Image.
  • An image that is used to create Managed Service for Kubernetes nodes.
  • Images that are used to create managed database clusters.
  • An image that is used to create Yandex Data Processing clusters.

More information

  • Buffer overflow in command line unescaping
  • CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

24/12/2020: CVE-2020-25695: Privilege escalation in PostgreSQL

Description

The CVE-2020-25695 vulnerability was discovered in the PostgreSQL database management system. It allows an attacker who has permission to create non-temporary objects in at least one schema to execute arbitrary SQL as a superuser.

Impact on Yandex Cloud services

All PostgreSQL instances used in Yandex Managed Service for PostgreSQL were updated.

19/11/2020: Discontinue support for deprecated TLS protocols

Description

To make data transmission more secure, Yandex Cloud recommends that all users switch to technologies that provide encryption via TLS 1.2 and higher.

Impact on Yandex Cloud services

All Yandex Cloud services support TLS 1.2 and higher. Legacy protocols will gradually be discontinued. We recommend that you upgrade your applications to the latest TLS versions in advance.
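What "upgrade your applications to TLS 1.2 or higher" looks like on the client side, as an added example (not code from the bulletin and not Yandex Cloud's own configuration). It builds a hardened ssl.SSLContext next to the kind of permissive context that will stop working once legacy protocols are switched off, and a checker that reports the settings a security review would reject. The policy values are assumptions chosen to match the recommendation above.

```python
"""Client-side TLS policy: TLS 1.2 or higher, with server verification."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Negotiates TLS 1.2 or 1.3 only and verifies the server certificate and hostname."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The permissive setup that legacy applications often carry (do not use)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Lets OpenSSL fall back to TLS 1.0/1.1 where the library still offers them.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_policy_violations(ctx: ssl.SSLContext) -> list[str]:
    """Reasons a context fails the policy 'TLS 1.2 or higher, server verified'."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked")
    return problems


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("legacy", legacy_client_context())):
        print(name, "->", tls_policy_violations(ctx) or "ok")
```

Pass the hardened context to your HTTP or database client (for example as the ssl_context argument of urllib.request or the connector you use) and the application will refuse a TLS 1.0 or 1.1 endpoint instead of silently negotiating down.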

20/09/2020: CVE-2020-1472 (aka Zerologon)

Description

A Windows Netlogon Remote Protocol vulnerability that allows an unauthenticated attacker with network access to a domain controller to compromise all Active Directory identity services.

Original report from Secura: Zerologon.

Vulnerability description by Microsoft: CVE-2020-1472.

Change management guide from Microsoft: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472.

Impact on Yandex Cloud services

OS images available to Yandex Compute Cloud users already contain updates that fix the vulnerability. All VMs created in Yandex Compute Cloud after the issue was reported are protected against the described attack.

Compensatory measures

In addition to installing the updates, restrict access to your domain controller from untrusted networks:

  • Filter inbound traffic with Windows Firewall or VPC security groups.
  • Keep the domain controller off the public internet: give it no public IP address and route its outbound traffic through a NAT gateway.

15/06/2020: Special Register Buffer Data Sampling Attack (aka CrossTalk)

Description

VUSec researchers found a new attack on certain Intel CPU models, Special Register Buffer Data Sampling (CrossTalk), tracked as CVE-2020-0543. A malicious process can read the values that the RDRAND and RDSEED instructions returned to another process, even when the two processes run on different physical CPU cores.

Report from Intel: Deep Dive: Special Register Buffer Data Sampling.

Impact on Yandex Cloud services

Yandex Cloud uses CPU models that are not vulnerable to CrossTalk attacks.

28/08/2019: TCP SACK

Description

Netflix researchers found three vulnerabilities in the Linux kernel's TCP SACK handling:

  • CVE-2019-11477
  • CVE-2019-11478
  • CVE-2019-11479

Original report from Netflix: NFLX-2019-001.

Vulnerability analysis from Red Hat: TCP SACK PANIC.

Impact on Yandex Cloud services

  • The Yandex Cloud infrastructure was promptly patched.
  • The OS images available to Yandex Compute Cloud users were updated as soon as the fixes became available, so new VMs created in Yandex Compute Cloud are not affected.

19/08/2019: Some Yandex Object Storage domains are included in the Public Suffix List

Description

The following domains have been added to the Public Suffix List:

  • yandexcloud.net
  • storage.yandexcloud.net
  • website.yandexcloud.net

Browsers treat domains in the Public Suffix List like top-level domains such as .ru or .com:

  • Browsers reject cookies whose Domain attribute is one of the listed domains, so a cookie set by a site in one bucket cannot be read by a site in another bucket.
  • Browsers do not allow a page to relax its origin (document.domain) up to one of the listed domains, so sites in different buckets remain distinct origins.
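How a browser applies the Public Suffix List to the domains above, as an added example (not code from the bulletin). It embeds a constructed subset of the list containing just the three Yandex Object Storage entries plus .net, derives the registrable domain the way browsers do (public suffix plus one label), and uses it for the two decisions that matter here: whether a Set-Cookie Domain attribute is accepted, and whether two hosts count as the same site. The real list also has wildcard and exception rules, which this subset deliberately omits; bucket names used below are constructed.

```python
"""Registrable-domain logic for a small constructed subset of the Public Suffix List."""

PUBLIC_SUFFIXES = {
    "net",
    "yandexcloud.net",
    "storage.yandexcloud.net",
    "website.yandexcloud.net",
}


def public_suffix(host: str) -> str:
    """Longest suffix of `host` found in the list (an unknown TLD counts as a suffix)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i = 0 is the whole host, so the first hit is the longest
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def registrable_domain(host: str):
    """Public suffix plus one label; None if `host` itself is a public suffix."""
    h = host.lower().rstrip(".")
    suffix = public_suffix(h)
    if h == suffix:
        return None
    remainder = h[: -len(suffix) - 1]      # strip the suffix and the dot before it
    return remainder.split(".")[-1] + "." + suffix


def cookie_domain_allowed(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match plus the public-suffix rule browsers add on top."""
    d = cookie_domain.lower().lstrip(".").rstrip(".")
    h = host.lower().rstrip(".")
    if registrable_domain(d) is None:      # d is a public suffix: cookie is rejected
        return False
    return h == d or h.endswith("." + d)


def same_site(host_a: str, host_b: str) -> bool:
    """Two hosts are the same site when they share a registrable domain."""
    a = registrable_domain(host_a)
    return a is not None and a == registrable_domain(host_b)


if __name__ == "__main__":
    # Constructed bucket names.
    a, b = "bucket-a.storage.yandexcloud.net", "bucket-b.storage.yandexcloud.net"
    print(registrable_domain(a))                              # bucket-a.storage.yandexcloud.net
    print(cookie_domain_allowed(a, "storage.yandexcloud.net"))  # False: public suffix
    print(same_site(a, b))                                    # False: separate sites
```

The practical consequence: a site in bucket-a cannot set a cookie that bucket-b would receive, and cannot widen its origin to reach bucket-b, exactly as if the two buckets were on separately registered domains.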

Impact on Yandex Cloud services

Sites hosted in different buckets are now isolated from each other as if they were on separately registered domains, which improves security for Yandex Cloud users.
