Security bulletins
- 06/03/2024: CVE-2024-21626: runc process.cwd and leaked fds container breakout
- 05/07/2024: CVE-2024-6387 RegreSSHion
- 06/03/2024: CVE-2023-23919: Multiple OpenSSL error handling issues in nodejs crypto library
- 06/03/2024: CVE-2023-23946: GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8
- 06/03/2024: CVE-CVE-2023-22490: GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8
- 28/12/2023: CVE-2023-44487 HTTP/2 Rapid Reset DDoS Attack
- 28/12/2023: CVE-2023-23583 Reptar vulnerability in Ice Lake (IPU Out-of-Band)
- 28/12/2023: CVE-2023-46850 OpenVPN v.2.6.7 Security patch
- Original report
- Summary
- Technologies affected
- Vulnerable products and versions
- Base vector and severity level of the vulnerability according to CVSS v.3.0
- Procedure for checking the vulnerability and supporting materials (PoC code, video demonstration or others)
- Safe version of vulnerable product or patch
- Are cloud services affected?
- 3/11/2023: CVE-2023-5043 NGINX Ingress Controller for Kubernetes vulnerabilities
- 26/10/2023: CVE-2023-3484 GitLab Security Release: 16.1.2, 16.0.7, and 15.11.11
- 26/10/2023: CVE-2023-3424, CVE-2023-1936 GitLab Security Release: 16.1.1, 16.0.6, and 15.11.10
- 26/10/2023: CVE-2023-2442, CVE-2023-2013 GitLab Security Release: 16.0.2, 15.11.7, and 15.10.8
- 16/10/2023: BDU-2023-05857 Vulnerability in the landing module of the 1C-Bitrix Content Management System (CMS)
- Original report
- Summary
- Technologies affected
- Vulnerable products and versions
- Vendor
- Attack vector and severity level per CVSS v.3.0
- Recommendations for vulnerability detection and supporting materials
- Safe version of vulnerable product or patch
- Compensatory measures for Yandex Cloud users
- Impact on Yandex Cloud services
- 06/10/2023: CVE-2023-35943 CORS filter segfault when origin header is removed
- 06/10/2023: CVE-2023-35941 OAuth2 credentials exploit with permanent validity
- 03/07/2023: CVE-2023-2478 GitLab Critical Security Release: 15.11.2, 15.10.6, and 15.9.7
- 03/07/2023: CVE-2023-27561 Race-condition to bypass masked paths
- 03/07/2023: CVE-2023-27492 Crash when a large request body is processed in Lua filter
- 03/07/2023: CVE-2023-27491 Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers
- 03/07/2023: CVE-2022-3513 - CVE-2022-3375. GitLab Security Release: 15.10.1, 15.9.4, and 15.8.5
- 13/04/2023: CVE-2023-26463: StrongSwan IPsec: Incorrectly Accepted Untrusted Public Key With Incorrect Refcount
- 13/04/2023: CVE-2023-0286: OpenSSL Security Advisory 7/02/2023
- 22/02/2023: CVE-2022-3602, CVE-2022-3786: OpenSSL Security release v.3.0.7
- 07/02/2023: CVE-2022-3411, CVE-2022-4138, CVE-2022-3759, CVE-2023-0518,: GitLab Security Release: 15.8.1, 15.7.6, 15.6.7
- 02/02/2022, CVE-2022-41903 and CVE-2022-23521: GitLab Critical Security Release: 15.7.5, 15.6.6, 15.5.9
- 26/12/2022: CVE-2022-47940: KSMBD FS/KSMBD/SMB2PDU.C SMB2_WRITE
- 06/12/2022: CVE-2022-28228: Out-of-bounds reads in YDB servers
- 03/11/2022: CVE-2022-42889: Text4Shell
- 01/09/2022: CVE-2022-2992: GitLab Critical Security Release: 15.3.2, 15.2.4, and 15.1.6
- Original report
- Brief description
- Technologies affected
- Vulnerable products and versions
- Vendor
- Attack vector and severity level per CVSS v.3.0
- Recommendations for vulnerability detection and supporting materials
- Safe version of vulnerable product or patch
- Compensatory measures for Yandex Cloud users
- Impact on Yandex Cloud services
- 31/08/2022: CVE-2020-8561: Redirecting Kubernetes API server requests
- Original report
- Summary
- Technologies affected
- Vulnerable products and versions
- Vendor
- Attack vector and severity level per CVSS v.3.0
- Recommendations for vulnerability detection and supporting materials
- Safe version of vulnerable product or patch
- Compensatory measures for Yandex Cloud users
- Impact on Yandex Cloud services
- 25/08/2022: CVE-2022-2884: Remote Command Execution via GitHub import in GitLab
- Original report
- Summary
- Technologies affected
- Vulnerable products and versions
- Vendor
- Attack vector and severity level per CVSS v.3.0
- Recommendations for vulnerability detection and supporting materials
- Safe version of the vulnerable product or patch
- Compensatory measures for Yandex Cloud users
- Impact on Yandex Cloud services
- 04/07/2022: CVE-2022-27228: Vulnerability of "vote" module in CMS 1C-Bitrix
- Original report
- Brief description
- Technologies affected
- Vulnerable products and versions
- Vendor
- Attack vector and severity level per CVSS v.3.0
- Recommendations for vulnerability detection and supporting materials
- Safe version of vulnerable product or patch
- Compensatory measures for Yandex Cloud users
- Impact on Yandex Cloud services
- 22/06/2022: CVE-2022-1680: GitLab account takover, critical vulnerability
- 15/06/2022: CVE-2021-25748: Ingress-nginx. Path sanitization bypass
- Original report
- Brief description
- Involved technologies
- Affected products and versions
- Vendor
- Attack vector and severity level according to CVSS v.3.0
- Recommendations for vulnerability detection and supporting materials
- Safe version of the vulnerable product or patch
- Compensatory measures for Yandex Cloud users
- Impact on Yandex Cloud services
- 29/04/2022: CVE-2022-24735, CVE-2022-24736: Redis
- 06/04/2022: CVE-2022-1162: GitLab Critical Security Release
- 18/03/2022: CVE-2022-0811: cr8escape
- 09/03/2022: CVE-2022-0847: Dirty Pipe
- 28/02/2022: CVE-2022-0735 (token disclosure), CVE-2022-0549, CVE-2022-0751, CVE-2022-0741, CVE-2021-4191, CVE-2022-0738, CVE-2022-0489: Multiple GitLab vulnerabilities
- 28/01/2022: CVE-2022-0185: Heap overflow bug in legacy_parse_param
- 28/01/2022: CVE-2021-4034: Polkit's pkexec
- 29/12/2021: CVE-2021-45105, CVE-2021-44832: Denial of service and remote code execution (Log4j)
- 17/12/2021: CVE-2021-45046: Remote code execution (Log4j)
- 10/12/2021: CVE-2021-44228: Remote code execution (Log4Shell, Apache Log4j)
- 12/11/2021: CVE-2021-22205: Remote code execution via a vulnerability in GitLab
- 12/10/2021: CVE-2021-25741: Risk of accessing a host's filesystem
- 03/03/2021: CVE-2021-21309: Remote code execution via a vulnerability in Valkey™
- 26/01/2021: CVE-2021-3156: Privilege escalation through vulnerabilities in sudo.
- 24/12/2020: CVE-2020-25695: Privilege escalation in PostgreSQL
- 19/11/2020: Discontinue support for deprecated TLS protocols
- 20/09/2020: CVE-2020-1472 (aka Zerologon)
- 15/06/2020: Special Register Buffer Data Sampling Attack (aka CrossTalk)
- 28.08.2019: TCP SACK
- 19.08.2019: Some Yandex Object Storage domains are included in the Public Suffix List
This page contains security recommendations from Yandex Cloud experts.
06/03/2024: CVE-2024-21626: runc process.cwd and leaked fds container breakout
CVE ID: CVE-2024-21626
CVE link: https://nvd.nist.gov/vuln/detail/CVE-2023-23919
Original report
https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
Summary
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec
) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem («attack 2»). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run
«attack 1»). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes («attack 3a» and «attack 3b»).
runc 1.1.12 includes patches for this issue.
Technologies affected
runc
Vulnerable products and versions
From v1.0.0 before v1.1.11
Attack vector and severity level per CVSS v.3.0
7.5 High
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Recommendations for vulnerability detection and supporting materials
Public exploits:
Safe version of vulnerable product or patch
The vulnerability has been fixed as of version 1.1.12.
Are cloud services affected?
We updated current and upcoming images that use runc
to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
05/07/2024: CVE-2024-6387 RegreSSHion
CVE ID: CVE-2024-6387
CVE link: https://www.cve.org/CVERecord?id=CVE-2024-6387
Original report
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
Summary
The vulnerability lies in the race condition that appears on the OpenSSH server (sshd), which sometimes enables running remote code without authentication (RCE) under the root
username in glibc
-based Linux systems. This poses a significant threat to security. It takes at least six hours for the attacker to exploit this issue.
Technologies affected
openssh-server
Vulnerable products and versions
openssh-server
before4.4p1
openssh-server
from8.5p1
to9.8p1
Vendor
OpenBSD Project
Attack vector and severity level as per CVSS v.3.0
Base score: 8.1 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Recommendations for vulnerability detection and supporting materials
As a workaround, set LoginGraceTime
to 0
in /etc/ssh/sshd_config
. This will prevent the exploit, although will potentially allow DDoS attacks on the server.
See also: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
Safe version of vulnerable product or patch
Learn which openssh-server
version you are currently using by running the dpkg -l openssh-server
command. If your version is vulnerable, update your package to 9.8p1
or higher.
How it impacts Yandex Cloud services
We updated VM basic images to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
We checked for the presence of vulnerable internal Yandex Cloud services.
06/03/2024: CVE-2023-23919: Multiple OpenSSL error handling issues in nodejs crypto library
CVE ID: CVE-2023-23919
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-23919
Original report
https://hackerone.com/reports/1808596
Summary
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.
Technologies affected
Node.js. Affects OpenSSL
Vulnerable products and versions
Node.js <= ver. 19.2.0, 18.14.1, 16.19.1, 14.21.3
Vendor
OpenJS Foundation
Attack vector and severity level per CVSS v.3.0
Base Score: 7.5
HIGHVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Recommendations for vulnerability detection and supporting materials
- https://hackerone.com/reports/1808596
- https://github.com/nodejs/node/pull/45495
- https://github.com/nodejs/node/pull/45377
- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
Safe version of vulnerable product or patch
Recent releases Node.js and OpenSSL already contain fixes for this error.
Impact on Yandex Cloud services
We have compiled and implemented an up-to-date Node.js in the images. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
06/03/2024: CVE-2023-23946: GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8
CVE ID: CVE-2023-23946
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-23946
Original report
- https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/
- https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh
- https://github.com/git/git/security/advisories/GHSA-gw92-x3fm-3g3q
Summary
Multiple vulnerabilities. The full list:
https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/
Technologies affected
GitLab
Vulnerable products and versions
GitLab CE/EE < 15.8.2, 15.7.7, and 15.6.8
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
Base Score: 6.2.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Recommendations for vulnerability detection and supporting materials
https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/
Safe version of vulnerable product or patch
Vulnerabilities have been fixed in versions 115.8.2, 15.7.7 and 15.6.8
Impact on Yandex Cloud services
For the convenience of users of the Yandex Managed Service for GitLab, we have already updated existing and future instances to the latest version. If you are using an image on a VM, it is recommended that you update it yourself.
06/03/2024: CVE-CVE-2023-22490: GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8
CVE ID: CVE-CVE-2023-22490
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-CVE-2023-22490
Original report
- https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/
- https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh
- https://github.com/git/git/security/advisories/GHSA-gw92-x3fm-3g3q
Summary
Multiple vulnerabilities. The full list:
https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/
Technologies affected
GitLab
Vulnerable products and versions
GitLab CE/EE < 15.8.2, 15.7.7, and 15.6.8
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
CVE-2023-22490
Base Score: 5.5. CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Recommendations for vulnerability detection and supporting materials
https://about.gitlab.com/releases/2023/02/14/critical-security-release-gitlab-15-8-2-released/
Safe version of vulnerable product or patch
Vulnerabilities have been fixed in versions 115.8.2, 15.7.7 and 15.6.8
Impact on Yandex Cloud services
For the convenience of users of the Yandex Managed Service for GitLab, we have already updated existing and future instances to the latest version. If you are using an image on a VM, it is recommended that you update it yourself.
28/12/2023: CVE-2023-44487 HTTP/2 Rapid Reset DDoS Attack
CVE ID: CVE-2023-44487
CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
Original report
https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
Summary
Yandex Cloud has implemented all necessary measures against CVE-2023-44487 known as HTTP/2 Rapid Reset.
This vulnerability is related to the HTTP/2 protocol. Under certain conditions, can be exploited to execute a denial-of-service attack on webservers such as NGINX, envoy and other products that implement the server-side portion of the HTTP/2 specification. To protect your systems from this attack, we’re recommending an immediate update to your web server.
Technologies affected
NGINX, HTTP/2
Vulnerable products and versions
- NGINX Open Source 1.x: 1.25.2 - 1.9.5
- org.apache.tomcat.embed:tomcat-embed-core package, versions [,8.5.94], [9.0.0,9.0.81], [10.0.0,10.1.14], [11.0.0-M3,11.0.0-M12]
- NGINX Ingress Controller
- 3.x 3.0.0 - 3.3.0 3.3.1
- 2.x 2.0.0 - 2.4.2
- 1.x 1.12.2 - 1.12.5
- Envoy 1.27.1, 1.26.5, 1.25.10 or 1.24.10
- NGINX Plus R2x R25 - R30
- BIG-IP (all modules) 17.x 17.1.0
- BIG-IP Next (all modules) 20.x 20.0.1
- BIG-IP Next SPK 1.x 1.5.0 - 1.8.2
- https://my.f5.com/manage/s/article/K000137106
Base vector and severity level of the vulnerability according to CVSS v.3.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Recommendations for vulnerability detection and additional materials
Procedure for checking the vulnerability and supporting materials (PoC code, video demonstration or others):
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76
https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-5953331
Update or patch version:
-
Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.
-
Upgrade envoyproxy/envoy to version 1.24.11, 1.25.10, 1.26.5, 1.27.1 or higher.
-
Use http2_max_concurrent_streams directive NGINX
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
Safe version of vulnerable product or patch
Not yet.
Are cloud services affected?
No.
28/12/2023: CVE-2023-23583 Reptar vulnerability in Ice Lake (IPU Out-of-Band)
CVE ID: CVE-2023-23583
CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2023-5043
Summary
The Reptar vulnerability affects Intel-based server systems, and the manufacturer has released the necessary patches. The Yandex Cloud infrastructure has been updated.
The vulnerability potentially led to privilege escalation.
Technologies affected
Intel (microcode)
Vulnerable products and versions
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html
Base vector and severity level of the vulnerability according to CVSS v.3.0
7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Recommendations for vulnerability detection and additional materials
Procedure for checking the vulnerability and supporting materials (PoC code, video demonstration or others):
https://lock.cmpxchg8b.com/reptar.html
Update or patch version:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html
Safe version of vulnerable product or patch
The vulnerability has been fixed as of version 1.9.0.
Are cloud services affected?
No.
28/12/2023: CVE-2023-46850 OpenVPN v.2.6.7 Security patch
CVE IDs: CVE-2023-46849, CVE-2023-46850
CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2023-46849
https://nvd.nist.gov/vuln/detail/CVE-2023-46850
Original report
https://openvpn.net/community-downloads/
Summary
CVE-2023-46850: it can lead to sending the contents of the process memory to the other side of the connection, as well as potentially to remote code execution.
CVE-2023-46849: this may lead to the remote initiation of an emergency shutdown of the access server.
Technologies affected
OpenVPN
Vulnerable products and versions
From v2.6.0 before v2.6.6
Base vector and severity level of the vulnerability according to CVSS v.3.0
Network.
Procedure for checking the vulnerability and supporting materials (PoC code, video demonstration or others)
No PoC yet.
Safe version of vulnerable product or patch
The vulnerability has been fixed as of version 2.6.7.
Are cloud services affected?
Yes.
3/11/2023: CVE-2023-5043 NGINX Ingress Controller for Kubernetes vulnerabilities
CVE IDs: CVE-2023-5043, CVE-2023-5044, CVE-2022-4886
CVE links:
https://nvd.nist.gov/vuln/detail/CVE-2023-5043
https://nvd.nist.gov/vuln/detail/CVE-2023-5044
https://nvd.nist.gov/vuln/detail/CVE-2022-4886
Original report
https://github.com/kubernetes/ingress-nginx/issues/10571
https://github.com/kubernetes/ingress-nginx/issues/10572
https://github.com/kubernetes/ingress-nginx/issues/10570
Summary
The first two vulnerabilities, CVE-2023-5043 and CVE-2023-5044, are related to insufficiently checking input data, which may lead to adding malicious code, taking control of privileged credentials, and stealing all cluster's secrets. Both issues have 7.60/10 vulnerability score as per the CVSS.
The CVE-2022-4886 vulnerability has higher score, 8.80 as per the CVSS. This issue can be exploited when creating or updating Ingress objects. The attackers may get access to the Kubernetes API credentials from Ingress Controller and, consequently, steal all cluster's secrets. This vulnerability affects version 1.8.0 and lower.
Technologies affected
NGINX
Vulnerable products and versions
NGINX: Up to version 1.9.0
Recommendations for vulnerability detection and additional materials
Here is what we recommend in order to avoid exploiting these vulnerabilities:
-
Update NGINX Ingress Controller to 1.9.0; this version has annotation validation, while the custom snippets are disabled by default.
-
Add the
--enable-annotation-validation
argument to the controller startup options. -
Add the
strict-validate-path-type
option toConfigmap
. -
Use a policy engine, such as Kyverno, to validate the paths used in the Ingress rules. You can find this ready-to-use policy
on the Kyverno website.
Safe version of vulnerable product or patch
The vulnerability has been fixed as of version 1.9.0.
How it impacts Yandex Cloud services
These vulnerabilities are irrelevant when using Yandex Cloud ALB Ingress Controller, as it is based on different technologies and does not have any annotations or settings that may lead to such vulnerabilities.
26/10/2023: CVE-2023-3484 GitLab Security Release: 16.1.2, 16.0.7, and 15.11.11
CVE ID: CVE-2023-3484
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-3484
Original report
https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/
Summary
GitLab closed CVE-2023-3484.
An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations.
Technologies affected
GitLab
Vulnerable products and versions
GitLab CE/EE, versions prior to 16.1.2, 16.0.7, and 15.11.11
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
CVSS score: 3.1 to 6.1
Recommendations for vulnerability detection and supporting materials
https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/
Safe version of vulnerable product or patch
Vulnerability resolved in GitLab CE/EE versions starting from 16.1.2, 16.0.7, and 15.11.11
Impact on Yandex Cloud services
We updated current and upcoming images and upcoming Managed Service for GitLab instances to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
26/10/2023: CVE-2023-3424, CVE-2023-1936 GitLab Security Release: 16.1.1, 16.0.6, and 15.11.10
CVE ID: CVE-2023-3424 - CVE-2023-1936
Link to CVE: https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/
Original report
https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/
Summary
GitLab issued a security release that fixes multiple vulnerabilities. View the complete list here:
https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/
Technologies affected
GitLab
Vulnerable products and versions
GitLab CE/EE, versions prior to 16.1.1, 16.0.6, and 15.11.10
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
CVSS score: 3.5 to 7.5
Recommendations for vulnerability detection and supporting materials
https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/
Safe version of vulnerable product or patch
Vulnerability resolved in GitLab CE/EE versions starting from 16.1.1, 16.0.6, and 15.11.10
Impact on Yandex Cloud services
We updated current and upcoming images and upcoming Managed Service for GitLab instances to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
26/10/2023: CVE-2023-2442, CVE-2023-2013 GitLab Security Release: 16.0.2, 15.11.7, and 15.10.8
CVE ID: CVE-2023-2442 - CVE-2022-2013
Link to CVE: https://about.gitlab.com/releases/2023/06/05/security-release-gitlab-16-0-2-released/
Original report
https://about.gitlab.com/releases/2023/06/05/security-release-gitlab-16-0-2-released/
Summary
GitLab issued a security release that fixes multiple vulnerabilities. View the complete list here:
https://about.gitlab.com/releases/2023/06/05/security-release-gitlab-16-0-2-released/
Technologies affected
GitLab
Vulnerable products and versions
GitLab CE/EE, versions prior to 16.0.2, 15.11.7, and 15.10.8
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
CVSS score: 2.6 to 8.7
Recommendations for vulnerability detection and supporting materials
https://about.gitlab.com/releases/2023/06/05/security-release-gitlab-16-0-2-released/
Safe version of vulnerable product or patch
Vulnerability resolved in GitLab CE/EE versions starting from 16.0.2, 15.11.7, and 15.10.8
Impact on Yandex Cloud services
We updated current and upcoming images and upcoming Managed Service for GitLab instances to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
16/10/2023: BDU-2023-05857 Vulnerability in the landing module of the 1C-Bitrix Content Management System (CMS)
CVE ID: BDU:2023-05857
Link to CVE: https://bdu.fstec.ru/vul/2023-05857
Original report
https://bdu.fstec.ru/vul/2023-05857
Summary
The vulnerability in the landing module of the 1C-Bitrix Content Management System (CMS) is caused by synchronization errors when using a shared resource. By exploiting this vulnerability, a remote attacker might execute OS commands on a compromised node, gain control over resources, and penetrate the internal network.
Technologies affected
1C-Bitrix: Site management
Vulnerable products and versions
Up to 23.850.0
Vendor
1C-Bitrix LLC
Attack vector and severity level per CVSS v.3.0
CVSS score: 10. Attack vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Recommendations for vulnerability detection and supporting materials
- https://dev.1c-bitrix.ru/docs/versions.php?lang=ru&module=landing
- https://www.bitrix24.ru/features/box/box-versions.php?module=landing
- https://www.bitrix24.com/features/box/box-versions.php
- https://www.bitrix24.com/features/box/box-versions.php?module=landing
- https://safe-surf.ru/upload/VULN-new/VULN.2023-09-21.1.pdf
Safe version of vulnerable product or patch
Landing version 23.850.0 and higher.
Compensatory measures for Yandex Cloud users
Update the software product to landing version 23.850.0 or higher.
Impact on Yandex Cloud services
We updated current and upcoming images to the latest version. Check your current software version and update it if needed. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
06/10/2023: CVE-2023-35943 CORS filter segfault when origin header is removed
CVE ID: CVE-2023-35943
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-35943
Original report
https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq
Summary
Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, the CORS filter would segfault and crash Envoy when the origin
header was removed and deleted between decodeHeaders
and encodeHeaders
. The issue is fixed in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12.
Technologies affected
Envoy
Vulnerable products and versions
Envoy, versions prior to 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12.
Vendor
Envoy
Attack vector and severity level per CVSS v.3.0
CVSS score: 7.5. Attack vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Recommendations for vulnerability detection and supporting materials
We recommend updating to the latest version. If it is not possible, do not remove the origin
header in the Envoy configuration.
Safe version of vulnerable product or patch
Vulnerability fixed in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12.
Impact on Yandex Cloud services
We updated current and upcoming images to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
06/10/2023: CVE-2023-35941 OAuth2 credentials exploit with permanent validity
CVE ID: CVE-2023-35941
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-35941
Original report
https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55
Summary
Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, malicious clients could construct OAuth2 credentials with permanent validity. This was caused by some rare scenarios when a HMAC payload could be always valid in the OAuth2 filter's check. As a workaround, avoid wildcards/prefix domain wildcards in the host domain configuration.
Technologies affected
Envoy
Vulnerable products and versions
Envoy, versions prior to 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12.
Vendor
Envoy
Attack vector and severity level per CVSS v.3.0
CVSS score: 9.8. Attack vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Recommendations for vulnerability detection and supporting materials
We recommend updating to the latest version. If it is not possible, do not use wildcards/prefix domain wildcards in the host domain configuration.
Safe version of vulnerable product or patch
Vulnerability fixed in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12.
Impact on Yandex Cloud services
We updated current and upcoming images to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
03/07/2023: CVE-2023-2478 GitLab Critical Security Release: 15.11.2, 15.10.6, and 15.9.7
CVE ID: CVE-2023-2478
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-2478
Original report
Summary
Gitlab fixed CVE-2023-2478.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, starting from 15.10 before 15.10.6, and starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to attach a malicious GitLab runner to any project.
Technologies affected
GitLab
Vulnerable products and versions
GitLab CE/EE versions prior to 15.11.2, 15.10.6, and 15.9.7.
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
CVSS score: 9.6. Attack vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Recommendations for vulnerability detection and supporting materials
Safe version of vulnerable product or patch
Vulnerability resolved in versions 15.11.2, 15.10.6, and 15.9.7.
Impact on Yandex Cloud services
We updated current and upcoming images and upcoming Managed Service for GitLab instances to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
03/07/2023: CVE-2023-27561 Race-condition to bypass masked paths
CVE ID: CVE-2023-27561
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-27561
Original report
https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9
Summary
Prior to version 1.1.4, runc
has incorrect access control settings that lead to privilege escalation related to libcontainer/rootfs_linux.go
. To exploit the vulnerability, an attacker should be able to create two containers with custom mount volume configurations and run custom images.
Technologies affected
Linux kernel (runc)
Vulnerable products and versions
Runc
prior to version 1.1.5.
Vendor
Linux kernel
Attack vector and severity level per CVSS v.3.0
CVSS score: 7.0. Attack vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Recommendations for vulnerability detection and supporting materials
We recommend updating to the latest version.
- https://www.opencve.io/cve/CVE-2023-27561
- https://nvd.nist.gov/vuln/detail/CVE-2023-27561
- https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9
- https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334
- https://github.com/opencontainers/runc/issues/3751
Safe version of vulnerable product or patch
The vulnerability has been fixed as of version 1.1.5.
Impact on Yandex Cloud services
We updated current and upcoming images that use runc
to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
03/07/2023: CVE-2023-27492 Crash when a large request body is processed in Lua filter
CVE ID: CVE-2023-27492
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-27492
Original report
https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2
Summary
Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter was vulnerable to denial of service. Attackers can send large request bodies for routes with the Lua filter enabled and trigger crashes. As of versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset.
Technologies affected
Envoy
Vulnerable products and versions
Envoy versions prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.
Vendor
Envoy
Attack vector and severity level per CVSS v.3.0
CVSS score: 6.5. Attack vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Recommendations for vulnerability detection and supporting materials
Update to the latest version.
https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2
Safe version of vulnerable product or patch
Vulnerability resolved in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.
Impact on Yandex Cloud services
We updated the component used in our services to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
03/07/2023: CVE-2023-27491 Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers
CVE ID: CVE-2023-27491
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-27491
Original report
https://github.com/envoyproxy/envoy/security/advisories/GHSA-5jmv-cw9p-f9rp
Summary
HTTP/1 compatible service must reject incorrectly generated request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, invalid HTTP/1 service might allow incorrect requests to be executed, which could help attackers bypass security policies.
Technologies affected
Envoy
Vulnerable products and versions
Envoy versions prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.
Vendor
Envoy
Attack vector and severity level per CVSS v.3.0
CVSS score: 9.1. Attack vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Recommendations for vulnerability detection and supporting materials
Update to the latest version.
- https://datatracker.ietf.org/doc/html/rfc9113#section-8.3
- https://datatracker.ietf.org/doc/html/rfc9114#section-4.3.1
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-5jmv-cw9p-f9rp
- https://www.rfc-editor.org/rfc/rfc9110#section-5.6.2
Safe version of vulnerable product or patch
Vulnerability resolved in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9.
Impact on Yandex Cloud services
We updated the component used in our services to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
03/07/2023: CVE-2022-3513 - CVE-2022-3375. GitLab Security Release: 15.10.1, 15.9.4, and 15.8.5
CVE ID: CVE-2022-3513 - CVE-2022-3375
Link to CVE: https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/
Original report
https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/
Summary
GitLab issued a security release that fixes multiple vulnerabilities. View the complete list here:
https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/
Technologies affected
GitLab
Vulnerable products and versions
GitLab CE/EE versions prior to 15.10.1, 15.9.4, and 15.8.5.
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
CVSS score: 3.1 to 6.1.
Recommendations for vulnerability detection and supporting materials
https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/
Safe version of vulnerable product or patch
Vulnerability resolved in versions 15.10.1, 15.9.4, and 15.8.5.
Impact on Yandex Cloud services
We updated current and upcoming images and upcoming Managed Service for GitLab instances to the latest version. If you are using a custom image on your VMs and it is vulnerable, we recommend that you update it on your own.
13/04/2023: CVE-2023-26463: StrongSwan IPsec: Incorrectly Accepted Untrusted Public Key With Incorrect Refcount
CVE ID: CVE-2023-26463
Link to CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-26463
Original report
https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html
Summary
The TLS implementation in libtls
incorrectly treats the public key from the peer's certificate as trusted, even if the certificate cannot be verified successfully. However, the public key does not have the correct reference count either, which then causes a dereference of an expired pointer. This commonly leads to a segmentation fault and a denial of service; however, the information exposure or code execution might still be possible.
An attacker is able to trigger this issue by sending a self-signed (or otherwise untrusted) certificate to a server that authenticates clients with a TLS-based EAP method, such as EAP-TLS. Clients may be similarly vulnerable to attackers that send them a request for such an EAP method followed by an untrusted server certificate. Affected versions: StrongSwan 5.9.8 and 5.9.9.
Technologies affected
StrongSwan IPsec
Vulnerable products and versions
StrongSwan IPsec prior to 5.9.10
Vendor
StrongSwan IPsec
Attack vector and severity level per CVSS v.3.0
Not rated as of 29/03/2023.
Recommendations for vulnerability detection and supporting materials
- https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html
- https://www.opennet.ru/opennews/art.shtml?num=58736
Servers that do not load plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC) are not vulnerable. If these plugins are loaded, they must not be used as a remote authentication method. You should not use the eap-dynamic
plugin either, since it allows clients to choose their preferred EAP method. Servers that use TLS-based methods via the eap-radius
plugin and only configure that as a remote authentication method are also not vulnerable.
Safe version of vulnerable product or patch
StrongSwan IPsec starting with version 5.9.10.
Impact on Yandex Cloud services
The StrongSwan IPsec image in Yandex Cloud Marketplace is not vulnerable according to https://ubuntu.com/security/CVE-2023-26463
13/04/2023: CVE-2023-0286: OpenSSL Security Advisory 7/02/2023
CVE ID: CVE-2023-0286
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-0286
Original report
Summary
OpenSSL issued a patch to fix some vulnerabilities, including the critical CVE-2023-0286.
Technologies affected
OpenSSL
Vulnerable products and versions
OpenSSL 1.0.2, 1.1.1, and 3.0.0-3.0.7.
Vendor
OpenSSL
Attack vector and severity level per CVSS v.3.0
Base Score: 7.4 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Recommendations for vulnerability detection and supporting materials
We recommend updating OpenSSL to the latest version.
Safe version of vulnerable product or patch
If you are using OpenSSL 3.0.0-3.0.7, upgrade to OpenSSL 3.0.8.
If you are using OpenSSL 1.1.1, upgrade to OpenSSL 1.1.1t.
If you are using OpenSSL 1.0.2, upgrade to OpenSSL 1.0.2zg.
Impact on Yandex Cloud services
We collected the latest OpenSSL versions and implemented them in the images being used. If you are using previous OS versions from Yandex Cloud Marketplace with OpenSSL 1.0.2, 1.1.1, or 3.0.0, you need to upgrade OpenSSL on your own.
22/02/2023: CVE-2022-3602, CVE-2022-3786: OpenSSL Security release v.3.0.7
CVE ID: CVE-2022-3602, CVE-2022-3786.
Links to CVE:
https://nvd.nist.gov/vuln/detail/CVE-2022-3602
https://nvd.nist.gov/vuln/detail/CVE-2022-3786
Original report
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
https://www.openssl.org/news/secadv/20221101.txt
Summary
The OpenSSL project released a patch to fix critical buffer overflow vulnerabilities triggered by X.509 certificate verification. The CVE-2022-3602 and CVE-2022-3786 vulnerabilities were fixed in OpenSSL version 3.0.7.
Technologies affected
OpenSSL
Vulnerable products and versions
OpenSSL prior to version 3.0.7.
Vendor
OpenSSL
Attack vector and severity level per CVSS v.3.0
Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Recommendations for vulnerability detection and supporting materials
If you are using OpenSSL, we recommend that you upgrade to version 3.0.7 or higher.
Safe version of vulnerable product or patch
OpenSSL starting from version 3.0.7.
Impact on Yandex Cloud services
We collected the latest OpenSSL versions and implemented them in the images being used. In cloud resources, the vulnerable component is not found among the loaded modules and installed packages.
If you are using previous OS versions from Cloud Marketplace with OpenSSL older than 3.0.7, you need to upgrade OpenSSL on your own.
07/02/2023: CVE-2022-3411, CVE-2022-4138, CVE-2022-3759, CVE-2023-0518,: GitLab Security Release: 15.8.1, 15.7.6, 15.6.7
CVE ID: CVE-2022-3411, CVE-2022-4138, CVE-2022-3759, and CVE-2023-0518.
Links to CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3759
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0518
Original report
Brief description
Multiple vulnerabilities. Complete list: https://about.gitlab.com/releases/2023/01/31/security-release-gitlab-15-8-1-released/
Technologies affected
GitLab
Vulnerable products and versions
GitLab CE/EE versions prior to 15.8.1, 15.7.6, and 15.6.7.
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
6.5-4.3
Recommendations for vulnerability detection and supporting materials
https://about.gitlab.com/releases/2023/01/31/security-release-gitlab-15-8-1-released/
Safe version of vulnerable product or patch
Vulnerability resolved in versions 15.8.1, 15.7.6, and 15.6.7.
Impact on Yandex Cloud services
For the convenience of Managed Service for GitLab users, we already updated current and upcoming instances to the latest version. If you are using images on your VMs, we recommend that you update them on your own.
02/02/2022, CVE-2022-41903 and CVE-2022-23521: GitLab Critical Security Release: 15.7.5, 15.6.6, 15.5.9
CVE ID: CVE-2022-41903 and CVE-2022-23521
Links to CVE:
https://nvd.nist.gov/vuln/detail/CVE-2022-41903
https://nvd.nist.gov/vuln/detail/CVE-2022-23521
Original report
https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq
https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89
Brief description
Multiple vulnerabilities. View the complete list here: https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released/
Technologies affected
GitLab
Vulnerable products and versions
GitLab CE/EE versions prior to 15.7.5, 15.6.6, and 15.5.9.
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
Severity level: 9.9.
Recommendations for vulnerability detection and supporting materials
https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq
https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89
Safe version of vulnerable product or patch
Vulnerability resolved in versions 15.7.5, 15.6.6, and 15.5.9.
Impact on Yandex Cloud services
For the convenience of Managed Service for GitLab users, we already updated current and upcoming instances to the latest version. If you are using images on your VMs, we recommend that you update them on your own.
26/12/2022: CVE-2022-47940: KSMBD FS/KSMBD/SMB2PDU.C SMB2_WRITE
CVE ID: CVE-2022-47940
Link to CVE: https://ubuntu.com/security/CVE-2022-47940
Original report
https://ubuntu.com/security/CVE-2022-47940
Summary
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Linux Kernel. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of SMB2_WRITE commands. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. To be vulnerable, needs ksmbd-tools installed to enable the ksmbd service, which is not installed by default.
Technologies affected
Linux Kernel.
Vulnerable products and versions
Linux Kernel up to 5.18.17
ksmbd-tools
Vendor
ksmbd-tools
Attack vector and severity level per CVSS v.3.0
Severity level: 4.1
Recommendations for vulnerability detection and supporting materials
Safe version of vulnerable product or patch
The vulnerability is fixed as of Linux Kernel version 5.18.18.
Impact on Yandex Cloud services
The vulnerable component is not present among loaded modules and installed components in cloud services.
If you are using vulnerable OS images from Marketplace in Yandex Compute Cloud, you have to update them to secure versions yourself.
06/12/2022: CVE-2022-28228: Out-of-bounds reads in YDB servers
Updated on 08/12/2022
Vulnerability reported by: Max Arnold arnold.maxim@yandex.ru
CVE ID: CVE-2022-28228
CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28228
Original report
https://ydb.tech/docs/en//security-changelog#28-11-2022
Summary
Hackers can create special requests that trigger errors. An error message can include fragments of data from another cluster. Hackers can also run a denial of service attack against clusters.
Technologies affected
Yandex Managed Service for YDB in serverless mode.
Vulnerable products and versions
All the versions below 22.4.44 have this vulnerability.
Version 22.4.44 is safe.
Vendor
Yandex
Recommendations for vulnerability detection and supporting materials
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28228
Safe version of vulnerable product or patch
Any version from 22.4.44 or higher.
Compensatory measures for Yandex Cloud users
Everything has been done at the service level, no additional action is needed.
Impact on Yandex Cloud services
Only Yandex Managed Service for YDB in the serverless mode was subject to the vulnerability. The vulnerability is closed at present: all the YDB instances were updated to the safe version.
03/11/2022: CVE-2022-42889: Text4Shell
CVE ID: CVE-2022-42889
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-42889
Original report
https://nvd.nist.gov/vuln/detail/CVE-2022-42889
Summary
The vulnerability was found in a number of Apache Commons Text library versions. Applications using default string interpolation parameters may be vulnerable to remote code execution or unintentional contact with untrusted remote servers.
Technologies affected
Apache Commons Text
Vulnerable products and versions
The vulnerability affects versions 1.5 through 1.9.
Version 1.10.0 is safe.
Vendor
Apache Software Foundation
Attack vector and severity level per CVSS v.3.0
Severity level: 9.8_Critical.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Recommendations for vulnerability detection and supporting materials
- https://infosecwriteups.com/text4shell-poc-cve-2022-42889-f6e9df41b3b7
- https://sysdig.com/blog/cve-2022-42889-text4shell/
- https://kyverno.io/policies/other/verify_image_cve-2022-42889/
Safe version of vulnerable product or patch
The vulnerability is fixed as of version 1.10.0.
Impact on Yandex Cloud services
The library has been upgraded to the safe version in Yandex Cloud services where it is used.
01/09/2022: CVE-2022-2992: GitLab Critical Security Release: 15.3.2, 15.2.4, and 15.1.6
CVE ID: CVE-2022-2992
Link to CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2992
Original report
https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
Brief description
Multiple vulnerabilities. Complete list: https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
Technologies affected
GitLab
Vulnerable products and versions
All GitLab CE/EE versions before 15.3.2, 15.2.4, and 15.1.6 are affected.
The vulnerability was fixed in versions 15.3.2, 15.2.4, and 15.1.6.
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
Severity level: 9.9.
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Recommendations for vulnerability detection and supporting materials
https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
Safe version of vulnerable product or patch
Vulnerability resolved in versions 15.3.2, 15.2.4, and 15.1.6.
Compensatory measures for Yandex Cloud users
https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
Impact on Yandex Cloud services
The vulnerability affects the users of Managed Service for GitLab and GitLab images from Cloud Marketplace.
All GitLab images in Managed Service for GitLab and Cloud Marketplace are being updated to safe versions.
31/08/2022: CVE-2020-8561: Redirecting Kubernetes API server requests
CVE ID: CVE-2020-8561
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-8561
Original report
https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY
Summary
In Kubernetes, a user monitoring responses to MutatingWebhookConfiguration
or ValidatingWebhookConfiguration
requests is able to redirect kube-apiserver
requests to private networks hosting an API server. If the logging level is 10
, logs will capture responses from such private networks.
Technologies affected
Kubernetes
Vulnerable products and versions
All Kubernetes versions.
Vendor
Kubernetes
Attack vector and severity level per CVSS v.3.0
Severity level: 4.1.
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Recommendations for vulnerability detection and supporting materials
https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY
Safe version of vulnerable product or patch
No patches or safe versions.
Compensatory measures for Yandex Cloud users
https://groups.google.com/g/kubernetes-security-announce/c/RV2IhwcrQsY
Block kube-apiserver
access to resources with sensitive information.
You can also set a value below 10
for the -v
flag or false
for the --profiling
flag (default is true
). Webhook requests will be redirected to private networks but logs will not capture the body of the requests at a logging level below 10
. Users will not be able to modify the kube-apiserver
logging level.
Impact on Yandex Cloud services
No impact. The API serer in Yandex Managed Service for Kubernetes is isolated from the service interface. The server runs under an individual user account that is isolated by a local firewall.
25/08/2022: CVE-2022-2884: Remote Command Execution via GitHub import in GitLab
Updated on 01/09/2022
CVE ID: CVE-2022-2884
Link to CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2884
Original report
https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/
Summary
A vulnerability in GitLab CE/EE allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.
Technologies affected
GitLab
Vulnerable products and versions
The following GitLab CE/EE versions are vulnerable:
- Between 11.3.4 and 15.1.5.
- Between 15.2 and 15.2.3.
- Between 15.3 and 15.3.1.
The vulnerability was fixed in versions 15.1.5, 15.2.3, and 15.3.1.
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
Severity level: 9.9.
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
Recommendations for vulnerability detection and supporting materials
https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/
Safe version of the vulnerable product or patch
The vulnerability was fixed in GitLab CE/EE 15.1.5, 15.2.3, and 15.3.1.
Compensatory measures for Yandex Cloud users
Disable import from GitHub to GitLab:
- Log in to your GitLab installation using an administrator account.
- Click Menu → Admin.
- Click Settings → General.
- Expand Visibility and access controls.
- Under Import sources, disable the GitHub option.
- Click Save changes.
Impact on Yandex Cloud services
The vulnerability doesn't affect Yandex Cloud users. GitLab in Managed Service for GitLab and Cloud Marketplace has been updated to a safe version.
04/07/2022: CVE-2022-27228: Vulnerability of "vote" module in CMS 1C-Bitrix
CVE ID: CVE-2022-27228
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-27228
Original report
https://bdu.fstec.ru/vul/2022-01141
https://helpdesk.bitrix24.com/open/15536776/
Brief description
Vulnerability of the "vote" module in the 1C-Bitrix content management system (CMS): website management linked to ability to send special network packets. The exploit may enable a hacker to write arbitrary files remotely to a vulnerable system.
Technologies affected
Bitrix CMS
Vulnerable products and versions
All versions before 21.0.100.
Vendor
1C-Bitrix
Attack vector and severity level per CVSS v.3.0
Severity level: 9,8
Recommendations for vulnerability detection and supporting materials
Requests for /bitrix/tools/composite_data.php
, /bitrix/tools/html_editor_action.php
, /bitrix/admin/index.php
, /bitrix/tools/vote/uf.php
.
Safe version of vulnerable product or patch
Vulnerability resolved in "vote" module version 21.0.100.
https://dev.1c-bitrix.ru/docs/versions.php?lang=ru&module=vote
Compensatory measures for Yandex Cloud users
Additional validation of inputs to the "vote" module including WAF validation.
Impact on Yandex Cloud services
No impact on Yandex Cloud services.
22/06/2022: CVE-2022-1680: GitLab account takover, critical vulnerability
CVE ID: CVE-2022-1680
Link to CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1680
Original report
https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
Brief description
When SAML SSO and SCIM are used for a premium GitLab group, any group owner can invite arbitrary users into the group, change those users' email address via SCIM, and take over those users' accounts (unless two-factor authentication is being used).
Technologies affected
Gitlab
Vulnerable products and versions
The following GitLab Enterprise Edition (EE) versions are vulnerable:
- Between 11.10 and 14.9.5.
- Between 14.10 and 14.10.4.
- Between 15.0 and 15.0.1.
In versions 15.0.1, 14.10.4, and 14.9.5, the vulnerability has been eliminated.
Vendor
GitLab Inc.
Attack vector and severity level per CVSS v.3.0
Severity level: 9.9
Recommendations for vulnerability detection and supporting materials
If you are using a custom GitLab installation, check whether group_saml
has been enabled https://docs.gitlab.com/ee/integration/saml.html#configuring-group-saml-on-a-self-managed-gitlab-instance
Safe version of vulnerable product or patch
Vulnerability resolved in versions 15.0.1, 14.10.4, and 14.9.5.
Compensatory measures for Yandex Cloud users
-
Yandex Compute Cloud
GitLab images for Yandex Compute Cloud in Yandex Cloud Marketplace have been updated to a safe version.
Yandex Compute Cloud users with deprecated GitLab images from Yandex Cloud Marketplace or deprecated custom installations may be subject to the vulnerability.
Update to the latest version.
-
Yandex Managed Service for GitLab
For Yandex Managed Service for GitLab users (at the preview stage), the GitLab version has been updated to a safe version.
No additional action on the part of the users is required.
15/06/2022: CVE-2021-25748: Ingress-nginx. Path sanitization bypass
CVE ID: CVE-2021-25748
Link to CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25748
Original report
Brief description
The user can bypass sanitization of the spec.rules[].http.paths[].path
field of an ingress object (in the networking.k8s.io or extensions API group) by using a newline character in the field value to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
Involved technologies
- Kubernetes
- Nginx
Affected products and versions
ingress-nginx < v1.2.1
Vendor
NGINX ingress controller
Attack vector and severity level according to CVSS v.3.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Recommendations for vulnerability detection and supporting materials
Safe version of the vulnerable product or patch
ingress-nginx v1.2.1
Compensatory measures for Yandex Cloud users
If you are using ingress-nginx controller in Yandex Managed Service for Kubernetes or self-hosted Kubernetes and are unable to roll out the fix, use a policy that restricts the spec.rules[].http.paths[].path
field of the networking.k8s.io/Ingress resource to safe characters (see the newly added rules
Impact on Yandex Cloud services
There is no impact on Yandex Cloud services, since the infrastructure does not use ingress-nginx. The alb-ingress controller is used instead.
29/04/2022: CVE-2022-24735, CVE-2022-24736: Redis
Description
CVE-2022-24735
Vulnerability CVE-2022-24735
For a detailed description of the vulnerability, see this article
Vulnerability description: CVE-2022-24735
CVSS score: 3.9 LOW
CVE-2022-24736
Vulnerability CVE-2022-24736
For a detailed description of the vulnerability, see this article
Vulnerability description: CVE-2022-24736
CVSS score: 3.3 LOW
Impact
General impact
All Redis databases prior to version 7.0.0 and 6.2.7 are affected.
Impact on Yandex Cloud services
The Yandex Managed Service for Valkey™ service uses the following Redis versions: 5.0, 6.0, 6.2.
The following measures are being taken to mitigate the vulnerability in Yandex Cloud services:
- All instances of version 6.2 will be upgraded to the updated version 6.2.7. The upgrade will occur following the standard cluster settings.
- For versions 6.0 or 5.0, the vendor has not released updates. Users need to upgrade to version 6.2 themselves in order to get the standard update to version 6.2.7.
Compensatory measures
If you are using Redis version 6.0 or 5.0 as part of Yandex Managed Service for Valkey™, upgrade to version 6.2 as soon as possible.
If you are using your own Redis installation, upgrade to version 6.2.7 or 7.0.0. If an upgrade isn't currently possible, the vendor has released a workaround
06/04/2022: CVE-2022-1162: GitLab Critical Security Release
Description
GitLab has published an overview of a number of vulnerabilities in their article
The vulnerability was discovered internally and assigned the ID CVE-2022-1162. The vulnerability affects both GitLab Community Edition (CE) and Enterprise Edition (EE):
- All versions through 14.7.7.
- All versions from 14.8 through 14.8.5.
- All versions from 14.9 through 14.9.2.
The vulnerability results from hardcoded passwords being set inadvertently during OmniAuth-based registration in GitLab CC/EE.
This is an unscheduled release which is also the March monthly release.
GitLab has prepared a script
Impact on Yandex Cloud services
Yandex Compute Cloud
A GitLab image for Yandex Compute Cloud in Yandex Cloud Marketplace was updated to the latest version.
Potentially, the vulnerability affects all Yandex Compute Cloud users utilizing deprecated GitLab images from Yandex Cloud Marketplace or deprecated custom images. These users must reinstall their systems using an updated Marketplace image or update their GitLab to the most recent version.
Yandex Cloud sent out notifications to all users with a deprecated GitLab image.
Yandex Managed Service for GitLab
For anyone using Yandex Managed Service for GitLab in test mode in a Yandex Cloud cloud, we have already updated the existing and future instances to the latest version.
Yandex Cloud sent out notifications to all Yandex Managed Service for GitLab users.
Compensatory measures
Potentially, the vulnerability affects all users using deprecated custom GitLab images. These users need to upgrade their GitLab version to the latest one.
18/03/2022: CVE-2022-0811: cr8escape
Description
CrowdStrike security researchers discovered a new vulnerability in the CRI-O container engine that can be used in Kubernetes. It can be exploited by an attacker with rights to deploy a pod to escape a container, gain root privileges, and move anywhere in the cluster.
The issue is that, starting from CRI-O 1.19, the sysctl system parameters can be overridden, for example, by abusing kernel.core_pattern to escape a container.
Original report: article
Vulnerability description: CVE-2022-0811
Impact on Yandex Cloud services
There is no impact, since CRI-O is not used in Managed Service for Kubernetes.
Compensatory measures
If you're using Kubernetes as a custom bare metal installation rather than within Managed Service for Kubernetes:
-
Update the CRI-O to version 1.23.2.
-
If there is no patch with updates for your OS, roll back the CRI-O version to 1.18 or lower.
-
If you can't change the CRI-O version:
- Apply the policy that disallows"+" or "=" in sysctl values.
- PodSecurityPolicy forbiddenSysctls
to forbid any sysctl.
09/03/2022: CVE-2022-0847: Dirty Pipe
Updated on 17/03/2022
Description
The vulnerability has been discovered in Linux. The vulnerability allows data to be overwritten in read-only official files.
The vulnerability is relevant for kernel versions from 5.8.
The vulnerability was fixed in versions 5.16.11, 5.15.25 and 5.10.102.
Original report: article
Vulnerability description: CVE-2022-0847
Impact on Yandex Cloud services
The vulnerability does not affect the Yandex Cloud services, as the infrastructure uses kernel versions that are different from those affected by the vulnerability.
Several VM images from Cloud Marketplace were affected:
- ubuntu-20-04-lts-gpu
- ubuntu-20-04-lts-gpu-a100
Compensatory measures
The affected VM images have been removed from Cloud Marketplace and replaced with updated images.
If you are using a VM image that is affected by the vulnerability, update according to the official documentation.
Example for Ubuntu: https://ubuntu.com/security/notices/USN-5317-1.
28/02/2022: CVE-2022-0735 (token disclosure), CVE-2022-0549, CVE-2022-0751, CVE-2022-0741, CVE-2021-4191, CVE-2022-0738, CVE-2022-0489: Multiple GitLab vulnerabilities
Description
GitLab Inc. published an overview of a number of vulnerabilities in their article
CVE-2022-0735
The most severe vulnerability is CVE-2022-0735
It affects the following versions:
- All versions from 12.10 to 14.6.5 inclusive.
- All versions from 14.7 to 14.7.4 inclusive.
- All versions from 14.8 to 14.8.2 inclusive.
Other vulnerabilities are less critical.
CVE-2022-0549
CVE-2022-0549 "Unprivileged users can add other users to groups through an API endpoint" is a medium severity issue.
It affects the following versions:
- All versions from 14.4 to 14.4.4 inclusive.
- All versions from 14.5 to 14.5.2 inclusive.
CVE-2022-0751
CVE-2022-0751 "Inaccurate display of Snippet contents can be potentially misleading to users" is a medium severity issue.
CVE-2022-0741
CVE-2022-0741 "Environment variables can be leaked via the sendmail delivery method" is a medium severity issue.
CVE-2021-4191
CVE-2021-4191 "Unauthenticated user enumeration on GraphQL API" is a medium severity issue and applies to all versions from 14.4 to 14.8 inclusive.
CVE-2022-0738
CVE-2022-0738 "Adding a pull mirror with SSH credentials can leak password" is a medium severity issue.
It affects the following versions:
- All versions from 14.6 to 14.6.5 inclusive.
- All versions from 14.7 to 14.7.4 inclusive.
- All versions from 14.8 to 14.8.2 inclusive.
CVE-2022-0489
CVE-2022-0489 "Denial of Service via user comments" is a minor severity issue and can affect all new versions starting from 8.15.
Links
For more information about vulnerabilities, see the original GitLab report
Description of vulnerabilities:
Impact on Yandex Cloud services
Yandex Compute Cloud
A GitLab image for Yandex Compute Cloud in Yandex Cloud Marketplace was updated to the latest version.
All Yandex Compute Cloud users who have used GitLab images from Cloud Marketplace or their own images are potentially vulnerable. These users need to reinstall the system from the current Cloud Marketplace image or upgrade their GitLab version to the latest one by following the official instructions
If you can't upgrade the GitLab version, take compensatory measures.
Notifications with update recommendations were sent to all users who are using a deprecated GitLab image from Cloud Marketplace.
Yandex Managed Service for GitLab
For users of Managed Service for GitLab, which is now being tested in Yandex Cloud, we already updated current and upcoming instances to the latest version.
All Yandex Managed Service for GitLab users have been sent notification.
Compensatory measures
If you can't update now, you can temporarily fix the vulnerability using the hotpatch
28/01/2022: CVE-2022-0185: Heap overflow bug in legacy_parse_param
Description
Vulnerability CVE-2022-0185
For a detailed description of the vulnerability, see this article
Vulnerability description: CVE-2022-0185
CVSS score: 7.8.
Impact
General impact
This vulnerability affects Linux Kernel systems around the world that run kernel versions 5.1-rc1 to 5.16.
Impact on Yandex Cloud services
Yandex Cloud updated its services:
- Yandex Cloud Marketplace.
- Yandex Cloud internal infrastructure.
We are preparing updates for Yandex Managed Service for Kubernetes.
Compensatory measures
If you are using a cloud node group in Yandex Managed Service for Kubernetes, wait for the official update for the service and apply it. Alternatively, update the OS
You can also take the compensatory measures:
- Use a daemonset fix
for this vulnerability from yc-solution-library-for-security. It sets the settings according to Ubuntu recommendations. - Follow the official update or vulnerability compensation guidelines for your Linux distribution. For example, set
sysctl -w kernel.unprivileged_userns_clone=0
for Ubuntu. - Use seccomp in Kubernetes as described in this article
. - Do not assign redundant capabilities and use the k8s security section from our checklist for monitoring them.
28/01/2022: CVE-2021-4034: Polkit's pkexec
Description
Vulnerability CVE-2021-4034
For a detailed description of the vulnerability, see this article
Vulnerability description: CVE-2021-4034
CVSS score: 7.8.
Impact
General impact
The vulnerability affects all the Unix-like operating systems running any policykit-1 (0.105) version lower than specified in the article. See here for Ubuntu
Impact on Yandex Cloud services
Yandex Cloud updated its services:
- Yandex Cloud Marketplace.
- Yandex Cloud internal infrastructure.
We are preparing updates for Yandex Managed Service for Kubernetes.
Compensatory measures
If you are using a cloud-based node group in Yandex Managed Service for Kubernetes, wait for the official update for the service and apply it. Alternatively, update the OS
You can also take the compensatory measures:
-
Use a daemonset fix
for this vulnerability from yc-solution-library-for-security. It sets the settings according to Ubuntu recommendations. -
Follow the official update or vulnerability compensation guidelines for images from Yandex Cloud Marketplace or your own images in Yandex Compute Cloud. For example, set access rights for Ubuntu:
chmod 0755 /usr/bin/pkexec
.
29/12/2021: CVE-2021-45105, CVE-2021-44832: Denial of service and remote code execution (Log4j)
Description
Vulnerability CVE-2021-45105 is found in Apache Log4j versions 2.0-alpha through 2.16.0, excluding 2.12.3. The versions do not protect from uncontrolled recursion from self-referential lookups. This may result in a StackOverflowError and a DoS attack.
Vulnerability CVE-2021-44832 is found in Apache Log4j versions 2.0-beta7 through 2.17.0, excluding security fix releases 2.3.2 and 2.12.4. The versions are vulnerable to a remote code execution (RCE) attack where an attacker has permission to modify the logging configuration file.
Original report from logging.apache.org
Vulnerability description: CVE-2021-45105
CVSS rating:
- CVE-2021-45105 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
- CVE-2021-44832 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Impact
General impact
The Log4j library is included in almost all Apache Software Foundation enterprise solutions, such as Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Kafka, Apache Dubbo, and others.
For a complete list of software affected by the vulnerability, see:
- https://github.com/NCSC-NL/log4shell/tree/main/software
- https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
Impact on Yandex Cloud services
Vulnerable versions of the library are not used in Yandex Cloud services.
Compensatory measures
If your infrastructure uses this library or the products listed in the "General Impact" section, follow the steps below.
Log4j 1.x
Log4j 1.x is not affected by the vulnerability.
Log4j 2.x
- Java 6: Upgrade to Log4j 2.3.2.
- Java 7: Upgrade to Log4j 2.12.4.
- Java 8 (and later): Upgrade to Log4j 2.17.1.
- If you cannot upgrade the library now, make sure that the JDBC Appender is not configured to use any protocol other than Java.
Note that only the log4j-core JAR file is affected by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not affected by this vulnerability.
Also note that Apache Log4j is the only Logging Services subproject impacted by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this vulnerability.
Source: https://logging.apache.org/log4j/2.x/security.html
You can also use the following tools to scan your infrastructure for the log4j vulnerability:
- https://github.com/google/log4jscanner
- https://github.com/bi-zone/Log4j_Detector
17/12/2021: CVE-2021-45046: Remote code execution (Log4j)
Description
Vulnerability CVE-2021-45046
It was found that the fix to address the CVE-2021-44228
A detailed description of the exploit and this behavior is provided in a Lunasec article
Original report from logging.apache.org
Vulnerability description: CVE-2021-45046
CVSSv3.1 rating: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Impact
General impact
The Log4j library is included in almost all Apache Software Foundation enterprise solutions, such as Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Kafka, Apache Dubbo, and others.
For a complete list of software affected by the vulnerability, see:
- https://github.com/NCSC-NL/log4shell/tree/main/software
- https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
Impact on Yandex Cloud services
Services that used the Yandex Managed Service for Elasticsearch library, Yandex Data Processing, and a number of basic platform services were successfully updated.
Yandex Cloud has collected information on users that have utilized these services. Appropriate alerts have gone out.
Compensatory measures
If your infrastructure uses this library or the products listed in the "General Impact" section, follow the steps below.
Log4j 1.x
Log4j 1.x is not affected by the vulnerability.
Log4j 2.x
- Java 8 (and later): Upgrade to Log4j 2.16.0.
- Java 7: Upgrade to Log4j 2.12.2.
- If you cannot upgrade the library now, remove the
JndiLookup
class from the classpath:zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
.
Users are advised not to enable JNDI in Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.
Note that only the log4j-core JAR
file is affected by this vulnerability. Applications using only the log4j-api JAR
file without the log4j-core JAR
file are not affected by this.
Source: https://logging.apache.org/log4j/2.x/security.html
10/12/2021: CVE-2021-44228: Remote code execution (Log4Shell, Apache Log4j)
Updated on 22.12.2021
Description
Vulnerability CVE-2021-44228
A zero-day exploit was discovered that results in remote code execution (RCE) by having a certain line entered into a log.
An attacker that can control log messages or log message parameters can execute arbitrary code downloaded from LDAP servers when the message lookup substitution
feature is active. Starting with log4j version 2.15.0, this behavior is disabled by default.
A detailed description of the exploit and this behavior is provided in a Lunasec article
Original report from logging.apache.org: Fixed in Log4j 2.15.0
Vulnerability description: CVE-2021-44228
CVSSv3.1 rating: 10.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
Learn more at: https://www.securitylab.ru/vulnerability/527362.php
Impact
General impact
-
The Log4j library is included in almost all Apache Software Foundation enterprise solutions, such as Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Kafka, Apache Dubbo, and others.
-
The vulnerability affects such open-source products as ElasticSearch, Elastic Logstash, the NSA’s Ghidra, etc.
-
Hystax products are vulnerable because they use a vulnerable version of Elasticsearch Logstash.
Hystax is working on new product releases to address the vulnerability.
Impact on Yandex Cloud services
Services that used the Yandex Managed Service for Elasticsearch library, Yandex Data Processing, and a number of basic platform services were successfully updated.
Yandex Cloud has collected information on users that have utilized these services. Appropriate alerts have gone out.
Compensatory measures
If your infrastructure uses this library or the products listed in the "General Impact" section, follow the steps below.
Log4j 1.x
Since Log4j 1.x does not support Lookups
Applications using Log4j 1.x are only vulnerable to this attack when they use JNDIJMSAppender
configured.
Log4j 2.x
- Java 8 (and later): Upgrade to Log4j 2.16.0.
- Java 7: Upgrade to release Log4j 2.12.2 as soon as it is available.
- If you cannot upgrade the library now, remove the
JndiLookup
class from the classpath:zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
.
Note that only the log4j-core JAR
file is affected by this vulnerability. Applications using only the log4j-api JAR
file without the log4j-core JAR
file are not affected by this.
Source: https://logging.apache.org/log4j/2.x/security.html
Hystax
Hystax Acura Controller: allow ingress traffic for UDP port 12201 only for a list of source IP ranges with replication agents deployed.
If you placed Hystax Acura Controller behind a network load balancer in your infrastructure, apply the above firewall rule to the respective load balancer.
12/11/2021: CVE-2021-22205: Remote code execution via a vulnerability in GitLab
Description
In GitLab versions starting 11.9, a security issue
The vulnerability is caused by not properly validating uploaded image files by an external file parser using the ExifTool library (CVE-2021-22204
The issue is fixed in GitLab versions 13.10.3, 13.9.6, and 13.8.8.
Impact on Yandex Cloud services
A GitLab image in Yandex Cloud Marketplace was updated to the latest version.
Notifications with update recommendations were sent to all users using a deprecated GitLab image.
Yandex Managed Service for GitLab users were not affected by the vulnerability, since the service uses the current GitLab version.
Compensatory measures
If you are using a deprecated GitLab image from Yandex Cloud Marketplace or a custom image, update
More information
- Action needed by self-managed customers in response to CVE-2021-22205
- GitLab CE CVE-2021-22205 in the wild
12/10/2021: CVE-2021-25741: Risk of accessing a host's filesystem
Description
A security issue
Impact on Yandex Cloud services
Yandex Managed Service for Kubernetes does not provide anonymous cluster access and is not affected by the vulnerability from an external attacker.
Compensatory measures
To remove the attack vector from an internal attacker, update all existing service clusters and node groups to version 1.19 or higher. If your clusters and node groups are already updated to version 1.19 or higher, update the revisions. An update that fixes the bug is available in all release channels.
We also recommend that you:
- Automatically update your clusters and node groups to the latest versions or revisions.
- Schedule manual updates at least once a month if you cannot apply automatic updates.
- Disable running pods as root for untrusted uploads.
To do this, you can use the following tools:
More information
A checklist for a secure Kubernetes configuration is available here.
03/03/2021: CVE-2021-21309: Remote code execution via a vulnerability in Valkey™
Description
In 32-bit Valkey™ versions 4.0 and higher, an integer overflow vulnerability was discovered, which, under certain conditions, may lead to a remote code execution.
Impact on Yandex Cloud services
Yandex Managed Service for Valkey™ uses 64-bit Valkey™ instances and is not affected by the vulnerability.
26/01/2021: CVE-2021-3156: Privilege escalation through vulnerabilities in sudo.
Description
A number of CVE-2021-3156sudo
. They allow attackers to execute privilege escalation to root
.
Impact on Yandex Cloud services
The following Linux OS images were updated:
- All images from the Yandex Cloud publisher available in Cloud Marketplace.
- A Container Optimized Image.
- An image that is used to create Managed Service for Kubernetes nodes.
- Images that are used to create managed database clusters.
- An image that is used to create Yandex Data Processing clusters.
More information
- Buffer overflow in command line unescaping
- CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
24/12/2020: CVE-2020-25695: Privilege escalation in PostgreSQL
Description
The CVE-2020-25695
Impact on Yandex Cloud services
All PostgreSQL instances used in Yandex Managed Service for PostgreSQL were updated
19/11/2020: Discontinue support for deprecated TLS protocols
Description
To make data transmission more secure, Yandex Cloud recommends that all users switch to technologies that provide encryption via TLS 1.2
Impact on Yandex Cloud services
All Yandex Cloud services support TLS 1.2 and higher. Legacy protocols will gradually be discontinued. We recommend that you upgrade your applications to the latest TLS versions in advance.
20/09/2020: CVE-2020-1472 (aka Zerologon)
Description
A Windows Netlogon Remote Protocol vulnerability that allows an unauthenticated attacker with network access permissions to a domain controller to compromise all Active Directory identification services.
Original report from Secura: Zerologon
Vulnerability description by Microsoft: CVE-2020-1472
Change management guide from Microsoft: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
Impact on Yandex Cloud services
OS images available to Yandex Compute Cloud users already contain updates that fix the vulnerability. All VMs created in Yandex Compute Cloud after the issue was reported are protected against the described attack.
Compensatory measures
In addition to the updates, to restrict access to your domain controller from untrusted networks, use the following network access control systems:
- Windows Firewall or security groups.
- Moving the domain controller behind a NAT gateway.
15/06/2020: Special Register Buffer Data Sampling Attack (aka CrossTalk)
Description
On certain Intel CPU models, VUSec detected a new attack
Intel's report: Deep Dive: Special Register Buffer Data Sampling
Impact on Yandex Cloud services
Yandex Cloud uses CPU models that are not vulnerable to CrossTalk attacks.
28.08.2019: TCP SACK
Description
Netflix experts found three vulnerabilities in the Linux kernel:
Original report from Netflix: NFLX-2019-001
Vulnerability analysis from Red Hat: TCP SACK PANIC
Impact on Yandex Cloud services
- The Yandex Cloud infrastructure was promptly protected and updated.
- The OS images available to Yandex Compute Cloud users were updated as soon as the appropriate fixes became available. Therefore, the new VMs created in Yandex Compute Cloud are not vulnerable to those vulnerabilities.
19.08.2019: Some Yandex Object Storage domains are included in the Public Suffix List
Description
List of domains included in Public Suffix List:
- yandexcloud.net
- storage.yandexcloud.net
- website.yandexcloud.net
Domains in the Public Suffix List get the properties of top-level domains, such as .ru or .com:
- Browsers will not save the cookies set for the listed domains.
- Browsers will not allow you to change the page's
Origin
request headers to root domains.
Impact on Yandex Cloud services
These changes will improve the security for Yandex Cloud users.