LAB-linuxserver/cstate
1
0
Fork 0
mirror of https://github.com/linuxserver/cstate.git synced 2026-02-20 07:55:25 +08:00
Code Issues Packages Projects Releases Wiki Activity
cstate/affected/vulnerabilities/index.xml

45 lines
9.4 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><link rel="alternate" type="text/html" href="https://info.linuxserver.io"/><title>Vulnerabilities on Info :: LinuxServer.io</title><link>https://info.linuxserver.io/affected/vulnerabilities/</link><description>History</description><generator>github.com/cstate</generator><language>en</language><lastBuildDate>2024-03-29T22:00:00+00:00</lastBuildDate><updated>2024-03-29T22:00:00+00:00</updated><atom:link href="https://info.linuxserver.io/affected/vulnerabilities/index.xml" rel="self" type="application/rss+xml"/><item><title>[Resolved] Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils</title><link>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</link><pubDate>Fri, 29 Mar 2024 22:00:00 +0000</pubDate><guid>https://info.linuxserver.io/issues/2024-03-29-cve-2024-3094/</guid><category>2024-04-10 22:00:00Z</category><description>Update - 2024-04-10 At this point we are comfortable that there was and is no risk to any of our images as a result of the XZ backdoor and are considering the issue resolved.
Update - 2024-03-30 Further analysis of the exploit code indicates that it is only functional on amd64 hardware running glibc and a deb or rpm-based Linux distribution. The original CISA alert stated that the exploit could allow remote code execution, however, it remains unclear exactly what the payload was intended to do and so they have changed their description to &amp;ldquo;may allow unauthorized access to affected systems&amp;rdquo;.</description><content type="html">&lt;h3 id="update---2024-04-10">Update - 2024-04-10&lt;/h3>
&lt;p>At this point we are comfortable that there was and is no risk to any of our images as a result of the XZ backdoor and are considering the issue resolved.&lt;/p>
&lt;h3 id="update---2024-03-30">Update - 2024-03-30&lt;/h3>
&lt;p>Further analysis of the exploit code indicates that it is only functional on amd64 hardware running glibc and a deb or rpm-based Linux distribution. The original CISA alert stated that the exploit could allow remote code execution, however, it remains unclear exactly what the payload was intended to do and so they have changed their description to &amp;ldquo;may allow unauthorized access to affected systems&amp;rdquo;.&lt;/p>
&lt;p>As best we can tell at this point, none of our images were or are impacted by this vulnerability, but our original recommendations remain in place.&lt;/p>
&lt;h3 id="original-post">Original Post&lt;/h3>
&lt;p>A supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under &lt;a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094">CVE-2024-3094&lt;/a>, which could allow remote code execution under certain circumstances. The original report is available &lt;a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">here&lt;/a> if you are interested in the technical details.&lt;/p>
&lt;p>We have evaluated all of our current base images for indications that they may be vulnerable to this exploit:&lt;/p>
&lt;ul>
&lt;li>Our Ubuntu, Debian, and Fedora base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.&lt;/li>
&lt;li>Our Arch base image did contain an affected version of XZ Utils, and we have now pushed an updated build that includes a fixed version of the XZ package.&lt;/li>
&lt;li>Our Alpine Edge base image did contain an affected version of XZ Utils, but did not appear to be vulnerable due to the exploit&amp;rsquo;s dependency on glibc, and we have now pushed an updated build that includes a fixed version of the XZ package.&lt;/li>
&lt;li>Our other Alpine base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.&lt;/li>
&lt;/ul>
&lt;p>So far the only exploitation path that has been observed is via SSH, and so in the vast majority of cases could not be exploited in any of our container environments, but we always recommend that you ensure any internet-facing containers are properly secured and kept up to date.&lt;/p>
&lt;p>We will update this post as and when more information becomes available.&lt;/p></content></item><item><title>[Resolved] log4j Vulnerability</title><link>https://info.linuxserver.io/issues/2021-12-13-log4j/</link><pubDate>Mon, 13 Dec 2021 15:00:00 +0000</pubDate><guid>https://info.linuxserver.io/issues/2021-12-13-log4j/</guid><category>2022-02-18 18:00:00Z</category><description>Update At this time we have determined that all application/container updates or mitigations that we can reasonably provide have been actioned and as such are marking this issue as resolved.
Original Post Multiple vulnerabilities (CVE-2021-44228 and CVE-2021-45046) have been discovered in log4j which can lead to denial of service and remote code execution. The following Linuxserver containers have been confirmed not to be affected by CVE-2021-44228 or CVE-2021-45046 due to existing mitigations, upstream patches, or workarounds applied to the container images.</description><content type="html">&lt;h3 id="update">Update&lt;/h3>
&lt;p>At this time we have determined that all application/container updates or mitigations that we can reasonably provide have been actioned and as such are marking this issue as resolved.&lt;/p>
&lt;h3 id="original-post">Original Post&lt;/h3>
&lt;p>Multiple vulnerabilities (&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228&lt;/a> and &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046&lt;/a>) have been discovered in log4j which can lead to denial of service and remote code execution. The following Linuxserver containers have been confirmed not to be affected by CVE-2021-44228 &lt;em>or&lt;/em> CVE-2021-45046 due to existing mitigations, upstream patches, or workarounds applied to the container images.&lt;/p>
&lt;p>&lt;strong>Please note these lists apply to the stated version tags and later &lt;em>only&lt;/em>. If you are running older versions of the images they may still be vulnerable.&lt;/strong>&lt;/p>
&lt;ul>
&lt;li>&lt;a href="https://github.com/linuxserver/docker-fleet">Fleet&lt;/a> - &lt;code>version-2.3.2&lt;/code> and later (Workaround applied + upstream fix)&lt;/li>
&lt;li>&lt;a href="https://github.com/linuxserver/docker-airsonic">Airsonic&lt;/a> (No log4j-core in use)&lt;/li>
&lt;li>&lt;a href="https://github.com/linuxserver/docker-habridge">HABridge&lt;/a> (No log4j-core in use)&lt;/li>
&lt;li>&lt;a href="https://github.com/linuxserver/docker-unifi-controller">Unifi Controller&lt;/a> - &lt;code>version-6.5.55&lt;/code> and later (Workaround applied + upstream fix)&lt;/li>
&lt;li>&lt;a href="https://github.com/linuxserver/docker-davos">Davos&lt;/a> &lt;code>version-2.2.2&lt;/code> and later (Upstream fix)&lt;/li>
&lt;li>&lt;a href="https://github.com/linuxserver/docker-booksonic-air/">Booksonic Air&lt;/a> - &lt;code>version-v2112.2.0&lt;/code> and later (Upstream fix)&lt;/li>
&lt;/ul>
&lt;p>The following Linuxserver containers have been confirmed not to be affected by CVE-2021-44228 due to existing mitigations, upstream patches, or workarounds applied to the container images, but may still be vulnerable to CVE-2021-45046.&lt;/p>
&lt;ul>
&lt;li>&lt;a href="https://github.com/linuxserver/docker-unifi-controller">Unifi Controller&lt;/a> - &lt;code>version-6.5.54&lt;/code> and later (Workaround applied + upstream fix)&lt;/li>
&lt;li>&lt;a href="https://github.com/linuxserver/docker-booksonic-air/">Booksonic Air&lt;/a> - &lt;code>version-v2112.1.0&lt;/code> and later (Upstream fix)&lt;/li>
&lt;li>&lt;a href="https://github.com/linuxserver/docker-nzbhydra2">nzbhydra2&lt;/a> - &lt;code>version-v3.18.4&lt;/code> and later (Upstream fix)&lt;/li>
&lt;/ul>
&lt;p>The following Linuxserver containers are known to be using a vulnerable version of log4j in their current versions and cannot be mitigated by us. This does not mean they are definitely exploitable, but they may be, especially if exposed to the internet.&lt;/p>
&lt;ul>
&lt;li>&lt;a href="https://github.com/linuxserver/docker-booksonic">Booksonic&lt;/a> (Deprecated)&lt;/li>
&lt;/ul>
&lt;p>The following Linuxserver containers are unconfirmed as to their vulnerability status, but are Java-based and so may be using log4j in some capacity.&lt;/p>
&lt;ul>
&lt;li>&lt;a href="https://github.com/linuxserver/docker-ubooquity">Ubooquity&lt;/a>&lt;/li>
&lt;/ul>
&lt;p>We will update this post as more information becomes available.&lt;/p></content></item><item><title>[Resolved] Authelia Vulnerability</title><link>https://info.linuxserver.io/issues/2021-05-30-authelia/</link><pubDate>Sun, 30 May 2021 00:00:00 +0000</pubDate><guid>https://info.linuxserver.io/issues/2021-05-30-authelia/</guid><category>2021-05-30</category><description>A vulnerability has been discovered in Authelia versions prior to 4.29.3 when used with nginx which can result in an authentication bypass. To ensure you are protected please upgrade to at least Authelia version 4.29.3 and/or Swag version 1.15.0-ls63.</description><content type="html">&lt;p>A &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2021-32637">vulnerability&lt;/a> has been discovered in Authelia versions prior to 4.29.3 when used with nginx which can result in an authentication bypass. To ensure you are protected please upgrade to at least Authelia version 4.29.3 and/or Swag version 1.15.0-ls63.&lt;/p></content></item></channel></rss>
Reference in New Issue View Git Blame Copy Permalink