We are pleased to announce two new patch releases for CFEngine, version 3.18.4 and 3.21.1! These releases only contain security fixes for our recently discovered vulnerability; CVE-2023-26560.
Changelogs As always, you can see a full list of changes and improvements in our changelogs:
3.18.4 Changelog for CFEngine Community 3.18.4 Changelog for CFEngine Enterprise 3.18.4 Changelog for Masterfiles Policy Framework 3.21.1 Changelog for CFEngine Community 3.21.1 Changelog for CFEngine Enterprise 3.21.1 Changelog for Masterfiles Policy Framework Please note that the Enterprise changelogs contain only changes specific to enterprise. To get a full overview of all changes in a version, read all 3 changelogs.
We are writing to inform you about a security issue that was discovered in CFEngine 3.6.0 and later versions. Our development team found the vulnerabiliy relating to inadequate access control / unauthorized access to system files. MITRE assigned the CVE identifier CVE-2023-26560. We have no indications that this vulnerability has been used or known outside of the CFEngine development team.
Explanation The issue is that Mission Portal users can access certain files through scheduled reports, as these reports are run with elevated privileges, without additional checks to limit what can be queried. Within SQL queries (in PostgreSQL) you can use functions like pg_read_binary_file to access files on the file system. This issue is limited to scheduled reports, due to the different context where those queries are run.
Having a list of software that is allowed to be installed on a host is a strategy to prevent and fix security gaps and maintain compliance with operational guidelines. This zero-trust methodology ensures that only explicitly permitted applications are allowed to be present on a host unlike package block-listing which enumerates an explicit list of software that is not allowed to be present. In fact, with a software allow-list, you are essentially block-listing everything except the software you allow.
Can you trust the integrity of your base operating system runtime?
Jason Rogers and Dr. Wesley Peck of Invary join Cody, Craig and Nick to chat about their Runtime Integrity technology. They discuss the challenges of Trust, Information Technology Knowledge Management, and how Invary fits in the SecOps, Systems Automation, Security and Compliance landscape. Nick shares an example of an early integration between CFEngine and the Invary RISe agent1 with reporting in Mission Portal and talks about the different ways to approach integration.
Opening and reading files may cause your program to block indefinitely. In this blogpost we'll discuss how to work around this issue.
In February, our team attended both FOSDEM and CfgMgmtCamp (Configuration Management Camp) in Belgium. At CfgMgmtCamp we held several talks, and we'll upload some of the recordings.
Have a burning desire to run sshd or another service on your VR headset?
Cody, Craig and Nick do time-boxed live hackathon working on developing CFEngine services promise type support for Termux. Watch Nick and Craig race to implement basic services support before the timer buzzes.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
Using CFEngine there are many ways to group and classify your hosts. In order to group their hosts, our users use a combination of JSON files, CFEngine policy language (with variables, classes, and class expressions), host specific data and host filters in Mission Portal. With these features you can choose which hosts to show in reports, and you can make decisions on what changes to make on which hosts. There is, however, no straight forward way for a Mission Portal user to save a selection of hosts (a filter) and then start doing things (reports, changes) with those hosts.
What’s the best way to collect information when troubleshooting something with CFEngine?
Cody and Nick chat with Craig about cf-support a new tool shipping in the latest (and future) versions of CFEngine.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
I have stopped using my Linux distro’s package manager, and you should, too. Maybe I should clarify that. I don’t install software with my distro’s package manager any more. I still upgrade my system.
I became influenced by a few different factors. Top among these is something required in certain industries called a change advisory board or committee. This requirement says that changes to production computers have to be reviewed and approved by all stakeholders in that computer’s operations.
