Show posts tagged:

CVE-2023-45684 - Mission Portal SQL injection vulnerability

We want to bring to your attention a critical security matter recently identified in CFEngine Enterprise version 3.6.0 and subsequent releases. This vulnerability pertains to a A03:2021 - Injection flaw within the CFEngine Enterprise web UI, Mission Portal, which can lead to unauthorized access to the underlying database. The CVE identifier CVE-2023-45684 has been assigned to this issue. At present, there is no evidence to suggest that this vulnerability has been exploited or that it was known beyond the CFEngine development team and the customer who brought it to our attention.

Posted by Lars Erik Wik
November 13, 2023

CVE-2023-26560 - Unauthorized access to system files through scheduled reports

We are writing to inform you about a security issue that was discovered in CFEngine 3.6.0 and later versions. Our development team found the vulnerabiliy relating to inadequate access control / unauthorized access to system files. MITRE assigned the CVE identifier CVE-2023-26560. We have no indications that this vulnerability has been used or known outside of the CFEngine development team. Explanation The issue is that Mission Portal users can access certain files through scheduled reports, as these reports are run with elevated privileges, without additional checks to limit what can be queried.

April 24, 2023

November 2022: Severe vulnerabilities in OpenSSL 3

On October 25th 2022 the OpenSSL project team announced 1 the forthcoming release of OpenSSL version 3.0.7. From the announcement we know that a fix will be made available on Tuesday November 1st, 2022 for a CRITICAL security issue. Note: CVE-2022-3786 and CVE-2022-3602 (X.509 Email Address Buffer Overflows) have been published 2. CVE-2022-3602 originally assessed as CRITICAL was downgraded to HIGH after further review prior to being published. Affected versions The vulnerability is reported to affect version 3.

Posted by Nick Anderson
November 1, 2022

CVE-2021-44215 & CVE-2021-44216 - Log file permissions

The CFEngine engineering team has recently discovered two security issues in the CFEngine Enterprise product, specifically in the hub package: CVE-2021-44215 - PostgreSQL log file world readable. CVE-2021-44216 - Apache and Mission Portal Application log files world readable. CVE-2021-44215 is a regression affecting currently supported versions 3.18.0 and 3.15.4 as well as some unsupported versions. CVE-2021-44216 affects all supported versions prior to 3.18.1 and 3.15.5 as well as some unsupported versions.

Posted by Nick Anderson
March 3, 2022

CVE-2021-38379 & CVE-2021-36756 - Exported report permissions and certificate checking in Federated Reporting

The CFEngine engineering team has recently discovered two security issues in the CFEngine Enterprise product: CVE-2021-38379 - Publicly available exported reports CVE-2021-36756 - Certificate not checked in Federated Reporting While the latter one (CVE-2021-36756) only affects CFEngine Enterprise deployments using the Federated Reporting functionality, the former one (CVE-2021-38379) affects all deployments running all supported versions of CFEngine Enterprise (and many unsupported versions, 3.5 or newer, to be more precise). Both issues were discovered internally during development and testing and we have no indications of these vulnerabilities being exploited or known of outside of the development team.

October 27, 2021

CVE-2019-19394 - Mission Portal JavaScript injection vulnerability

A vulnerability was recently discovered in CFEngine Mission Portal and has now been fixed. Under certain circumstances, it was possible to inject JavaScript code into data presented in Mission Portal, that would be run in the user’s browser. This security issue was fixed in CFEngine 3.10.7, 3.12.3, and 3.15.0, and will be mitigated by upgrading your hub to one of these versions (or later). No other action is required than upgrading the Hub.

April 16, 2020

Upgrading from CFEngine 2 to 3: running the 2 agents side by side with 3

CFEngine 2 network communication is insecure by today’s standards. CFEngine 2 CVE-2016-6329: CFEngine 2 uses Blowfish cipher (1993) which today is considered: Weak Deprecated Subject to key recovery attack No security fixes since 2008. Protocol communications not encrypted; only data transfer (which facilitates attack). Encryption is off by default. CFEngine 3 All communication is encrypted Uses TLS 1.3 (current state of the art) Up to date, maintained, secure from the software vendor Full Enterprise support, with SLA.

January 28, 2020

Updated Windows packages

Recently a security flaw, CVE-2019-1552, has been discovered in OpenSSL. This vulnerability affects the Windows Enterprise agent packages. To mitigate this security vulnerability we have rebuilt CFEngine with the fix to this issue. These packages have been re-released with the version number CFEngine 3.12.2-4. As always, you can download CFEngine Enterprise packages from the download page, Note that only the affected packages have been re-released. CFEngine Community wasn’t affected at all, due to lack of affected feature, Upgrade today, and make your automation even more secure!

August 26, 2019

CFEngine 3.12.2-3, 3.14.0-2 released (mitigating PostgreSQL CVE-2019-10164)

On [2019-07-29 Mon] we released new builds of our Enterprise Hub packages for 3.12.2 and 3.14.0. This release addresses CVE-2019-10164. PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user’s own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account. CFEngine Enterprise LTS versions 3.

Posted by Nick Anderson
August 6, 2019

CVE-2019-9929 - Internal authentication secrets leaked in logs

Description The CFEngine engineering team has recently discovered a severe security issue in the CFEngine Enterprise product. CFEngine is using some internal secrets for authentication to the Mission Portal API and the PostgreSQL database when running background maintenance tasks. These internal secrets are randomly generated during the installation process and stored in files which only the root user has access to. Unfortunately, the commands that generate and store the secrets were being logged to the /var/log/CFEngineHub-Install.

May 28, 2019