A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
{"osv": [{"lastseen": "2022-05-12T01:15:44", "description": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "baseScore": 8.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 4.7}, "published": "2021-05-18T18:28:59", "type": "osv", "title": "Hard coded cryptographic key in Kiali", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1764"], "modified": "2021-05-06T21:51:32", "id": "OSV:GHSA-64RH-R86Q-75FF", "href": "https://osv.dev/vulnerability/GHSA-64rh-r86q-75ff", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T11:52:34", "description": "github.com/kiali/kiali is vulnerable to authentication bypass. The default signing key for JWT cookies is known in the source, allowing an attacker to forge credentials and use it to gain access to the application.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.7}, "published": "2020-03-31T03:59:09", "type": "veracode", "title": "Authentication Bypass", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1764"], "modified": "2020-06-29T07:55:58", "id": "VERACODE:22830", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-22830/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2023-08-04T12:28:04", "description": "Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.\n\nSecurity Fix(es):\n\n* kiali: JWT cookie uses default signing key (CVE-2020-1764)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.7}, "published": "2020-03-25T22:35:34", "type": "redhat", "title": "(RHSA-2020:0975) Moderate: Red Hat OpenShift Service Mesh 1.0.10 openshift-istio-kiali-rhel7-operator-container security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1764"], "modified": "2020-03-25T22:36:12", "id": "RHSA-2020:0975", "href": "https://access.redhat.com/errata/RHSA-2020:0975", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2023-06-06T15:08:38", "description": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.\n#### Mitigation\n\nThe Kiali configuration can be manually updated for ServiceMesh so that the default signing_key cannot be easily determined: \n\n\noc get kiali -n $(oc get kiali --all-namespaces --no-headers -o custom-columns=NS:.metadata.namespace) -o yaml | sed "s/spec:/spec:\\n login_token:\\n signing_key: $(chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; for i in {1..20}; do echo -n "${chars:RANDOM%${#chars}:1}"; done; echo)/" | oc apply -f - \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.7}, "published": "2020-03-25T22:01:26", "type": "redhatcve", "title": "CVE-2020-1764", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1764"], "modified": "2023-04-06T06:38:18", "id": "RH:CVE-2020-1764", "href": "https://access.redhat.com/security/cve/cve-2020-1764", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-06T14:31:26", "description": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.7}, "published": "2020-03-26T13:15:00", "type": "cve", "title": "CVE-2020-1764", "cwe": ["CWE-798"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1764"], "modified": "2020-05-28T17:21:00", "cpe": ["cpe:/a:redhat:openshift_service_mesh:1.0"], "id": "CVE-2020-1764", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1764", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*"]}], "githubexploit": [{"lastseen": "2022-03-23T17:15:27", "description": "# CVE-2020-1764 PoC\n\nAuth bypass PoC for Kiali 0.4.0 to 1.15.0 u...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.7}, "published": "2020-07-06T13:59:52", "type": "githubexploit", "title": "Exploit for Use of Hard-coded Credentials in Kiali", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1764"], "modified": "2020-09-21T13:51:22", "id": "9628BC6F-67B8-5D43-9375-C976FF38610B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "nessus": [{"lastseen": "2023-09-10T16:46:44", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5765 advisory.\n\n - In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service.\n The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. (CVE-2020-11080)\n\n - An improper link resolution vulnerability affects Kata Containers versions prior to 1.11.0. Upon container teardown, a malicious guest can trick the kata-runtime into unmounting any mount point on the host and all mount points underneath it, potentiality resulting in a host DoS. (CVE-2020-2024)\n\n - Kata Containers before 1.11.0 on Cloud Hypervisor persists guest filesystem changes to the underlying image file on the host. A malicious guest can overwrite the image file to gain control of all subsequent guest VMs. Since Kata Containers uses the same VM image file with all VMMs, this issue may also affect QEMU and Firecracker based guests. (CVE-2020-2025)\n\n - A malicious guest compromised before a container creation (e.g. a malicious guest image or a guest running multiple containers) can trick the kata runtime into mounting the untrusted container filesystem on any host path, potentially allowing for code execution on the host. This issue affects: Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; Kata Containers 1.9 and earlier versions. (CVE-2020-2026)\n\n - The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod.\n If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail. (CVE-2020-8557)\n\n - A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration. (CVE-2020-1764)\n\n - The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. (CVE-2020-8559)\n\n - Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar, triggering a null pointer exception which results in a denial of service. This also affects servicemesh-proxy where a null pointer exception flaw was found in servicemesh-proxy. When running Telemetry v2 (not on by default in version 1.4.x), an attacker could send a specially crafted packet to the ingress gateway or proxy sidecar, triggering a denial of service. (CVE-2020-10739)\n\n - In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com. This defect applies to both validating a client TLS certificate in mTLS, and validating a server TLS certificate for upstream connections. This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain of. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com. Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6, 1.13.4, 1.14.4, 1.15.0. (CVE-2020-15104)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-09-07T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : Unbreakable Enterprise kernel-container kata-image kata-runtime kata kubernetes kubernetes istio olcne (ELSA-2020-5765)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-10739", "CVE-2020-11080", "CVE-2020-15104", "CVE-2020-1764", "CVE-2020-2024", "CVE-2020-2025", "CVE-2020-2026", "CVE-2020-8557", "CVE-2020-8559"], "modified": "2023-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:olcne-agent", "p-cpe:/a:oracle:linux:olcne-api-server", "p-cpe:/a:oracle:linux:olcne-nginx", "p-cpe:/a:oracle:linux:olcne-utils", "p-cpe:/a:oracle:linux:olcnectl", "p-cpe:/a:oracle:linux:kubeadm", "p-cpe:/a:oracle:linux:kubectl", "p-cpe:/a:oracle:linux:kubelet", "p-cpe:/a:oracle:linux:istio", "p-cpe:/a:oracle:linux:istio-citadel", "p-cpe:/a:oracle:linux:istio-galley", "p-cpe:/a:oracle:linux:istio-istioctl", "p-cpe:/a:oracle:linux:istio-mixc", "p-cpe:/a:oracle:linux:istio-mixs", "p-cpe:/a:oracle:linux:istio-node-agent", "p-cpe:/a:oracle:linux:istio-pilot-agent", "p-cpe:/a:oracle:linux:istio-pilot-discovery", "p-cpe:/a:oracle:linux:istio-proxy-init", "p-cpe:/a:oracle:linux:istio-sidecar-injector", "p-cpe:/a:oracle:linux:kata", "p-cpe:/a:oracle:linux:kata-image", "p-cpe:/a:oracle:linux:kata-runtime", "p-cpe:/a:oracle:linux:olcne-istio-chart", "p-cpe:/a:oracle:linux:olcne-prometheus-chart", "p-cpe:/a:oracle:linux:kernel-uek-container"], "id": "ORACLELINUX_ELSA-2020-5765.NASL", "href": "https://www.tenable.com/plugins/nessus/180974", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2020-5765.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(180974);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/08\");\n\n script_cve_id(\n \"CVE-2020-1764\",\n \"CVE-2020-2024\",\n \"CVE-2020-2025\",\n \"CVE-2020-2026\",\n \"CVE-2020-8557\",\n \"CVE-2020-8559\",\n \"CVE-2020-10739\",\n \"CVE-2020-11080\",\n \"CVE-2020-15104\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Oracle Linux 7 : Unbreakable Enterprise kernel-container kata-image kata-runtime kata kubernetes kubernetes istio olcne (ELSA-2020-5765)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2020-5765 advisory.\n\n - In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service.\n The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of\n 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at\n 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement\n nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of\n settings entries are large (e.g., > 32), then drop the connection. (CVE-2020-11080)\n\n - An improper link resolution vulnerability affects Kata Containers versions prior to 1.11.0. Upon container\n teardown, a malicious guest can trick the kata-runtime into unmounting any mount point on the host and all\n mount points underneath it, potentiality resulting in a host DoS. (CVE-2020-2024)\n\n - Kata Containers before 1.11.0 on Cloud Hypervisor persists guest filesystem changes to the underlying\n image file on the host. A malicious guest can overwrite the image file to gain control of all subsequent\n guest VMs. Since Kata Containers uses the same VM image file with all VMMs, this issue may also affect\n QEMU and Firecracker based guests. (CVE-2020-2025)\n\n - A malicious guest compromised before a container creation (e.g. a malicious guest image or a guest running\n multiple containers) can trick the kata runtime into mounting the untrusted container filesystem on any\n host path, potentially allowing for code execution on the host. This issue affects: Kata Containers 1.11\n versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; Kata Containers 1.9 and\n earlier versions. (CVE-2020-2026)\n\n - The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account\n for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by\n kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod.\n If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node\n and cause the node to fail. (CVE-2020-8557)\n\n - A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all\n versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens\n and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio\n configuration. (CVE-2020-1764)\n\n - The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6\n are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to\n escalate privileges from a node compromise to a full cluster compromise. (CVE-2020-8559)\n\n - Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry\n v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer Exception\n resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar, triggering a\n null pointer exception which results in a denial of service. This also affects servicemesh-proxy where a\n null pointer exception flaw was found in servicemesh-proxy. When running Telemetry v2 (not on by default\n in version 1.4.x), an attacker could send a specially crafted packet to the ingress gateway or proxy\n sidecar, triggering a denial of service. (CVE-2020-10739)\n\n - In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when validating TLS certificates, Envoy would\n incorrectly allow a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example, with\n a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only\n allow subdomain.example.com. This defect applies to both validating a client TLS certificate in mTLS, and\n validating a server TLS certificate for upstream connections. This vulnerability is only applicable to\n situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which\n you only intend to trust a subdomain of. For example, if you intend to trust api.mysubdomain.example.com,\n and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com. Configurations are\n vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use\n match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6,\n 1.13.4, 1.14.4, 1.15.0. (CVE-2020-15104)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2020-5765.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1764\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/09/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:istio\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:istio-citadel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:istio-galley\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:istio-istioctl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:istio-mixc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:istio-mixs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:istio-node-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:istio-pilot-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:istio-pilot-discovery\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:istio-proxy-init\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:istio-sidecar-injector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kata\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kata-image\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kata-runtime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kubeadm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kubectl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kubelet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:olcne-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:olcne-api-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:olcne-istio-chart\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:olcne-nginx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:olcne-prometheus-chart\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:olcne-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:olcnectl\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.14.35-1902.303.5.3.el7'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2020-5765');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.14';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'istio-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'istio-citadel-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'istio-galley-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'istio-istioctl-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'istio-mixc-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'istio-mixs-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'istio-node-agent-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'istio-pilot-agent-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'istio-pilot-discovery-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'istio-proxy-init-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'istio-sidecar-injector-1.4.10-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kata-1.7.3-1.0.7.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kata-image-1.7.3-1.0.5.1.ol7_202007011859', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kata-runtime-1.7.3-1.0.5.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-container-4.14.35-1902.303.5.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-4.14.35'},\n {'reference':'kubeadm-1.14.9-1.0.6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubeadm-1.14.9'},\n {'reference':'kubeadm-1.17.9-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubeadm-1.17.9'},\n {'reference':'kubectl-1.14.9-1.0.6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubectl-1.14.9'},\n {'reference':'kubectl-1.17.9-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubectl-1.17.9'},\n {'reference':'kubelet-1.14.9-1.0.6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubelet-1.14.9'},\n {'reference':'kubelet-1.17.9-1.0.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kubelet-1.17.9'},\n {'reference':'olcne-agent-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'olcne-api-server-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'olcne-istio-chart-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'olcne-nginx-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'olcne-prometheus-chart-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'olcne-utils-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'olcnectl-1.1.2-6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'istio / istio-citadel / istio-galley / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "oraclelinux": [{"lastseen": "2021-07-30T06:24:44", "description": "kernel-uek-container\n[4.14.35-1902.303.5.3.el7]\n- rds: Deregister all FRWR mr with free_mr (Hans Westgaard Ry) [Orabug: 31476202]\n- Revert 'rds: Do not cancel RDMAs that have been posted to the HCA' (Gerd Rausch) [Orabug: 31475329]\n- Revert 'rds: Introduce rds_conn_to_path helper' (Gerd Rausch) [Orabug: 31475329]\n- Revert 'rds: Three cancel fixes' (Gerd Rausch) [Orabug: 31475318]\n[4.14.35-1902.303.5.2.el7]\n- rds: Three cancel fixes (Hakon Bugge) [Orabug: 31463014]\n[4.14.35-1902.303.5.1.el7]\n- x86/speculation: Add SRBDS vulnerability and mitigation documentation (Mark Gross) [Orabug: 31446720] {CVE-2020-0543}\n- x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation (Mark Gross) [Orabug: 31446720] {CVE-2020-0543}\n- x86/cpu: Add 'table' argument to cpu_matches() (Mark Gross) [Orabug: 31446720] {CVE-2020-0543}\n- x86/cpu: Add a steppings field to struct x86_cpu_id (Mark Gross) [Orabug: 31446720] {CVE-2020-0543}\n[4.14.35-1902.303.5.el7]\n- net/mlx5: Decrease default mr cache size (Artemy Kovalyov) [Orabug: 31446379]\n[4.14.35-1902.303.4.el7]\n- net/rds: suppress memory allocation failure reports (Manjunath Patil) [Orabug: 31422157]\n- rds: Do not cancel RDMAs that have been posted to the HCA (Hakon Bugge) [Orabug: 31422151]\n- rds: Introduce rds_conn_to_path helper (Hakon Bugge) [Orabug: 31422151]\nkata-image\n[1.7.3-1.0.5.1]\n- Address Kata CVE 2023\nkata-runtime\n[1.7.3-1.0.5]\n- Address Kata CVE-2020-2023\n- Address Kata CVE-2020-2024\n- Address Kata CVE-2020-2025\n- Address Kata CVE-2020-2026\nkata\n[1.7.3-1.0.7]\n- Address CVE-2020-2023\n- Address CVE-2020-2024\n- Address CVE-2020-2025\n- Address CVE-2020-2026\nkubernetes\n[1.14.9-1.0.6]\n- CVE-2020-8559: Privilege escalation from compromised node to cluster\n- CVE-2020-8557: Node disk DOS by writing to container /etc/hosts\n[1.14.9-1.0.5]\n- Update dependency on Kata containers to a build that includes fixes for CVE-2020-2023 thru CVE-2020-2026\nkubernetes\n[1.17.9-1.0.1.el7]\n- Added Oracle specific build files for Kubernetes\nistio\n[1.4.10-1.0.1]\n- CVE-2020-15104:\n Incorrect validation of wildcard DNS Subject Alternative Names\n[1.4.10-1.0.0]\n- Added Oracle Specific Build Files for istio/istio\nolcne\n[1.1.2-6]\n- Include kata-runtime in the default template\n[1.1.2-5]\n- CVE-2020-8559: Privilege escalation from compromised node to cluster\n- CVE-2020-8557: Node disk DOS by writing to container /etc/hosts\n[1.1.2-4]\n- Update arguments added for istio module.\n[1.1.2-3]\n- Ensure Istio sidecar injector uses valid executable\n[1.1.2-2]\n- Update Kubernetes to use Kata 1.7.3-1.0.7 to address CVE-2020-2023 thru CVE-2020-2026\n[1.1.2-1]\n- Added istio-1.4.10 charts and updated istio.yaml to use istio-1.4.10", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-22T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel-container kata-image kata-runtime kata kubernetes kubernetes istio olcne security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0543", "CVE-2020-10739", "CVE-2020-11080", "CVE-2020-15104", "CVE-2020-1764", "CVE-2020-2023", "CVE-2020-2024", "CVE-2020-2025", "CVE-2020-2026", "CVE-2020-8557", "CVE-2020-8559"], "modified": "2020-07-22T00:00:00", "id": "ELSA-2020-5765", "href": "http://linux.oracle.com/errata/ELSA-2020-5765.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
Hard coded cryptographic key in Kiali
