Unencrypted traffic between nodes when using WireGuard and L7 policies
Impact: In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies:
- Traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes.
- Traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS prox...
Design/Logic Flaw
A flaw was found in the Open Virtual Network OVN. In OVN clusters where BFD is used between hypervisors for high availability, an attacker can inject specially crafted BFD packets from inside unprivileged workloads, including virtual machines or containers, that can trigger a denial of service...
CVE-2024-2182
BIT-ETCD-2023-32082 etcd key name can be accessed via LeaseTimeToLive API
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to the key names (not the values) associated with a lease when the Keys parameter is true, even if the user does not have read permission for those keys. The impact is limit...
February 13, 2024—KB5034769 (OS Build 25398.709)
February 13, 2024—KB5034769 OS Build 25398.709 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server, version 23H2, see its update history page. Improvements This security update...
GHSA-475G-VJ6C-XF96 CrateDB database has an arbitrary file read vulnerability
Summary There is an arbitrary file read vulnerability in the CrateDB database, and authenticated CrateDB database users can read any file on the system. Details There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, a...
CVE-2023-52251
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/topic/messages...
Google Kubernetes Misconfig Lets Any Gmail Account Control Your Clusters
Cybersecurity researchers have discovered a loophole impacting Google Kubernetes Engine GKE that could be potentially exploited by threat actors with a Google account to take control of a Kubernetes cluster. The critical shortcoming has been codenamed Sys:All by cloud security firm Orca. As many ...
Fedora: Security Advisory (FEDORA-2023-9a74d212f8)
The remote host is missing an update for the (advisory title truncated in the snippet). The remainder of the snippet is license boilerplate from the Greenbone AG detection script rather than vulnerability text: SPDX-FileCopyrightText: 2024 Greenbone AG; some text descriptions might be excerpted from referenced sources and are Copyright (C) the respective right holders; SPDX-License-Identifier: GPL-2.0-only...
Vulnerabilities fixed in Oracle MySQL
Oracle has fixed vulnerabilities in several MySQL products. A malicious party can exploit the vulnerabilities to launch attacks that can lead to the following categories of damage: denial of service (DoS), manipulation of data, remote code execution, user rights, access to sensitive da...
PT-2024-4672 · Elastic · Elasticsearch
Name of the Vulnerable Software and Affected Versions: Elasticsearch versions prior to 8.14.0 Description: The issue is related to the implementation of the Elasticsearch search system's application programming interface, specifically with the cross-cluster API key. If a cross-cluster API key...
GHSA-HW4X-MCX5-9Q36 Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users
Withdrawn Advisory This advisory has been withdrawn because the vulnerability affects a binary, not a library in a supported ecosystem. Therefore, users of the library should not receive alerts. This link is maintained to preserve external references. Original Description Impact An authenticated...
[SECURITY] Fedora 39 Update: slurm-22.05.11-2.fc39
Slurm is an open source, fault-tolerant, and highly scalable cluster management and job scheduling system for Linux clusters. Components include machine status, partition management, job management, scheduling and accounting modules...
CVE-2023-51663
Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect OIDC email addresses from ID tokens to verify the validity of a user's domain, but because users have the ability to change...
Virtuozzo Hybrid Infrastructure 5.4 Update 4 Hotfix 5 (5.4.4-148)
This update provides stability and performance improvements. Vulnerability id: VSTOR-77435, VSTOR-77436 Performance improvements in the Cinder service in huge clusters. Vulnerability id: VSTOR-78255 Prevented installation of packages that were not downloaded completely. Vulnerability id:...
Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by Kubernetes API server security vulnerabilities (CVE-2023-39325 and CVE-2023-44487)
Summary Red Hat OpenShift on IBM Cloud is affected by security vulnerabilities in the Kubernetes API server that may allow a denial of service attack from unauthenticated clients CVE-2023-39325 and CVE-2023-44487. Vulnerability Details CVEID: CVE-2023-39325 Description: A malicious HTTP/2 client...
Important: Red Hat Bug Fix Advisory: LVMS 4.14.z Bug Fix and Enhancement update
Updated container images that fix multiple bugs are now available for LVMS 4.14.z. Logical volume manager storage LVMS uses the TopoLVM CSI driver to dynamically provision local storage on single node OpenShift clusters. Logical volume manager storage creates thin-provisioned volumes using the...
Rocky Linux 8 : Rocky Enterprise Software Foundation Ceph Storage 4.1 (RLSA-2020:2231)
The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2020:2231 advisory. - A flaw was found in the ceph-ansible playbook where it contained hardcoded passwords that were being used as default passwords while deploying Ceph services. A...
Privilege Escalation
github.com/kubernetes-csi/csi-proxy is vulnerable to Privilege Escalation. The vulnerability is caused by insufficient input sanitization while constructing different commands from the input string passed to different functions implemented in pkg/os/volume/api.go and pkg/os/volume/api.go. A user...