In this week’s digest, we’ll cover:
- Kibana security release.
- A vulnerability in how Traefik manages TLS connections.
- Weak randomness of Webcrypto Keygen in NodeJS.
Kibana Security Release
Type confusion: A program allocates or initializes a resource such as a pointer, object, or variable using one type, but later accesses that resource using a type that is incompatible with the original type. – MITRE definition
CVSSv3.1: NIST – 8.8 (High) | CVE ID: CVE-2022-1364
7.17.8, 8.5.0 Security Updates: A type confusion vulnerability was discovered in the headless Chromium browser that Kibana relies on for its reporting functionality. This issue only affects on-premises Kibana instances on host operating systems (CentOS and Debian only) where the Chromium sandbox is disabled. On Elastic Cloud the Chromium sandbox is enabled by default and cannot be disabled, so this issue does not affect Elastic Cloud. This issue also does not affect Elastic Cloud Enterprise.
![Kibana security release mitigation chart](https://www.linode.com/wp-content/uploads/2022/12/kibana-security-release.png)
Traefik vulnerability in managing TLS connections
CVSSv3.1:
- NIST – 6.6 (Medium)
- CNA (GitHub) – 8.1 (High)
CVE ID: CVE-2022-46153
Traefik is a modern HTTP reverse proxy and load balancer. It integrates with existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS) and configures itself automatically and dynamically.
Affected versions have a potential vulnerability in how Traefik manages TLS connections. A router configured with a TLSOption that is not properly formatted will be published with an empty TLSOption. For example, a route secured using an mTLS connection configured with the wrong CA file will be exposed without validating the client certificate. We recommend upgrading to version 2.9.6.
Patch: https://github.com/traefik/traefik/releases/tag/v2.9.6
Users who cannot upgrade should check the logs for the following error messages and fix the TLS options directly.
Empty CA:
{"level":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"Router0@file"}
Bad CA content (or bad path):
{"level":"error","msg":"invalid certificate(s) content","routerName":"Router0@file"}
Unknown client authentication type:
{"level":"error","msg":"unknown client auth type \"FooClientAuthType\"","routerName":"Router0@file"}
Invalid Cipher Suite:
{"level":"error","msg":"invalid CipherSuite: foobar","routerName":"Router0@file"}
Invalid curve preference:
{"level":"error","msg":"invalid CurveID in curvePreferences: foobar","routerName":"Router0@file"}
Weak randomness of Webcrypto Keygen in NodeJS
CWE-338: Use of a cryptographically weak pseudorandom number generator (PRNG). The product uses a pseudo-random number generator (PRNG) in a security context, but the PRNG’s algorithm is not cryptographically strong.
CVSSv3.1: NIST – 9.1 (Critical) | CVE ID: CVE-2022-35255
The vulnerability, introduced in NodeJS v15.0.0, was found by a contributor on HackerOne: https://github.com/nodejs/node/pull/35093 introduced a call to EntropySource() in SecretKeyGenTraits::DoKeyGen(), located in src/crypto/crypto_keygen.cc. There are two problems with this.
- Node.js calls EntropySource() in SecretKeyGenTraits::DoKeyGen() but does not check the return value. It assumes EntropySource() always succeeds, but it can and does fail.
- The random data returned by EntropySource() is not suitable as keying material, as it may not be cryptographically strong.
Collectively, this flaw allows remote attackers to decrypt sensitive information.