Security issues

When we receive a security issue we evaluate it and, if we identify it as a vulnerability, we will work to fix it or to propose a remediation according to the issue severity.

Functionnal issues

This section lists functionnal issues requiring urgent upgrade or mitigation actions. If the level of the issue does not require immediat actions the issue only apears in releases notes.

Important:

Always feel free to raise an issue on the help desk.

Security issues

Severity Levels

Punchplatform security advisories include a severity level. This severity level is based on our self-appreciation for each specific vulnerability for the Punchplatform product.

  • Critical
  • High
  • Medium
  • Low

Severity Level: Critical

Vulnerabilities that score in the critical range usually have most of the following characteristics:

  • Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
  • Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials.

For critical vulnerabilities, is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place.

For example, a mitigating factor could be if your installation is not accessible from the Internet.

Severity Level: High

Vulnerabilities that score in the high range usually have some of the following characteristics:

  • The vulnerability is difficult to exploit.
  • Exploitation could result in elevated privileges.
  • Exploitation could result in a significant data loss or downtime.

Severity Level: Medium

Vulnerabilities that score in the medium range usually have some of the following characteristics:

  • Vulnerabilities where exploitation provides only very limited access.
  • Vulnerabilities that require user privileges for successful exploitation.

Severity Level: Low

Vulnerabilities in the low range typically have very little impact on an platform’s business. Exploitation of such vulnerabilities usually requires local or physical system access.

Announced Vulnerabilities

Security Advisory
Date
Level
Component
Affects Vulnerability summary Mitigation fixed in
CVE 2020-26296 2021-02-10 low Vega all versions before 6.4.0 Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions Upgrade to 6.4.0 or change settings vega.enabled: false in the kibana.yml file 6.4.0
CVE-2020-8203 07/15/2020 low lodash all versions before 6.3.4 Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Work in progress to upgrade internal dependency on punchplatform-plugin and punchplatform-feedback. 6.3.4
CVE-2020-7676 06/08/2020 low angular N/A angular.js prior to 1.8.0 allows cross site scripting. None of the embedded components provides a CVE based on this vulnerability.
CVE-2020-7017 07/27/2020 low kibana all versions before 6.4.0 The region map visualization in Kibana contains a stored XSS flaw. Upgrade to 6.4.0 or change settings xpack.maps.enabled: false, ‘region_map.enabled: false’, and ‘tile_map.enabled: false’ in kibana.yml to disable map visualizations. 6.4.0
CVE-2020-7016 07/27/2020 low Timelion all versions before 6.4.0 Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. Upgrade to 6.4.0 or change settings timelion.enabled: false in the kibana.yml file 6.4.0
CVE-2018-6341 12/31/2018 low reactN/A N/A React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names None of the embedded components provides CVE based on this vulnerability.

Functionnal Issues

Known Bugs

Issue ID Date Level Component Affects Issues summary Mitigation fixed in
#1630 2021-07-16 High Kafka consumer
from 6.0 to 6.3.3 included
incorrect committing of unacknowledged offsets that can lead to unprocessed data in incident context

add enable.auto.commit: false

cf mitigation

N/A

Mitigations

#1630

Add the  "enable.auto.commit": false setting in the settings section of all your kafka input nodes. You can confirm that this setting is in effect by reading the settings applied by the consumer, at the start of the storm/shiva worker task logs.