Security Issues¶
Important
Please send security vulnerability reports to the Help Desk.
Submitting an Issue¶
When we receive a security issue we evaluate it and, if we identify it as a vulnerability, we will work to fix it or to propose a remediation according to the issue severity.
Embedded COTS¶
The following cots library are integrated in Punchplatform deployment and are used in integration with Punchplatform proprietary code :
| COTS | Version |
|---|---|
| Kafka | 2.12-2.8.1 |
| Spark | 2.4.3 |
| Storm | 2.3.0 |
| Zookeeper | 3.7.0 |
| Auditbeat | 7.10.2 |
| Elasticsearch | 7.10.2 |
| Filebeat | 7.10.2 |
| Kibana | 7.10.2 |
| Logstash | 7.10.2 |
| Metricbeat | 7.10.2 |
| Packetbeat | 7.10.2 |
| ModSecurity | 2.9.0-1 |
| OpenDistro Security for ES | 1.13.1.0 |
| OpenDistro Security for Kibana | 1.13.0.1 |
| OpenDistro SQL for ES | 1.13.2.0 |
| Minio | RELEASE.2020-08-26T00-00-49Z |
| APM | 7.10.2 |
| ES Curator | 7.10.2 |
| Ceph | 13.2.5 |
| Clickhouse | 20.4.6.53 |
| Elastalert | 0.2.4 |
| MlFLow | 1.8.0 |
| Opensearch | 1.2.4 |
| Opensearch Dashboards | 1.2.0 |
Punch plugins¶
| Punch Plugin | Version |
|---|---|
| Data feedback | 2.1.3 |
| Data extraction | 1.2.5 |
| Punch documentation | 1.0.3 |
Third-party libraries¶
| Library | Version |
|---|---|
| siddhi-core | 4.3.17 |
| curl | 7.74.0 |
| Jinja2 | 2.11.2 |
| jq | 1.6 |
| sshpass | 1.06 |
| unzip | 6.00 |
| ansible | 2.9.0 |
| git | 2.30.0 |
| wget | 1.19.4 |
| vim | 8.0 |
Severity Levels¶
Punchplatform security advisories include a severity level. This severity level is based on our self-appreciation for each specific vulnerability for the Punchplatform product.
- Critical
- High
- Medium
- Low
Severity Level: Critical¶
Vulnerabilities that score in the critical range usually have most of the following characteristics:
-
Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
-
Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials.
For critical vulnerabilities, is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place.
For example, a mitigating factor could be if your installation is not accessible from the Internet.
Severity Level: High¶
Vulnerabilities that score in the high range usually have some of the following characteristics:
- The vulnerability is difficult to exploit.
- Exploitation could result in elevated privileges.
- Exploitation could result in a significant data loss or downtime.
Severity Level: Medium¶
Vulnerabilities that score in the medium range usually have some of the following characteristics:
- Vulnerabilities where exploitation provides only very limited access.
- Vulnerabilities that require user privileges for successful exploitation.
Severity Level: Low¶
Vulnerabilities in the low range typically have very little impact on an platform's business. Exploitation of such vulnerabilities usually requires local or physical system access.
Announced Vulnerabilities¶
| Security Advisory | Date | Level | Component | Affects | Vulnerability summary | Mitigation |
|---|---|---|---|---|---|---|
| CVE 2020-26296 | 2021-02-10 | low | Vega | prior 6.3.3 | Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions | Upgrade to 6.4.0 or change settings ‘vega.enabled: false’ in the kibana.yml file |
| CVE-2020-8203 | 07/15/2020 | low | lodash | prior 6.3 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | Work in progress to upgrade internal dependency on punchplatform-plugin and punchplatform-feedback. |
| CVE-2020-7676 | 06/08/2020 | low | angular | prior 6.3 | angular.js prior to 1.8.0 allows cross site scripting. | None of the embedded components provides a CVE based on this vulnerability. |
| CVE-2020-7017 | 07/27/2020 | low | kibana | prior 6.3.3 | The region map visualization in Kibana contains a stored XSS flaw. | Upgrade to 6.4.0 or change settings ‘xpack.maps.enabled: false’, ‘region_map.enabled: false’, and ‘tile_map.enabled: false’ in kibana.yml to disable map visualizations. |
| CVE-2020-7016 | 07/27/2020 | low | Timelion | prior 6.3.3 | Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. | Upgrade to 6.4.0 or change settings ‘timelion.enabled: false’ in the kibana.yml file |
| CVE-2018-6341 | 12/31/2018 | low | react | prior 6.3.3 | React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names | None of the embedded components provides CVE based on this vulnerability. |
How to upgrade¶
In the case of updating a component of the platform, the guides below let you apply the corrections in function of the type of component to be updated.
-
How to patch a COTS component like Storm, Spark, Kafka or Zookeeper.
-
How to patch a Punch Jar component like punchplatform-operator, punchplatform-shiva...
Upgrade an Elastic component
Because Elasticsearch, Kibana, Logstash and the Elastic Beats are dependent on each other for the same versions. Applying a patch on one of the components may cause the other components to update.
- How to patch an Elastic component like Elasticsearch, Kibana, Metricbeat, Filebeat, Auditbeat, Logstash.
- How to patch Kibana for security reason
- How to switch of Elasticsearch version with the deployer