AVA-283: vcore database container image containing third party software with vulnerabilities
22nd July 2020.
The vcore database container was found to contain some vulnerable software. Almost all of the vulnerabilities were found to have no impact on our product. However there was one vulnerability that presented a small opportunity for an internal actor to cause a denial of service (DoS).
- Vaion vcore: All Beta Upgrade Channel versions before 2.3.1
- Vaion vcore: All Stable Upgrade Channel versions before 2.3.4
- Vaion vcam: All versions.
- Vaion vcloud: All versions
This issue has been fixed in vcore Beta Upgrade Channel version 2.3.1 and Stable Upgrade Channel version 2.3.4.
We recommended that all vcore installations running an affected version upgrade to the latest release at their earliest convenience. Releases are available to download through the vcore user interface.
vcore uses a database container exposed internally on the server. The database software makes use of a library used for unicode text handling which was vulnerable to an integer overflow vulnerability. It is possible for an authenticated user using the vcore user interface to store unicode text into the database which, when handled by the vulnerable code, could cause a crash of the db container.
- CVE: pending
- CVSSv3 score: 2.1 (low)
- CVSSv3 vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L/RL:O
Issue found internally by Ava Security.
- 17/06/2020 Issue found internally by Ava Security
- 17/06/2020 Root cause established
- 18/06/2020 Fix identified
- 07/07/2020 Patched vcore 2.3.1 (Beta upgrade channel) released
- 22/07/2020 Patched vcore 2.3.4 (Stable upgrade channel) released
- 22/07/2020 Vulnerability publicly disclosed