On this week’s digest, we’ll focus on:

• a Kibana safety launch;
• a vulnerability in Traefik managing TLS connections; and
• a weak randomness in Webcrypto Keygen on NodeJS

Kibana Safety Launch

Kind Confusion: This system allocates or initializes a useful resource reminiscent of a pointer, object, or variable utilizing one sort, but it surely later accesses that useful resource utilizing a sort that’s incompatible with the unique sort. – MITRE definition

CVSSv3.1: NIST – 8.8 (Excessive) | CVE ID: CVE-2022-1364

7.17.8, 8.5.0 Safety Replace: A sort confusion vulnerability was found within the headless Chromium browser that Kibana depends on for its reporting capabilities. This situation impacts solely on-premises Kibana situations on host working techniques the place the Chromium sandbox is disabled (solely CentOS, Debian). This situation doesn’t have an effect on Elastic Cloud, because the Chromium sandbox is enabled by default and can’t be disabled. This situation additionally doesn’t have an effect on Elastic Cloud Enterprise.

Vulnerability in Traefik Managing TLS Connections

CVSSv3.1: 

• NIST – 6.6 (Medium)
• CNA (Github) – 8.1 (Excessive)

CVE ID: CVE-2022-46153

Traefik is a contemporary HTTP reverse proxy and cargo balancer. It integrates together with your present infrastructure parts (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS) and configures itself routinely and dynamically. 

In affected variations, there’s a potential vulnerability in Traefik managing TLS connections. A router configured with a not well-formatted TLSOption is uncovered with an empty TLSOption. As an example, a route secured utilizing an mTLS connection set with a improper CA file is uncovered with out verifying the shopper certificates. Customers are suggested to improve to model 2.9.6. 

Patch: https://github.com/traefik/traefik/releases/tag/v2.9.6

Customers unable to improve ought to examine their logs to detect the next error messages and repair the TLS choices immediately:

Empty CA:

{"degree":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"Router0@file"}

Dangerous CA content material (or dangerous path):

{"degree":"error","msg":"invalid certificates(s) content material","routerName":"Router0@file"}

Unknown Shopper Auth Kind:

{"degree":"error","msg":"unknown shopper auth sort "FooClientAuthType"","routerName":"Router0@file"}

Invalid cipherSuites: 

{"degree":"error","msg":"invalid CipherSuite: foobar","routerName":"Router0@file"}

Invalid curvePreferences:

{"degree":"error","msg":"invalid CurveID in curvePreferences: foobar","routerName":"Router0@file"}

Weak Randomness in Webcrypto Keygen on NodeJS

CWE-338: Use of Cryptographically Weak Pseudo-Random Quantity Generator (PRNG). The product makes use of a Pseudo-Random Quantity Generator (PRNG) in a safety context, however the PRNG’s algorithm is just not cryptographically robust.

CVSSv3.1: NIST – 9.1 (Crucial) | CVE ID: CVE-2022-35255

A vulnerability launched in NodeJS v15.0.0 was found by a contributor on HackerOne through which https://github.com/nodejs/node/pull/35093 launched a name to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two issues with this:

1. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). Nonetheless, it doesn’t examine the return worth and assumes the EntropySource() at all times succeeds, however it might and generally will fail.
2. The random information returned byEntropySource() will not be cryptographically robust and due to this fact not appropriate as keying materials.

Total, this flaw permits a distant attacker to decrypt delicate data.

Patch: https://nodejs.org/en/weblog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255