Ava-670: Users with admin permissions able to deny service to Ava camera and Aware

Release Date

7th of October 2022.

Overview

A vulnerability in Golang's compress/gzip (CVE-2022-30631) package meant an Ava Aware user with admin permissions could cause a denial of service for on-premises systems. A vulnerability in Golang's encoding/gob (CVE-2022-30635) allowed the possibility of a denial of service to the Ava Aware or Ava camera by users with shell access to the systems.

Affected Products

  • Ava Aware:
    • All Stable upgrade channel versions before 5.0.4
    • All Beta upgrade channel versions before 5.1.0
  • Ava cameras:
    • All Stable upgrade Channel versions before 5.0.4
    • All Beta upgrade channel versions before 5.1.0

Unaffected Products

  • Ava Aware:
    • All Stable upgrade channel versions after and including 5.0.4
    • All Beta upgrade channel versions after and including 5.1.0
  • Ava cameras:
    • All Stable upgrade channel versions after and including 5.0.4
    • All Beta upgrade channel versions after and including 5.1.0
  • Ava Cloud: all versions

Resolution

This issue has been fixed in Ava Aware Beta upgrade channel version 5.1.0 and Stable upgrade channel version 5.0.4.

It is strongly recommended that all installations running an affected version are upgraded to the latest release as soon as possible. Releases are available to download.

This issue has been fixed in Ava camera Beta upgrade channel version 5.1.0 and Stable upgrade channel version 5.0.4.

It is strongly recommended that all Ava camera installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface for Ava managed cameras and the Ava camera User Interface for unmanaged Ava cameras.

Vulnerability Information

Mitigations

There are no known mitigations for this issue.

Workarounds

There are no known workarounds for this issue.

Acknowledgements

Issues found and reported by the Golang team.

Disclosure Timeline

  • 13/07/2022 Issue found by the Golang team.
  • 13/07/2022 Root cause established
  • 13/07/2022 Fix identified
  • 14/07/2022 Patched Ava Aware (Beta upgrade channel) released
  • 14/07/2022 Patched Ava Aware (Stable upgrade channel) released
  • 14/07/2022 Patched Ava cameras (Beta upgrade channel) released
  • 14/07/2022 Patched Ava cameras (Stable upgrade channel) released
  • 14/07/2022 Preliminary vulnerability advisory published
  • 07/10/2022 Vulnerability publicly disclosed