Ava-283: vcore database container image containing third party software with vulnerabilities

Release Date

22nd July 2020.

Overview

The vcore database container was found to contain some vulnerable third-party software. Almost all of the vulnerabilities were found to have no impact on our product. However, one vulnerability presented a small opportunity for an internal actor to cause a denial of service (DoS).

Affected Products

  • Vaion vcore: All Beta Upgrade Channel versions before 2.3.1
  • Vaion vcore: All Stable Upgrade Channel versions before 2.3.4

Unaffected Products

  • Vaion vcam: All versions.
  • Vaion vcloud: All versions.

Resolution

This issue has been fixed in vcore Beta Upgrade Channel version 2.3.1 and Stable Upgrade Channel version 2.3.4. We recommend that all vcore installations running an affected version upgrade to the latest release at their earliest convenience. Releases are available to download through the vcore user interface.

Vulnerability Information

vcore uses a database container that is exposed internally on the server. The database software uses a library for Unicode text handling, and that library was vulnerable to an integer overflow. An authenticated user of the vcore user interface could store Unicode text in the database which, when handled by the vulnerable code, could crash the database container.

Acknowledgements

Issue found internally by Ava Security.

Disclosure Timeline

  • 17/06/2020 Issue found internally by Ava Security
  • 17/06/2020 Root cause established
  • 18/06/2020 Fix identified
  • 07/07/2020 Patched vcore 2.3.1 (Beta upgrade channel) released
  • 22/07/2020 Patched vcore 2.3.4 (Stable upgrade channel) released
  • 22/07/2020 Advisory published internally
  • 22/07/2020 Vulnerability publicly disclosed