
Security Policy

ORCHESTRAL SECURITY POLICY

Security vulnerabilities are always considered the highest priority at Orchestral. This page documents known security vulnerabilities with Symphony and its associated applications.

Reporting a Vulnerability

Please report suspected vulnerabilities immediately to Orchestral at security@orchestral.ai. Include any relevant information about the vulnerabilities that may be useful to identify and resolve the issue. You will get a response within 48 hours, which could include a request for additional information.

Symphony - CVE Registry

CVE-2021-28667 - Unicode Payload Logging
Discovered Date: March 16, 2021
Severity: High
Attack Complexity: Low
Affected Versions: Composer v4.0 and earlier
Exploitation: Orchestral is not aware of any active malicious attempts to exploit the vulnerability
Resolution: Upgrade Composer to v4.1


Description:
This vulnerability was found by StackStorm developers in the underlying open-source StackStorm software and was fixed in StackStorm v3.4.1. It affects Composer v4.0 and earlier.

The issue affects anyone running Composer under Python 3 whose system locale/encoding for the StackStorm service processes (st2api, st2actionrunner, etc.) is not set to UTF-8. Under those conditions, if the system receives a payload containing Unicode characters and that payload is logged, the affected Composer process enters an infinite loop trying to decode it. The service then shows high CPU utilization and its log file grows until the process is killed or all available disk space is exhausted.
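One way to verify the precondition above on a Composer host, as an added example that is not Orchestral's or StackStorm's own code: read the environment of the running StackStorm service processes and work out which locale governs their text encoding, using the glibc precedence LC_ALL, then LC_CTYPE, then LANG. The service names, the /proc walk and the sample environment are assumptions for illustration; reading another user's /proc/<pid>/environ requires root, and the Python version of each service must be confirmed separately.

```python
"""Audit the locale/encoding of running StackStorm service processes.

Added example, not Orchestral's or StackStorm's own code. It checks the
precondition described above: a Python 3 service process whose effective
text encoding is not UTF-8. The service names, the /proc walk and the
sample environment are assumptions for illustration.
"""
import os
import re

# Services named on this page; extend with other st2* services as needed (assumption).
SERVICES = ("st2api", "st2actionrunner")

# Any locale whose codeset is UTF-8, e.g. en_US.UTF-8, C.UTF-8, en_US.utf8.
_UTF8_CODESET = re.compile(r"utf-?8", re.IGNORECASE)


def effective_ctype(env):
    """Return the locale string that governs text encoding for a process.

    glibc resolves the character-type category as LC_ALL, then LC_CTYPE,
    then LANG; unset or empty variables are skipped. With none set the
    process runs in the POSIX "C" locale (ASCII), which is the unsafe case.
    """
    for var in ("LC_ALL", "LC_CTYPE", "LANG"):
        value = env.get(var, "")
        if value:
            return value
    return "C"


def is_utf8_locale(env):
    """True when the effective locale uses a UTF-8 codeset."""
    return bool(_UTF8_CODESET.search(effective_ctype(env)))


def parse_environ(raw):
    """Parse NUL-separated KEY=VALUE pairs, as read from /proc/<pid>/environ."""
    env = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def audit_environ(raw, label):
    """Return a finding tuple: (label, effective locale, safe?)."""
    env = parse_environ(raw)
    return (label, effective_ctype(env), is_utf8_locale(env))


# Constructed sample: what /proc/<pid>/environ looks like for a service
# started by an init script that exports only a POSIX locale.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LANG=C\0PYTHONPATH=/opt/stackstorm/st2/lib\0"


def find_service_pids(names=SERVICES):
    """Yield (pid, name) for Linux processes whose command line mentions a service."""
    if not os.path.isdir("/proc"):
        return
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace")
        except OSError:
            continue
        for name in names:
            if name in cmdline:
                yield int(pid), name
                break


def audit_live(names=SERVICES):
    """Audit every matching service process; returns a list of findings."""
    findings = []
    for pid, name in find_service_pids(names):
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                findings.append(audit_environ(f.read(), f"{name}[{pid}]"))
        except OSError as exc:  # typically EACCES when not running as root
            findings.append((f"{name}[{pid}]", f"unreadable: {exc.strerror}", False))
    return findings


if __name__ == "__main__":
    for label, loc, ok in [audit_environ(SAMPLE_ENVIRON, "sample")] + audit_live():
        print(f"{label:28} locale={loc:24} {'ok' if ok else 'NOT UTF-8'}")
    # Python 2 services are not affected; check each interpreter's version separately.
```

Run it as root on the Composer host. Any service reported as NOT UTF-8 (including the constructed sample, which exports only LANG=C) matches the condition in the description and should be upgraded to Composer v4.1; giving the service a UTF-8 locale removes the precondition the description names but is not a substitute for the upgrade.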

References:
See the following blog post for a detailed description of the issue and resolutions.
https://stackstorm.com/2021/03/10/stackstorm-v3-4-1-security-fix/

Frequently Asked Questions:


Q: When should I upgrade?
A: Customers should upgrade as soon as practical. Composer servers are not generally reachable by external malicious actors, so exposure may be limited. However, the trigger is a Unicode payload that the service logs, so a malicious actor with direct access to the Composer server, or with access to any input path that delivers such a payload to the service, could exploit it.

Q: My server has Python 2 installed, not Python 3. Am I affected by this?
A: No. The issue only affects Composer installations whose StackStorm services run under Python 3.

Q: Are there exploits available for this vulnerability?
A: Orchestral is not aware of any active malicious attempts to exploit the vulnerability.

Application Dependencies

Installation of Composer generally includes several dependent applications. See the list below for references to known vulnerabilities in each of the dependent applications.

StackStorm

The following page has updates for known security vulnerabilities with StackStorm:

https://stackstorm.com/security/

MongoDB

The following pages have updates for known security vulnerabilities with MongoDB:

https://www.mongodb.com/alerts
https://www.mongodb.com/security

RabbitMQ

The following page has updates for known security vulnerabilities with RabbitMQ:

https://www.rabbitmq.com/changelog.html

Redis

The following page has updates for known security vulnerabilities with Redis:

https://www.cvedetails.com/vulnerability-list/vendor_id-18560/product_id-47087/Redislabs-Redis.html

Nginx

The following page has updates for known security vulnerabilities with Nginx:

https://nginx.org/en/security_advisories.html

Operating Systems

Composer may be installed on a choice of operating system. It is recommended that the underlying operating system be installed and hardened according to the security guidelines in that operating system's documentation. See the list below for references to known vulnerabilities in each supported operating system.

Ubuntu

The following pages have updates for known security vulnerabilities with Ubuntu:

https://ubuntu.com/security/notices
https://ubuntu.com/security

RHEL

The following pages have updates for known security vulnerabilities with RHEL:

https://access.redhat.com/security/security-updates/
https://access.redhat.com/security/
