SECURITY

ORCHESTRAL SECURITY POLICY

Security vulnerabilities are always considered the highest priority at Orchestral. This page documents known security vulnerabilities with Symphony and its associated applications.

Reporting a Vulnerability

Please report suspected vulnerabilities immediately to Orchestral at security@orchestral.ai. Include any relevant information about the vulnerability that may help identify and resolve the issue. You will get a response within 48 hours, which could include a request for additional information.

Symphony - CVE Registry

CVE-2021-28667 - Unicode Payload Logging

Discovered Date: March 16, 2021

Severity: High

Attack Complexity: Low

Vulnerability: Composer v4.0 and earlier

Exploitation: Orchestral is not aware of any active malicious attempts to exploit the vulnerability

Resolution: Upgrade Composer to v4.1

Description:
This vulnerability was discovered in the underlying StackStorm v3.4.1 open-source software by StackStorm developers and affects Composer v4.0 and earlier.

The issue affects anyone who is running Composer under Python 3 and does not have the system locale / encoding used by the StackStorm service processes (st2api, st2actionrunner, etc.) set to UTF-8. Under such conditions, if the system receives a payload containing unicode characters and that payload is also logged, the Composer process goes into an infinite loop trying to decode the payload. This causes the affected service to consume high CPU and its log file to grow until either the process is killed or all available disk space is exhausted.
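Because the trigger condition is an environment setting rather than a code path, the practical check for an administrator is whether each StackStorm service process actually inherits a UTF-8 locale. The script below is an added example written for this page, not code from Orchestral, Composer or StackStorm; it applies the POSIX precedence LC_ALL > LC_CTYPE > LANG to a service's environment, reports whether the effective codeset is UTF-8, and compares that with what the running Python 3 interpreter reports. The sample environments are constructed for illustration.

```python
"""Audit whether a service environment selects a UTF-8 locale.

Hypothetical helper for the advisory above; not part of Composer or StackStorm.
"""
import locale
import os
import re

# POSIX precedence for the character-type category: LC_ALL overrides
# LC_CTYPE, which overrides LANG.
_LOCALE_VARS = ("LC_ALL", "LC_CTYPE", "LANG")
_UTF8_RE = re.compile(r"utf-?8", re.IGNORECASE)


def effective_ctype(env):
    """Return (variable, value) for the highest-precedence non-empty locale
    variable in env, or (None, None) if none is set (the C/POSIX default)."""
    for var in _LOCALE_VARS:
        value = env.get(var, "")
        if value:
            return var, value
    return None, None


def is_utf8_locale(env):
    """True only if the effective locale names a UTF-8 codeset, such as
    'en_US.UTF-8' or 'C.utf8'. 'C', 'POSIX' and an unset locale are not UTF-8."""
    _, value = effective_ctype(env)
    if value is None:
        return False
    # The codeset is the part after '.' and before any '@modifier'.
    codeset = value.split(".", 1)[1].split("@", 1)[0] if "." in value else ""
    return bool(_UTF8_RE.fullmatch(codeset))


def audit(env, interpreter_encoding=None):
    """Summarise the exposure for one service environment.

    interpreter_encoding is what the Python 3 process itself reports; it
    defaults to the encoding of the interpreter running this script."""
    if interpreter_encoding is None:
        interpreter_encoding = locale.getpreferredencoding(False)
    var, value = effective_ctype(env)
    ok = is_utf8_locale(env)
    return {
        "locale_source": var or "(unset, defaults to C/POSIX)",
        "locale_value": value or "",
        "locale_is_utf8": ok,
        "interpreter_encoding": interpreter_encoding,
        "action": "none" if ok
        else "set LC_ALL or LANG to a UTF-8 locale in the service unit",
    }


if __name__ == "__main__":
    # Constructed sample environments; not taken from any real host.
    samples = {
        "good": {"LANG": "en_US.UTF-8"},
        "c_locale": {"LANG": "C"},
        "lc_all_overrides": {"LC_ALL": "POSIX", "LANG": "en_US.UTF-8"},
        "unset": {},
    }
    for name, env in samples.items():
        print(name, audit(env, interpreter_encoding="n/a"))
    # Finally, audit the environment this interpreter actually inherited.
    print("this host", audit(dict(os.environ)))
```

Run it under the same user and environment the st2 services use (for systemd units, the environment the unit file sets, not an interactive shell). The interpreter_encoding field is the authoritative value: since Python 3.7 the interpreter may coerce a bare C locale to UTF-8 on its own, so the environment variables and the process's effective encoding can disagree, and a remediation is only confirmed when both agree on UTF-8.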

References:
See the following blog post for a detailed description of the issue and resolutions.
https://stackstorm.com/2021/03/10/stackstorm-v3-4-1-security-fix/

Frequently Asked Questions:

Q: When should I upgrade?
A: Customers should upgrade as soon as practical. Composer servers are not generally accessible by external malicious actors, so exposure may be limited. However, this could be exploited by a malicious actor that has direct access to the Composer server.

Q: My server has Python 2 installed, not Python 3. Am I affected by this?
A: No, this only impacts servers with Python 3.

Q: Are there exploits available for this vulnerability?
A: Orchestral is not aware of any active malicious attempts to exploit the vulnerability.

Application Dependencies

Installation of Composer generally includes several dependent applications. See the list below for references to known vulnerabilities in each of the dependent applications.

StackStorm
The following page has updates for known security vulnerabilities with StackStorm:
https://stackstorm.com/security/

MongoDB
The following pages have updates for known security vulnerabilities with MongoDB:
https://www.mongodb.com/alerts
https://www.mongodb.com/security

RabbitMQ
The following page has updates for known security vulnerabilities with RabbitMQ:
https://www.rabbitmq.com/changelog.html

Redis
The following page has updates for known security vulnerabilities with Redis:
https://www.cvedetails.com/vulnerability-list/vendor_id-18560/product_id-47087/Redislabs-Redis.html

Nginx
The following page has updates for known security vulnerabilities with Nginx:
https://nginx.org/en/security_advisories.html

Operating Systems

Composer may be installed on a choice of operating systems. It is recommended that the underlying operating system be installed following the security guidelines in that operating system's documentation. See the list below for references to known vulnerabilities in each of the operating systems.

Ubuntu
The following pages have updates for known security vulnerabilities with Ubuntu:
https://ubuntu.com/security/notices
https://ubuntu.com/security

RHEL
The following pages have updates for known security vulnerabilities with RHEL:
https://access.redhat.com/security/security-updates/
https://access.redhat.com/security/