SECURITY
ORCHESTRAL SECURITY POLICY
Security vulnerabilities are always considered the highest priority at Orchestral. This page documents known security vulnerabilities with Symphony and its associated applications.
Reporting a Vulnerability
Please report suspected vulnerabilities immediately to Orchestral at security@orchestral.ai. Include any relevant information about the vulnerabilities that may be useful to identify and resolve the issue. You will get a response within 48 hours, which could include a request for additional information.
Symphony - CVE Registry
CVE-2021-28667 - Unicode Payload Logging
Discovered Date: March 16, 2021
Severity: High
Attack Complexity: Low
Vulnerability: Composer v4.0 and earlier
Exploitation: Orchestral is not aware of any active malicious attempts to exploit the vulnerability
Resolution: Upgrade Composer to v4.1
Description:
This vulnerability was discovered in the underlying StackStorm v3.4.1 open-source software by StackStorm developers and affects Composer v4.0 and earlier.
The issue affects anyone who is running Composer under Python 3 without the system locale/encoding used by the StackStorm service processes (st2api, st2actionrunner, etc.) set to UTF-8. Under such conditions, if the system receives a payload containing Unicode characters and that payload is logged, the Composer process goes into an infinite loop trying to decode it. This causes high CPU utilization in the affected service and makes the service log file grow until either the process is killed or all available disk space is exhausted.
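Two checks a practitioner would want around the description above, written here as an added example that is not Orchestral's or StackStorm's own code: a function that reports whether the environment a service such as st2api starts with (for example from its systemd unit or environment file, an assumption) yields a UTF-8 encoding under POSIX locale precedence, and a log-rendering helper that encodes non-UTF-8-safe payloads with `backslashreplace` instead of retrying, so a Unicode payload can never put the logging path into a loop. The "strict encode" helper only illustrates the generic fragile pattern; it is not the actual StackStorm code path that was fixed.

```python
import locale
import re
import sys
from typing import Mapping, Optional, Union

_UTF8_RE = re.compile(r"utf-?8", re.IGNORECASE)


def effective_locale_encoding(env: Mapping[str, str]) -> Optional[str]:
    """Return the codeset of the locale a process started with `env` would use.

    POSIX precedence: LC_ALL overrides LC_CTYPE, which overrides LANG.
    Returns None for the C/POSIX locale or when no variable is set (ASCII).
    """
    for var in ("LC_ALL", "LC_CTYPE", "LANG"):
        value = env.get(var, "")
        if value:
            # "en_US.UTF-8@euro" -> "UTF-8"; "C" or "POSIX" -> None
            _name, dot, codeset = value.partition(".")
            if dot:
                return codeset.split("@", 1)[0]
            return None
    return None


def service_encoding_is_utf8(env: Mapping[str, str]) -> bool:
    """True when a Python 3 service started with `env` will log in UTF-8.

    PYTHONUTF8=1 (Python 3.7+ UTF-8 mode) forces UTF-8 regardless of locale.
    """
    if env.get("PYTHONUTF8") == "1":
        return True
    codeset = effective_locale_encoding(env)
    return bool(codeset and _UTF8_RE.fullmatch(codeset))


def current_process_is_utf8() -> bool:
    """Same check for the interpreter this script runs in (not asserted on)."""
    return bool(_UTF8_RE.fullmatch(locale.getpreferredencoding(False)))


def strict_encode_fails(payload: str, encoding: str) -> bool:
    """Illustrates the fragile pattern: strict encoding under a non-UTF-8 codec
    raises UnicodeEncodeError on the first non-ASCII character."""
    try:
        payload.encode(encoding)
        return False
    except UnicodeEncodeError:
        return True


def safe_log_text(payload: Union[str, bytes], encoding: str) -> str:
    """Render a payload for a log file whose codec is `encoding`, never looping.

    Bytes are assumed to be UTF-8 (an assumption for this example); invalid
    sequences and characters the log codec cannot represent are escaped as
    \\xNN rather than retried, so the result is always representable.
    """
    text = payload.decode("utf-8", errors="backslashreplace") if isinstance(payload, bytes) else payload
    return text.encode(encoding, errors="backslashreplace").decode(encoding)


if __name__ == "__main__":
    # Constructed sample environments, not taken from any real host
    weak_env = {"LANG": "C"}                   # C locale -> ASCII logging
    fixed_env = {"LANG": "C", "LC_ALL": "en_US.UTF-8"}
    print("weak env UTF-8?", service_encoding_is_utf8(weak_env))    # False
    print("fixed env UTF-8?", service_encoding_is_utf8(fixed_env))  # True
    print("this process UTF-8?", current_process_is_utf8())

    # Constructed payload with a non-ASCII character
    payload = "alert from host héllo"
    print("strict encode under ascii fails:", strict_encode_fails(payload, "ascii"))
    print("safe rendering:", safe_log_text(payload, "ascii"))
    sys.exit(0)
```

Run it as-is to see the two constructed environments classified; to check a real service, pass the environment block of the unit that starts st2api or st2actionrunner into `service_encoding_is_utf8`. Setting `LC_ALL`/`LANG` to a UTF-8 locale for those services is the configuration fix the description points at; the escaping helper is a defence-in-depth pattern for any logging path that cannot assume its codec.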
References:
See the following blog post for a detailed description of the issue and resolutions.
https://stackstorm.com/2021/03/10/stackstorm-v3-4-1-security-fix/
Frequently Asked Questions:
Q: When should I upgrade?
A: Customers should upgrade as soon as practical. Composer servers are not generally accessible by external malicious actors, so exposure may be limited. However, this could be exploited by a malicious actor that has direct access to the Composer server.
Q: My server has Python 2 installed, not Python 3. Am I affected by this?
A: No, this only impacts servers with Python 3.
Q: Are there exploits available for this vulnerability?
A: Orchestral is not aware of any active malicious attempts to exploit the vulnerability.
Application Dependencies
Installation of Composer generally includes several dependent applications. See the list below for the references to any known vulnerabilities with any of the dependent applications.
StackStorm
The following page has updates for known security vulnerabilities with StackStorm:
https://stackstorm.com/security/
MongoDB
The following pages have updates for known security vulnerabilities with MongoDB:
https://www.mongodb.com/alerts
https://www.mongodb.com/security
RabbitMQ
The following page has updates for known security vulnerabilities with RabbitMQ:
https://www.rabbitmq.com/changelog.html
Redis
The following page has updates for known security vulnerabilities with Redis:
https://www.cvedetails.com/vulnerability-list/vendor_id-18560/product_id-47087/Redislabs-Redis.html
Nginx
The following page has updates for known security vulnerabilities with Nginx:
https://nginx.org/en/security_advisories.html
Operating Systems
Composer may be installed on a choice of operating system. It is recommended that the underlying operating system be installed with recommended security guidelines per the operating system documentation. See the list below for the references to any known vulnerabilities with any of the operating systems.
Ubuntu
The following pages have updates for known security vulnerabilities with Ubuntu:
https://ubuntu.com/security/notices
https://ubuntu.com/security
RHEL
The following pages have updates for known security vulnerabilities with RHEL:
https://access.redhat.com/security/security-updates/
https://access.redhat.com/security/