Headline
CVE-2022-44641: Two security vulnerabilities in LAVA server - Lava-announce
In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service.
We have recently fixed some serious security issues on LAVA server.
CVE-2022-44641: Recursive XML entity expansion
Users with valid accounts can submit a specially crafted XML document via the XMLRPC that causes a recursive XML entity expansion, consuming large amounts of resources and eventually cause a Denial of Service on the LAVA server.
This problem was found, and the fix provided, by Igor Ponomarev from Collabora. The fix has been released in 2022.11, with the following patch: https://git.lavasoftware.org/lava/lava/-/commit/1bee0f8957741582c2bed800974f…
CVE-2022-45132: Code execution in jinja templates
A specially crafted jinja2 template can be submitted to a publicly accessible REST API endpoint without any authentication and cause a remote command execution as the same user that is running the LAVA server web application.
This problem was found, and the fix provided, by Igor Ponomarev from Collabora. The fix has been released in 2022.11.1, with the following patch: https://git.lavasoftware.org/lava/lava/-/commit/ab17e8304f10c7c0fe912067f2ed…
We strongly recommend that administrators upgrade to the 2022.11.1 release immediately, or failing that, at least apply the patches linked above locally to their lava server.
Attachments:
- signature.asc (application/pgp-signature — 833 bytes)
Show replies by date
Related news
Debian Linux Security Advisory 5318-1 - Igor Ponomarev discovered that LAVA, a continuous integration system for deploying operating systems onto physical and virtual hardware for running tests, was suspectible to denial of service via recursive XML entity expansion.