CVE-2023-30948: Palantir | Trust and Security Portal

Palantir Security Bulletin - PLTRSEC-2023-16

Vulnerabilities

Security Bulletin

Bulletin ID: PLTRSEC-2023-16

CVE: CVE-2023-30948

Affected Products / Versions: comments, versions less than 2.249.0

Publication Date: June 06, 2023

Summary

A security defect was discovered in Foundry’s Comments functionality. A fix has been applied and rolled out to your Foundry environment. The vulnerability allowed an authenticated user to retrieve attachments tied to comments if the random UUID associated with that attachment was discovered.

Background

A security defect in Foundry’s Comments functionality resulted in the retrieval of comment attachments not being gated by additional authorization checks. This could enable an authenticated user to inject a previously discovered attachment UUID into an arbitrary comment of their own and so discover its content.

An investigation revealed no known exploitation of this vulnerability.

Details

When an attachment is added to a comment, the Comments Service returns a UUID that is used as the locator for that attachment in our primary datastore, Alta.

When a new comment is created, the request carries the UUIDs of the attachments it references. It was found that no additional authorization check was performed when retrieval of such an attachment was serviced. As a result, an authenticated user who had discovered a valid UUID could include it in a comment creation request of their own and read the contents of the attachment from an unrelated comment that they might otherwise be unable to see.

Because attachment UUIDs are random, successful exploitation would require the user to discover a target UUID by other means, or to invest considerable resources in attempting to brute-force a valid UUID.
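The following is an added illustration, not Palantir code: a toy in-memory comments service that reproduces the gap described above and the kind of check that closes it. The bulletin does not publish Palantir's implementation, so every class, thread name, user and piece of sample data here is constructed. The point it makes is that possession of a random locator is not authorization; retrieval has to consult the access policy of the resource the attachment actually belongs to, not only the policy of the comment that references it.

```python
# Added example, not Palantir code. Models the attachment-UUID authorization
# gap from PLTRSEC-2023-16 and a fixed retrieval path. All names constructed.
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Attachment:
    content: bytes
    thread: str  # the resource the attachment was originally uploaded against


@dataclass
class Comment:
    author: str
    thread: str
    attachment_ids: List[str] = field(default_factory=list)


class CommentsService:
    """In-memory stand-in for a comments service with a UUID-keyed attachment store."""

    def __init__(self, thread_readers: Dict[str, Set[str]]):
        # thread -> users allowed to read it (stand-in for the resource ACL)
        self.thread_readers = thread_readers
        self.attachments: Dict[str, Attachment] = {}
        self.comments: List[Comment] = []

    def _can_read_thread(self, user: str, thread: str) -> bool:
        return user in self.thread_readers.get(thread, set())

    def upload_attachment(self, user: str, thread: str, content: bytes) -> str:
        if not self._can_read_thread(user, thread):
            raise PermissionError("no access to thread")
        attachment_id = str(uuid.uuid4())  # random locator, as described in the bulletin
        self.attachments[attachment_id] = Attachment(content, thread)
        return attachment_id

    def create_comment(self, user: str, thread: str, attachment_ids: List[str]) -> int:
        # Creation checks the thread but stores whatever attachment UUIDs the caller
        # supplies. This is the injection point: a UUID learned elsewhere can be
        # bound to a comment in a thread the caller does control.
        if not self._can_read_thread(user, thread):
            raise PermissionError("no access to thread")
        self.comments.append(Comment(user, thread, list(attachment_ids)))
        return len(self.comments) - 1

    def get_attachments_vulnerable(self, user: str, comment_id: int) -> List[bytes]:
        # Gated only on the referencing comment's thread; the attachment's own
        # origin is never consulted, so an injected UUID leaks foreign content.
        comment = self.comments[comment_id]
        if not self._can_read_thread(user, comment.thread):
            raise PermissionError("no access to thread")
        return [self.attachments[a].content for a in comment.attachment_ids]

    def get_attachments_fixed(self, user: str, comment_id: int) -> List[bytes]:
        # Additional check: the caller must also be allowed to read the thread the
        # attachment was uploaded against. Knowing the UUID is not authorization.
        comment = self.comments[comment_id]
        if not self._can_read_thread(user, comment.thread):
            raise PermissionError("no access to thread")
        contents = []
        for a in comment.attachment_ids:
            att = self.attachments.get(a)
            if att is None or not self._can_read_thread(user, att.thread):
                raise PermissionError(f"attachment {a} not readable by {user}")
            contents.append(att.content)
        return contents


def demo() -> dict:
    """Constructed scenario: mallory learns alice's attachment UUID out of band."""
    svc = CommentsService({"secret-thread": {"alice"},
                           "shared-thread": {"alice", "mallory"}})
    leaked_id = svc.upload_attachment("alice", "secret-thread", b"confidential report")
    alice_cid = svc.create_comment("alice", "secret-thread", [leaked_id])
    # mallory cannot read secret-thread but can comment in shared-thread
    mallory_cid = svc.create_comment("mallory", "shared-thread", [leaked_id])
    leaked = svc.get_attachments_vulnerable("mallory", mallory_cid)
    try:
        svc.get_attachments_fixed("mallory", mallory_cid)
        fixed_blocked = False
    except PermissionError:
        fixed_blocked = True
    return {
        "leaked": leaked,
        "fixed_blocked": fixed_blocked,
        "owner_can_read": svc.get_attachments_fixed("alice", alice_cid),
    }


if __name__ == "__main__":
    print(demo())
```

A retrieval-side check of this kind also covers the brute-force case: even a guessed UUID yields nothing unless the guesser already holds read access on the originating resource, so the randomness of the locator stops being the only line of defence.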

Remediation

This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time.

Timeline

N/A

Acknowledgement

This issue was identified by an external security researcher as part of our bug bounty program.

Palantir Security Bulletin - PLTRSEC-2023-17

Vulnerabilities

Bulletin ID: PLTRSEC-2023-17

Summary

Palantir discovered a software bug in a recently released version of Foundry’s Lime2 service, one of the services backing the Ontology. The software bug has been fixed and the fix has been deployed to your hosted Foundry environment. The vulnerability allowed authenticated users within a Foundry organization to potentially bypass discretionary or mandatory access controls under certain circumstances.

Background

A software bug in Foundry’s Lime2 service (versions 2.519.0 through 2.531.0) resulted in the service not correctly verifying permissions when API queries were issued through Foundry’s Phonograph service under certain circumstances. The regression allowed authenticated users within a Foundry organization to potentially bypass discretionary or mandatory access controls on objects for which their account held discover permissions.

A thorough investigation revealed no known exploitation of this bug on Palantir managed or on-premise environments.

Details

The vulnerability could potentially impact authenticated users’ front-end and back-end access. For front-end access, users with discovery (view) permissions on an object type may have been able to view the object type and observe aggregations related to it. For back-end access, the impacted Phonograph search API endpoint may have returned a list of objects and associated properties that did not respect mandatory or discretionary controls. Data returned via this API did, however, still respect granular permission service (GPS) security constraints.

Successful exploitation of this bug via back-end access would require elevated permissions within Foundry, knowledge of the phonograph2 API endpoints, and specific resource identifiers, which are generally undiscoverable to non-privileged users.

For front-end access, users with discovery (view) permissions on an object type may have been able to:

  1. View the object type and observe aggregations related to the object type, such as the count of objects and properties.
  2. Access a small subset of Foundry user interface components, including Object Explorer, Workshop, and Search, possibly exposing some metadata to users.

Direct loads or reads of object data (e.g., rows, columns) remained protected in all cases by role-based security controls and were not visible to unauthorized users. Despite these exposures, the risk of unauthorized front-end data access is considered low.

For back-end access, the impacted Phonograph2 API endpoints may have exhibited the following behaviors:

  1. The API endpoints may have returned a list of objects and associated properties that did not respect mandatory or discretionary controls.
  2. Data returned via impacted API endpoints would have continued to respect granular permission service (GPS) security constraints and only displayed data the requestor was authorized to view for the relevant policy. However, this could have inadvertently revealed object metadata to the requestor.
  3. All other Phonograph2 API endpoints, such as the data load endpoints (e.g., getObject, getObjects), continued to appropriately respect discretionary and mandatory access controls.

Successful exploitation of this bug via back-end access would require:

  1. Pre-existing elevated permissions within Foundry (e.g., ‘Ontology Administrator’).
  2. Knowledge of the Phonograph2 API endpoints.
  3. Specific resource identifiers (e.g., GUIDs), which are generally undiscoverable to non-privileged users.

In certain cases, existing Slate dashboards may have relied on the discretionary permissions to limit the scope of the usage of the affected APIs for a subset of users of those dashboards. In such cases, users might have been inadvertently exposed to the list of objects and associated properties mentioned above. However, the likelihood of this occurring is believed to be low.
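The following is an added illustration, not Palantir code, of the class of regression described in this bulletin: a search endpoint that applies the row-level policy (the GPS layer in the text) but skips the object-level discretionary and mandatory checks. The object type, users, markings and row policy are all constructed. It shows concretely why "rows are still filtered" is not the same as "nothing leaked": a user holding only discover rights still learns which objects match, which properties exist, and the count.

```python
# Added example, not Palantir code. Simplified model of layered object-level
# (discretionary + mandatory) and row-level checks, with the regressed and the
# fixed search side by side. All types, users and policies are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class ObjectType:
    name: str
    viewers: Set[str]             # discretionary: accounts allowed to load object data
    discoverers: Set[str]         # accounts allowed to learn that the type exists
    required_markings: Set[str]   # mandatory: markings an account must hold
    objects: List[dict] = field(default_factory=list)


@dataclass
class User:
    name: str
    markings: Set[str]
    # row-level policy per object type (GPS stand-in): which objects are in scope
    row_policy: Dict[str, Callable[[dict], bool]] = field(default_factory=dict)


def discretionary_ok(user: User, otype: ObjectType) -> bool:
    return user.name in otype.viewers


def mandatory_ok(user: User, otype: ObjectType) -> bool:
    return otype.required_markings <= user.markings


def row_ok(user: User, otype: ObjectType, obj: dict) -> bool:
    pred = user.row_policy.get(otype.name)
    return bool(pred and pred(obj))


def search_regressed(user: User, otype: ObjectType) -> List[dict]:
    # Regression: object-level DAC/MAC are never consulted; only rows are filtered.
    return [o for o in otype.objects if row_ok(user, otype, o)]


def search_fixed(user: User, otype: ObjectType) -> List[dict]:
    # Object-level checks gate the whole query; the row policy narrows what remains.
    if not (discretionary_ok(user, otype) and mandatory_ok(user, otype)):
        raise PermissionError(f"{user.name} may not view {otype.name}")
    return [o for o in otype.objects if row_ok(user, otype, o)]


def aggregate_count(search: Callable, user: User, otype: ObjectType) -> int:
    # An aggregation built on a leaky search leaks too (the "count of objects").
    return len(search(user, otype))


def describe_type(user: User, otype: ObjectType) -> str:
    # Discover permission is meant to grant only this much: the type's name.
    if user.name not in otype.discoverers:
        raise PermissionError(f"{user.name} may not discover {otype.name}")
    return otype.name


def demo() -> dict:
    flights = ObjectType(
        name="Flight",
        viewers={"alice"},
        discoverers={"alice", "dana"},
        required_markings={"INTERNAL"},
        objects=[  # constructed sample objects
            {"id": "f1", "region": "EU", "callsign": "ABC123"},
            {"id": "f2", "region": "EU", "callsign": "DEF456"},
            {"id": "f3", "region": "US", "callsign": "GHI789"},
        ],
    )
    eu_only = {"Flight": lambda o: o["region"] == "EU"}
    dana = User("dana", markings={"INTERNAL"}, row_policy=eu_only)    # discover only
    alice = User("alice", markings={"INTERNAL"}, row_policy=eu_only)  # full viewer
    regressed = search_regressed(dana, flights)
    try:
        search_fixed(dana, flights)
        fixed_blocked = False
    except PermissionError:
        fixed_blocked = True
    return {
        "dana_sees_type": describe_type(dana, flights),
        "dana_regressed_count": aggregate_count(search_regressed, dana, flights),
        "dana_regressed_props": sorted(regressed[0].keys()) if regressed else [],
        "dana_fixed_blocked": fixed_blocked,
        "alice_fixed_count": aggregate_count(search_fixed, alice, flights),
    }


if __name__ == "__main__":
    print(demo())
```

The mandatory check is a subset test on markings and the discretionary check is an ACL membership test; both must pass before any row-level filtering runs, and an aggregation endpoint has to go through the same gate rather than counting the raw store.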

Remediation

The bug has been fixed as of Lime version 2.532.0, and the patch has been deployed to the affected Foundry environments. No ongoing risk of unintended data visibility is associated with this remediated vulnerability. No direct action is required from affected parties at this time.

Acknowledgement

This issue was identified internally at Palantir.

Third Party Risk Assessment Platforms

General

Many third-party organizations leverage “third-party risk assessment” platforms as part of their security due diligence efforts.

Unfortunately, the Palantir Information Security Team has increasingly observed that many of the platforms in this space are unreliable and include flawed “results” or “findings” which are irrelevant and erroneous. These platforms regularly misattribute information between unrelated organizations, employ questionable techniques resulting in data collection and completeness problems, and fundamentally do not provide valuable information about Palantir’s infrastructure or security risk.

At the date of this publication, the number of substantive, true-positive findings observed in these platforms has been de minimis. Individually responding to erroneous findings across a growing number of vendors in this space is an onerous and expensive task that ultimately detracts from meaningful cybersecurity work. As such, it is the policy of the Palantir information security team not to respond to inquiries or “findings” generated by such vendors or platforms.

We believe this policy allows us to best direct our cybersecurity resources towards efforts that maximize the security for Palantir, and for our customers. This ultimately allows us to meet the highest bar for security, data protection, privacy, and compliance, to which we are committed. In furtherance of this commitment, through our Safebase portal, we have published detailed security documentation, including reliable information reflecting risk and posture management, penetration and security testing, our accreditations, security controls, and other relevant, and detailed, security and technical information in order to inform meaningful risk assessments by our customers and prospective customers.

We remain confident that these materials demonstrate how Palantir’s infrastructure and operations meet the highest security standards.

Palantir Security Bulletin - PALSEC-2022-05

Incidents

Security Bulletin

A security bulletin has been publicly disclosed for our software.

PALSEC-2022-05

The delivery-metadata service in Palantir Apollo was found to expose API endpoints that did not require authentication to query, potentially granting read access to metadata such as deployed software version numbers to unintended recipients. The subsequent investigation uncovered insufficient authentication controls in the team-ownership service as well, which is responsible for metadata pertaining to package installations. These vulnerabilities are resolved in apollo-deployment-state version 4.714.0, delivery-metadata version 2.565.0, and team-ownership version 0.171.0. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest version of all relevant Apollo services.
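As an added illustration (not Apollo code) of the control that prevents this class of bug, the block below models a route registry in which every endpoint authenticates unless it is explicitly opted out, plus an audit function that lists any opted-out endpoint not on a small allowlist. Running such an audit in CI catches a metadata endpoint that was registered as public by mistake. The paths, handlers and token set are constructed for the example.

```python
# Added example, not Apollo code. Default-deny route registry with an audit
# that flags endpoints reachable without authentication. Paths, handlers and
# tokens are constructed for illustration.
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

VALID_TOKENS = {"tok-ops-1"}              # constructed stand-in for real token validation
PUBLIC_ALLOWLIST = {("GET", "/health")}   # the only endpoints permitted to skip auth


@dataclass(frozen=True)
class Route:
    handler: Callable[[], dict]
    public: bool = False  # must be opted in explicitly; the default is "authenticate"


class Router:
    def __init__(self) -> None:
        self.routes: Dict[Tuple[str, str], Route] = {}

    def add(self, method: str, path: str, handler: Callable[[], dict],
            public: bool = False) -> None:
        self.routes[(method, path)] = Route(handler, public)

    def dispatch(self, method: str, path: str,
                 token: Optional[str] = None) -> Tuple[int, dict]:
        route = self.routes.get((method, path))
        if route is None:
            return 404, {"error": "not found"}
        if not route.public and not _token_ok(token):
            # Authentication is the default; a missing check cannot happen by omission.
            return 401, {"error": "authentication required"}
        return 200, route.handler()


def _token_ok(token: Optional[str]) -> bool:
    if token is None:
        return False
    return any(hmac.compare_digest(token, t) for t in VALID_TOKENS)


def audit_public_routes(router: Router) -> List[Tuple[str, str]]:
    """Every route that skips authentication but is not on the allowlist."""
    return sorted(key for key, r in router.routes.items()
                  if r.public and key not in PUBLIC_ALLOWLIST)


def build_router() -> Router:
    r = Router()
    r.add("GET", "/health", lambda: {"status": "ok"}, public=True)
    # Constructed metadata endpoint of the kind the bulletin describes, wrongly public.
    r.add("GET", "/delivery/versions",
          lambda: {"service": "example-svc", "version": "1.2.3"}, public=True)
    r.add("GET", "/delivery/owners", lambda: {"example-svc": "team-a"})
    return r


if __name__ == "__main__":
    print("unauthenticated routes:", audit_public_routes(build_router()))
```

The audit is deliberately keyed on the registry rather than on handler code, so it also catches endpoints added by a different team or generated from a spec; anything new is authenticated until someone adds it to the allowlist on purpose.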

More Information

Full details of this security bulletin can be found in our GitHub repository.

Palantir Security Bulletin - PALSEC-2022-04

Incidents

Security Bulletin

A security bulletin has been publicly disclosed for our software.

PALSEC-2022-04

The Blobster service was found to have a cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Foundry to launch attacks against other users. This vulnerability is resolved in Blobster 3.228.0, which has been automatically deployed to all Apollo-managed Foundry instances. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest version of Blobster.

More Information

Full details of this security bulletin can be found in our GitHub repository.

Palantir Security Bulletin - PALSEC-2022-03

Incidents

Security Bulletin

A security bulletin has been publicly disclosed for our software.

PALSEC-2022-03

The Foundry Magritte plugin osisoft-pi-web-connector was found to log in a manner that captured authentication requests, and with them the credentials those requests carried. This vulnerability is resolved in osisoft-pi-web-connector version 0.44.0. Magritte sources which leverage this plugin using HTTP Basic Authentication should change their OSIsoft PI System account credentials.
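As an added illustration (not the plugin's code) of why logged authentication requests are a credential leak and how to prevent one, the block below shows that a captured Basic header decodes straight back to the password, and adds a logging filter that redacts Authorization headers, URL userinfo and common secret query parameters before a record is written. The PI Web API URL, account name and password are constructed.

```python
# Added example, not Magritte code. Demonstrates (1) recovering a password from
# a logged HTTP Basic header and (2) a logging filter that redacts credentials
# before the record reaches any handler. Sample URL and credentials constructed.
import base64
import io
import logging
import re
from typing import Optional, Tuple

AUTH_HEADER = re.compile(r"(?i)(authorization\s*[:=]\s*)(basic|bearer)\s+\S+")
URL_USERINFO = re.compile(r"(?i)(https?://)[^/@\s]+@")
QUERY_SECRET = re.compile(r"(?i)([?&](?:password|pass|token|api_key)=)[^&\s]+")


def redact(text: str) -> str:
    """Strip credential-bearing fragments from one log line."""
    text = AUTH_HEADER.sub(lambda m: f"{m.group(1)}{m.group(2)} [REDACTED]", text)
    text = URL_USERINFO.sub(r"\1[REDACTED]@", text)
    text = QUERY_SECRET.sub(r"\1[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the fully formatted message so no handler ever sees the secret."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """What anyone with log access recovers from a logged 'Basic <b64>' value."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return user, password


def log_request(line: str, redacting: bool) -> str:
    """Emit one request line through a fresh logger and return what was written."""
    buf = io.StringIO()
    logger = logging.getLogger(f"redact-demo.{redacting}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    if redacting:
        handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.debug("%s", line)
    handler.flush()
    return buf.getvalue().strip()


# Constructed sample: a connector logging the outbound request verbatim.
SAMPLE_B64 = base64.b64encode(b"piuser:S3cret!").decode()
SAMPLE_LINE = ("GET https://pi.example.internal/piwebapi/points?nameFilter=* "
               "Authorization: Basic " + SAMPLE_B64)


if __name__ == "__main__":
    print("unredacted:", log_request(SAMPLE_LINE, redacting=False))
    print("recovered :", basic_credentials("Basic " + SAMPLE_B64))
    print("redacted  :", log_request(SAMPLE_LINE, redacting=True))
```

Because the filter sits on the handler and rewrites the already-formatted message, it also covers messages built with `%s` arguments. It is a backstop, not a substitute for never passing the header to the logger in the first place; once a credential has reached a log sink, rotation, as the bulletin advises, is the only remedy.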

More Information

Full details of this security bulletin can be found in our GitHub repository.

Palantir response to OpenSSL CVE-2022-3786 and CVE-2022-3602

Incidents

Security Response: CVE-2022-3786 and CVE-2022-3602

Background

On October 25th, the OpenSSL maintainers announced to the community that version 3.0.7, containing a patch for a vulnerability pre-rated CRITICAL, would be released on November 1. Upon receiving the notification, the Palantir CIRT (Computer Incident Response Team) opened an investigation to determine the overall exposure of Palantir platforms and infrastructure. Subsequent notices from the OpenSSL maintainers indicated that only the 3.0.x branch contained the CRITICAL fix, so, in conjunction with our product development teams, we began to investigate and understand the usage of OpenSSL 3.0.x across our organization. By Friday October 28th we had concluded our assessment and stood by for the November 1 release.

On November 1, OpenSSL 3.0.7 was released, resolving two HIGH-severity CVEs: CVE-2022-3786 and CVE-2022-3602. After the initial announcement on October 25th, the OpenSSL maintainers conducted further analysis of the issues and determined they were not as exploitable as initially thought. The Palantir InfoSec Team nonetheless treats all software issues of this nature with the utmost importance, whatever the surrounding circumstances.

Palantir is not affected

Palantir is not affected by the OpenSSL vulnerabilities CVE-2022-3786 and CVE-2022-3602. After a comprehensive search for usage of the affected library, we found no reliance on, and no evidence of, OpenSSL 3.0.x in our hosted infrastructure and products. No action is required from any of our customers.
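As an added illustration (not Palantir's tooling) of what such a search has to establish, the block below implements a small inventory check for the affected range, 3.0.0 through 3.0.6: it pulls the embedded version string out of shared objects and statically linked binaries on disk and also reports the OpenSSL the running interpreter is linked against. The file names and contents in the demo are constructed stand-ins; in practice the scan would be pointed at container image layers, `/usr/lib`, and vendored binaries.

```python
# Added example, not Palantir tooling. Finds OpenSSL version strings embedded in
# files and flags the CVE-2022-3602 / CVE-2022-3786 range (3.0.0 - 3.0.6).
# The demo's file tree and contents are constructed.
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

try:
    import ssl
except ImportError:  # interpreter built without OpenSSL
    ssl = None

# Libraries and binaries embed a string such as "OpenSSL 3.0.6 11 Oct 2022".
VERSION_IN_BINARY = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'3.0.6', '1.1.1q' or 'OpenSSL 3.0.7 1 Nov 2022' -> (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(text: str) -> bool:
    """Only the 3.0.x branch is vulnerable, and 3.0.7 is the fixed release."""
    major, minor, patch = parse_version(text)
    return (major, minor) == (3, 0) and patch <= 6


def scan_file(path: str) -> List[str]:
    """All OpenSSL version strings found in one file (read whole; fine for libraries)."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted({m.group(1).decode() for m in VERSION_IN_BINARY.finditer(data)})


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Relative path -> affected versions embedded in it, for every file under root."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            affected = [v for v in scan_file(path) if is_affected(v)]
            if affected:
                findings[os.path.relpath(path, root)] = affected
    return findings


def interpreter_openssl() -> Optional[str]:
    """Version string of the OpenSSL this Python is linked against, if any."""
    return getattr(ssl, "OPENSSL_VERSION", None)


def demo() -> Dict[str, List[str]]:
    root = tempfile.mkdtemp(prefix="openssl-scan-")
    samples = {  # constructed stand-ins for real shared objects and binaries
        "usr/lib/libssl.so.3": b"\x7fELF...OpenSSL 3.0.6 11 Oct 2022\x00...",
        "usr/lib/libcrypto.so.1.1": b"\x7fELF...OpenSSL 1.1.1q  5 Jul 2022\x00",
        "opt/app/server": b"...OpenSSL 3.0.7 1 Nov 2022\x00",
        # statically linked tool that still carries an old copy alongside a new one
        "opt/tool/agent": b"...OpenSSL 3.0.2 15 Mar 2022\x00...OpenSSL 3.0.7 1 Nov 2022",
    }
    for rel, blob in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(blob)
    return scan_tree(root)


if __name__ == "__main__":
    print("interpreter:", interpreter_openssl())
    for path, versions in demo().items():
        print(f"AFFECTED {path}: {versions}")
```

Two points the scan encodes that a plain `openssl version` check misses: the vulnerable range is a closed interval on one branch (1.1.1 and 3.1 are not affected, 3.0.7 is fixed), and a statically linked binary can carry an old copy of the library regardless of what the system package says, so every binary is scanned, not only `libssl*`.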

Related news

Gentoo Linux Security Advisory 202405-29

Gentoo Linux Security Advisory 202405-29 - Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected.

CVE-2023-30969: Palantir | Trust and Security Portal

The Palantir Tiles1 service was found to be vulnerable to an API wide issue where the service was not performing authentication/authorization on all the endpoints.

CVE-2022-22377: Security Bulletin: IBM Security Verify Privilege On-Premise is affected by multiple security vulnerabilities

IBM Security Verify Privilege On-Premises 11.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 221827.

CVE-2023-30959: Palantir | Trust and Security Portal

In Apollo change requests, comments added by users could contain a javascript URI link that when rendered will result in an XSS that require user interaction.

CVE-2023-30962: Palantir | Trust and Security Portal

The Gotham Cerberus service was found to have a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Gotham to launch attacks against other users. This vulnerability is resolved in Cerberus 100.230704.0-27-g031dd58.

CVE-2023-30951: Palantir | Trust and Security Portal

The Foundry Magritte plugin rest-source was found to be vulnerable to an XML External Entity (XXE) attack.

CVE-2023-30958: Palantir | Trust and Security Portal

A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.225.0.

CVE-2023-30949: Palantir | Trust and Security Portal

A missing origin validation in Slate sandbox could be exploited by a malicious user to modify the page's content, which could lead to phishing attacks.

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

CVE-2023-30956: Palantir | Trust and Security Portal

A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0.

CVE-2023-30963: Palantir | Trust and Security Portal

A security defect was discovered in Foundry Frontend which enabled users to perform Stored XSS attacks in Slate if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.229.0. The service was rolled out to all affected Foundry instances. No further intervention is required.

CVE-2023-30960: Palantir | Trust and Security Portal

A security defect was discovered in Foundry job-tracker that enabled users to query metadata related to builds on resources they did not have access to. This defect was resolved with the release of job-tracker 4.645.0. The service was rolled out to all affected Foundry instances. No further intervention is required.

CVE-2023-22835: Palantir | Trust and Security Portal

A security defect was identified that enabled a user of Foundry Issues to perform a Denial of Service attack by submitting malformed data in an Issue that caused loss of frontend functionality to all issue participants. This defect was resolved with the release of Foundry Issues 2.510.0 and Foundry Frontend 6.228.0.

CVE-2023-30955: Palantir | Trust and Security Portal

A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This enabled users with insufficient privilege the ability to view and interact with Developer Mode settings in a limited capacity. A fix was deployed with workspace-server 7.7.0.

CVE-2023-30946: Palantir | Trust and Security Portal

A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry's Notification API and receive metadata about the issue including the RID of the issue, severity, internal UUID of the author, and the user-defined title of the issue.

CVE-2023-22834: Palantir | Trust and Security Portal

The Contour Service was not checking that users had permission to create an analysis for a given dataset. This could allow an attacker to clutter up Compass folders with extraneous analyses, that the attacker would otherwise not have permission to create.

CVE-2023-30945: Palantir | Trust and Security Portal

Multiple Services such as VHS(Video History Server) and VCD(Video Clip Distributor) and Clips2 were discovered to be vulnerable to an unauthenticated arbitrary file read/write vulnerability due to missing input validation on filenames. A malicious attacker could read sensitive files from the filesystem or write/delete arbitrary files on the filesystem as well.

CVE-2023-22833: Palantir | Trust and Security Portal

Palantir discovered a software bug in a recently released version of Foundry’s Lime2 service, one of the services backing the Ontology. The software bug has been fixed and the fix has been deployed to your hosted Foundry environment. The vulnerability allowed authenticated users within a Foundry organization to potentially bypass discretionary or mandatory access controls under certain circumstances.

Threat Source newsletter (Nov. 3, 2022): Mastadon, evolution, and LiveJournal oh my!

Welcome to this week’s edition of the Threat Source newsletter. I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase

Gentoo Linux Security Advisory 202211-01

Gentoo Linux Security Advisory 202211-1 - Multiple vulnerabilities have been discovered in OpenSSL, the worst of which could result in remote code execution. Versions less than 3.0.7:0/3 are affected.

Red Hat Security Advisory 2022-7288-01

Red Hat Security Advisory 2022-7288-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full strength general purpose cryptography library. Issues addressed include a buffer overflow vulnerability.

OpenSSL Released Patch for High-Severity Vulnerability Detected Last Week

By Deeba Ahmed The OpenSSL vulnerability was first categorized as critical and later as a high-severity buffer overflow bug that impacted all OpenSSL 3.x installations. This is a post from HackRead.com Read the original post: OpenSSL Released Patch for High-Severity Vulnerability Detected Last Week

Awareness and guidance related to OpenSSL 3.0 - 3.0.6 risk (CVE-2022-3786 and CVE-2022-3602)

Summary Summary Microsoft is aware and actively addressing the impact associated with the recent OpenSSL vulnerabilities announced on October 25th 2022, fixed in version 3.0.7. As part of our standard processes, we are rolling out fixes for impacted services. Any customer action that is required will be highlighted in this blog and our associated Security Update Guides (CVE-2022-3786 Security Update Guide and CVE-2022-3602 Security Update Guide).

Threat Advisory: High Severity OpenSSL Vulnerabilities

In late October two new buffer overflow vulnerabilities, CVE-2022-3602 and CVE-2022-3786, were announced in OpenSSL versions 3.0.0 to 3.0.6. These vulnerabilities can be exploited by sending an X.509 certificate with a specially crafted email address, potentially causing a buffer overflow resulting in a crash or

RHSA-2022:7288: Red Hat Security Advisory: openssl security update

An update for openssl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3602: OpenSSL: X.509 Email Address Buffer Overflow * CVE-2022-3786: OpenSSL: X.509 Email Address Variable Length Buffer Overflow

Ubuntu Security Notice USN-5710-1

Ubuntu Security Notice 5710-1 - It was discovered that OpenSSL incorrectly handled certain X.509 Email Addresses. If a certificate authority were tricked into signing a specially-crafted certificate, a remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. The default compiler options for affected releases reduce the vulnerability to a denial of service. It was discovered that OpenSSL incorrectly handled applications creating custom ciphers via the legacy EVP_CIPHER_meth_new function. This issue could cause certain applications that mishandled values to the function to possibly end up with a NULL cipher and messages in plaintext.

CVE-2022-3602

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to up...

GHSA-h8jm-2x53-xhp5: X.509 Email Address Variable Length Buffer Overflow

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.` character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email

CVE-2017-5711: Security Center

Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.
