Overview
As has been widely reported, log4j (a Java logging library) is vulnerable to remote code execution. See https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228.

Triton and Manta use zookeeper for state management of Manatee, and for service component registration in the binder (nameservice) component. While our version of zookeeper does include log4j, it ships log4j version 1.2.15, which is not vulnerable to CVE-2021-44228 according to the Apache advisory. Separately, CVE-2021-4104 covers log4j when the JMSAppender is in use.

Overview
This notice is to advise Joyent customers and open source users of Triton and Manta about a prototype pollution vulnerability in json-schema, a third-party dependency of http-signature. http-signature is the authentication component of CloudAPI and Manta.

http-signature is not known to be exploitable through this issue, but it has been updated to preclude the possibility of exploitation. Triton cloudapi and Manta webapi have been updated with the current version of http-signature.

Description
Further details surrounding the vulnerability in json-schema can be found in the SNYK security advisory.

Overview
This notice is to advise Joyent customers and open source users of Triton and Manta about CVE-2021-40346, a potential security vulnerability where an attacker may bypass http-request HAProxy ACLs.

Description
Further details surrounding this vulnerability (including a list of applications/services that may be vulnerable) can be found in this alert from CVE.

Actions taken by Joyent
The fix has been made available for upstream inclusion and has been deployed into our production environment.

Overview
This notice is to advise Triton Cloud (public cloud) users, Triton On-Premises Software operators, Triton On-Premises Object Storage (Manta) operators and Open Source Triton users of two vulnerabilities reported by Node.

Description
Joyent has been made aware of the following Node vulnerabilities:

- "Constant Hashtable Seeds" (CVE-2017-11499) - high severity
- "c-ares NAPTR parser out of bounds access" (CVE-2017-1000381) - low severity

Of the two, only the high-severity "Constant Hashtable Seeds" vulnerability has been determined to have any potential effect on Joyent's infrastructure/services.