SB2023011620 - Multiple vulnerabilities in Linaro Automated Validation Architecture (LAVA)

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Code Injection (CVE-ID: CVE-2022-45132)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when handling Jinja2 templates. A remote user can submit a specially crafted Jinja2 template to the REST API endpoint for validating device configuration files in lava-server and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) XML Entity Expansion (CVE-ID: CVE-2022-44641)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to XML entity expansion when handling XMLRPC requests. A remote authenticated user can cause a recursive XML entity expansion and perform denial of service attack.

Remediation

Install update from vendor's website.

References

• https://lists.lavasoftware.org/archives/list/lava-announce@lists.lavasoftware.org/thread/WHXGQMIZAPW3GCQEXYHC32N2ZAAAIYCY/
• https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
• https://www.debian.org/security/2023/dsa-5318