CVE-2017-9078 and CVE-2017-9080 are fixed in the 5.3.0, 6.0.0 and 6.1.0 releases. The release was marked as a security fix, meaning the issue is considered critical, so an immediate upgrade is recommended for all affected environments. The fix has also been merged into version 5.4.0.

Another issue was found in spinnaker that leads to denial of service when the rsync module is used; it allows an attacker with sufficient privileges to crash an instance. This issue was fixed in the 5.3.0 and 6.0.0 releases. As above, the release was marked as a security fix, meaning the issue is considered critical, so an immediate upgrade is recommended for all affected environments. The fix has also been merged into version 5.4.0.

Overview of the Findings


"An issue was found in spinnaker, which leads to denial of service when using the rsync module." This is a security fix, meaning that all affected environments should upgrade.
The CVE number is CVE-2017-9078, and it affects versions 5.3.0 and 6.1.0.

Versions Affected

Both CVE-2022-2805 and CVE-2017-9078 were fixed in the 5.3.0, 6.0.0 and 6.1.0 releases of spinnaker. The fix was also merged into version 5.4.0.

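To turn the version list above into something an operator can run against an inventory, here is an added example (not code from this advisory or from the spinnaker project) that decides whether an installed version is below the first fixed release on its major line. The fixed releases 5.3.0, 5.4.0, 6.0.0 and 6.1.0 are taken from this page; the assumption that fixes were not backported below those releases, and that a major line with no listed fix (for example 4.x) must be treated as affected, is made here for the check and is not stated by the advisory. The sample inventory at the bottom is constructed.

```python
import re
from typing import Optional, Tuple

# Fixed releases as stated in this advisory. 5.4.0 is listed as the version
# into which the fix was merged, so it is treated as fixed as well.
FIXED_RELEASES = ("5.3.0", "5.4.0", "6.0.0", "6.1.0")

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.\-]+)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '5.3.0', 'v6.0.0' or '5.3.0-rc1' into a comparable tuple.

    The fourth element orders pre-releases (0) before the final release (1),
    so '5.3.0-rc1' compares lower than '5.3.0' and is not mistaken for the
    fixed release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def minimum_fixed_for_major(major: int) -> Optional[Tuple[int, int, int, int]]:
    """Lowest fixed release on the given major line, or None if the advisory lists none."""
    fixed = [parse_version(r) for r in FIXED_RELEASES if parse_version(r)[0] == major]
    return min(fixed) if fixed else None


def needs_upgrade(installed: str) -> bool:
    """True when the installed version is below the first fixed release on its
    major line. Assumption (not from the advisory): fixes are not backported
    below the listed releases, and a major line with no listed fix is affected."""
    version = parse_version(installed)
    floor = minimum_fixed_for_major(version[0])
    if floor is None:
        return True
    return version < floor


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    inventory = [("ci-1", "5.2.9"), ("ci-2", "5.3.0-rc1"), ("ci-3", "v6.0.0"), ("legacy", "4.8.2")]
    for host, ver in inventory:
        print(f"{host}: {ver} -> {'UPGRADE' if needs_upgrade(ver) else 'ok'}")
```

The pre-release handling is the part worth keeping: a naive `startswith("5.3.0")` check would pass `5.3.0-rc1` as fixed, which is exactly the build most likely to be sitting on a staging host.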

Timeline

Published on: 10/19/2022 18:15:00 UTC
Last modified on: 10/21/2022 14:40:00 UTC

References