Category Archives: Potential Risk of CVE

CVE-2023-40272: Apache Airflow Spark Provider design weakness (17th Aug 2023)

Background: What is Apache Airflow used for?

Apache Airflow is an open-source tool to programmatically author, schedule, and monitor workflows. It is one of the most robust platforms used by Data Engineers for orchestrating workflows or pipelines. You can easily visualize your data pipelines’ dependencies, progress, logs, code, trigger tasks, and success status.

What is the difference between extras and providers in Airflow?

Extras are a standard Python setuptools feature that allows an additional set of dependencies to be added as optional features to “core” Apache Airflow. One type of such optional feature is the provider package, but not all optional features of Apache Airflow have corresponding providers.

Providers can contain operators, hooks, sensors, and transfer operators to communicate with a multitude of external systems, but they can also extend the Airflow core with new capabilities. You can install those provider packages separately in order to interface with a given service.

What is deployment Mode in Apache Spark?

  • Client mode – The behavior depends on where the driver component runs: here the Spark driver, and therefore the job, runs on the machine from which the job is submitted, so this mode is called client mode.
  • Cluster mode – Here the driver component of the Spark job does not run on the local machine from which the job is submitted but on a node inside the cluster, so this mode is called cluster mode.

Vulnerability Details: Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected.

Affected versions: Apache Airflow Spark Provider before 4.1.3

Remedy: Patched version 4.1.3 (upgrade to 4.1.3 or later).

Official announcement: For details, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2023-40272
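The weakness above is about connection parameters reaching the spark-submit command line unchecked. The following is an added example written for this post, not the provider's own code or its actual fix: it treats every connection field as untrusted and builds the argv only from values that pass an allowlist (the binary names, the master-URL pattern, the `extra` keys and the helper names are all assumptions).

```python
import re

# Constructed illustration, not the provider's own code: treat every Airflow
# connection field as untrusted input and refuse anything that would change the
# spark-submit command line. Names and limits below are assumptions.
ALLOWED_SPARK_BINARIES = {"spark-submit", "spark2-submit", "spark3-submit"}
ALLOWED_DEPLOY_MODES = {"client", "cluster"}
# A master URL must be a bare scheme://host[:port] style value: no whitespace,
# no option-like text that could be parsed as an extra spark-submit argument.
MASTER_RE = re.compile(r"^(local(\[\d+\])?|yarn|spark://[\w.\-]+(:\d+)?|k8s://[\w.\-:/]+)$")


def is_plain_token(value: str) -> bool:
    """True if value cannot be mistaken for an option or split into new arguments."""
    return bool(value) and not value.startswith("-") and not any(c.isspace() for c in value)


def build_spark_submit_argv(conn: dict, app_file: str) -> list:
    """Build a spark-submit argv from a connection-like dict.

    conn is modelled loosely on an Airflow Connection: 'host' holds the master
    URL and 'extra' is a dict that may carry 'spark-binary', 'deploy-mode'
    and 'queue'. Any field that fails validation aborts the whole build.
    """
    extra = conn.get("extra") or {}
    binary = extra.get("spark-binary", "spark-submit")
    if binary not in ALLOWED_SPARK_BINARIES:
        raise ValueError(f"spark binary not in allowlist: {binary!r}")
    master = conn.get("host", "")
    if not MASTER_RE.fullmatch(master):
        raise ValueError(f"master URL rejected: {master!r}")
    deploy_mode = extra.get("deploy-mode", "client")
    if deploy_mode not in ALLOWED_DEPLOY_MODES:
        raise ValueError(f"deploy mode rejected: {deploy_mode!r}")
    argv = [binary, "--master", master, "--deploy-mode", deploy_mode]
    queue = extra.get("queue")
    if queue is not None:
        if not is_plain_token(queue):
            raise ValueError(f"queue name rejected: {queue!r}")
        argv += ["--queue", queue]
    if not is_plain_token(app_file):
        raise ValueError(f"application path rejected: {app_file!r}")
    argv.append(app_file)
    # Run with subprocess.run(argv) (a list, never a shell string) so that
    # no field is ever re-parsed by a shell.
    return argv
```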

CVE-2023-4387: Linux kernel VMware vmxnet3 Ethernet NIC driver design weakness (17th Aug 2023)

Background: VMware VMXNET3 is a para-virtual (hypervisor-aware) network driver. It was designed and developed to address the networking complexities of a virtualized infrastructure. A para-virtual driver is a high-performance driver that significantly reduces the overhead caused by the emulation of the corresponding physical device. VMXNET3 is aware of the hypervisor and does not require an emulation layer, thereby enhancing performance by almost 20% and reducing overall CPU consumption.

Vulnerability details: A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware’s vmxnet3 Ethernet NIC driver in the Linux kernel. This issue could allow a local attacker to crash the system due to a double free while cleaning up in vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak.

Mitigation: The mitigation for this issue is to skip loading the affected module “vmxnet3” onto the system until the fix is available. This can be done with the module blacklist mechanism, which ensures the driver is not loaded at boot time.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-4387

CVE-2023-28198 – Similar to previous web browser engine design flaws. A confusing similarity! (15th Aug 2023)

Preface: The official description of this design flaw (CVE-2023-28198) says only that it is caused by WebKit. No other details! Are you interested in taking a closer look? But don’t worry: this CVE was marked reserved in March 2023 and allowed for announcement on August 15, 2023. I believe Apple has successfully handled it.

Background: WebKit, the engine, is split into different components that encapsulate its different parts.

It contains the core features of the engine (rendering, layout, platform access, HTML and DOM support, the graphics layer, etc). However, some of these ultimately depend heavily on the OS and underlying software platform in order to function. For example: how do we actually do any I/O on different platforms? How do we render onscreen? What’s the underlying multimedia platform and how does it decode media and play it?

Vulnerability details: The vulnerability allows a remote attacker to compromise a vulnerable system. The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website, trigger the use-after-free error and execute arbitrary code on the system. Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.

Available for: macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Official announcement: For details, please refer to the link – https://support.apple.com/en-us/HT213670

CVE-2023-20564 – One Step closer to observe – AMD Ryzen™ Master design weakness (14th Aug 2023)

Preface: A system call is a way for programs to interact with the operating system. A computer program makes a system call when it makes a request to the operating system’s kernel. System calls provide the services of the operating system to user programs via an Application Program Interface (API).

The ioctl() system call manipulates the underlying device parameters of special files.

Background: The AMD Ryzen™ Master Monitoring SDK is a public distribution that allows software developers to add processor and memory functions to their own utility in conjunction with AMD Ryzen™ and AMD Ryzen™ Threadripper™ processor products.

All AMD Ryzen CPUs are overclock-ready so you can skip checking if your processor supports overclocking if you have a Ryzen laptop. However, you do still need to check if your motherboard supports overclocking. Ryzen supplies its own overclocking utility called Ryzen Master.

Vulnerability details: Insufficient validation in the IOCTL (Input Output Control) input buffer in AMD Ryzen™ Master may permit a privileged attacker to perform memory reads and writes, potentially leading to a loss of confidentiality or arbitrary kernel execution.

Official announcement: For details, please refer to below links

(Amazon Linux Security Center) – https://explore.alas.aws.amazon.com/CVE-2023-20564.html

(AMD Security Bulletin) – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7004.html

Learn more about CVE-2023-33953 (13th Aug 2023)

Background: gRPC is a powerful open source RPC (Remote Procedure Call) framework for building scalable and fast APIs. It allows client and server applications to communicate transparently and develop connected systems. Many leading tech companies have adopted gRPC.

Vulnerability details:

Three vectors were found that allow the following DoS attacks:

– Unbounded memory buffering in the HPACK parser
– Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per input block in the parser; because that could be unbounded due to the memory copy bug, we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

– The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16 KB.

– HPACK varints have an encoding quirk whereby an infinite number of 0s can be added at the start of an integer. gRPC’s HPACK parser needed to read all of them before concluding a parse.

– gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering:
  HEADERS: containing a: 1
  CONTINUATION: containing a: 2
  CONTINUATION: containing a: 3
  etc…

Red Hat official announcement: OpenShift uses the gRPC library with the Kuryr component. In OpenShift, Kuryr is not configured to run the code using the gRPC library. Hence, the impact for OpenShift is set to moderate. For details, please refer to the link – https://access.redhat.com/security/cve/cve-2023-33953
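The three bugs listed above each come down to a missing or misplaced bound in the HPACK parser. The following is an added example written for this post, not gRPC's code: a toy RFC 7541 integer and string decoder plus a header-block accumulator that shows where each bound belongs (a cap on varint continuation bytes, a length check before any copy, and one cumulative limit across HEADERS and CONTINUATION frames). The limit values and names are assumptions.

```python
# Constructed illustration (not gRPC's code) of the three parser bounds that the
# CVE-2023-33953 fixes correspond to; the limits below are assumptions.
MAX_INT_CONTINUATION_BYTES = 5    # 5 * 7 bits is enough for any 32-bit value
MAX_HEADER_STRING = 16 * 1024     # checked against the declared length, before buffering
MAX_HEADER_LIST_SIZE = 64 * 1024  # applied to the whole header block, not per frame

class HpackError(ValueError):
    pass

def decode_integer(buf, pos, prefix_bits):
    """RFC 7541 section 5.1 integer; returns (value, new_pos). A 0x80 continuation
    byte adds nothing but keeps the loop alive (the padding quirk); the cap ends it."""
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    for _ in range(MAX_INT_CONTINUATION_BYTES):
        if pos >= len(buf):
            raise HpackError("truncated integer")
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos
    raise HpackError("integer has too many continuation bytes")

def decode_string(buf, pos):
    """String literal (section 5.2): length check first, copy second.
    The Huffman flag in bit 7 is skipped; the ordering of the check is the point."""
    length, pos = decode_integer(buf, pos, 7)
    if length > MAX_HEADER_STRING:
        raise HpackError(f"declared length {length} exceeds {MAX_HEADER_STRING}")
    if pos + length > len(buf):
        raise HpackError("truncated string")
    return bytes(buf[pos:pos + length]), pos + length

class HeaderBlock:
    """Accumulates HEADERS + CONTINUATION fragments under one cumulative limit."""
    def __init__(self, limit=MAX_HEADER_LIST_SIZE):
        self.limit, self.total, self.fragments = limit, 0, []
    def add_fragment(self, fragment):
        self.total += len(fragment)
        if self.total > self.limit:  # a per-frame check would never trip on small frames
            raise HpackError("header block too large across CONTINUATION frames")
        self.fragments.append(fragment)
        return self.total
```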

CVE-2023-20569 – AMD mitigate Zen3 and Zen4 CPU return address prediction design weakness. (10th Aug 2023)

Preface: To be or not to be, AMD is not aware of any exploit of “CVE-2023-20569” outside of the research environment at this moment.

Background: There are two phenomena that enable an unprivileged attacker to leak arbitrary information on AMD Zen3 and Zen4 CPU products.

  • Phantom speculation – Triggering a misprediction without any branch at the source of the misprediction.
  • Training in Transient Execution – Potentially manipulating future mispredictions through a previous misprediction that the attacker triggers.

Vulnerability details: A side-channel vulnerability in some AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled instruction pointer register, potentially leading to information disclosure. Inception (CVE-2023-20569) is a novel transient execution attack that leaks arbitrary data on all AMD Zen CPUs in the presence of all previously deployed software and hardware mitigations.

Furthermore, AMD has disclosed a security issue affecting AMD CPUs that may allow malicious code in a guest VM to infer the contents of memory belonging to other processes running on the same CPU core. Although this is not an issue in the Citrix Hypervisor product itself, AMD has included product changes and updated microcode to mitigate this CPU hardware issue.

Remark: Citrix XenServer is an open source server virtualization platform based on the Xen hypervisor.

Official announcement: Citrix Hypervisor Security Bulletin for CVE-2023-20569. For details, please refer to the link – https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bulletin-for-cve202320569-cve202334319-and-cve202240982

A closer look at CVE-2023-21287 (10th Aug 2023)

Preface: The Android security bulletin published on 7th Aug 2023 states that CVE-2023-21287 may cause remote code execution. Officials did not disclose specific details. But what is the design weakness?

Background: The Android security update is available for all Android versions that still receive regular updates (Android 11, 12, and 13). If you are using Android 10 or below: Android 10 reached end of life in March 2023, so it no longer receives security updates.

FreeType is a freely available software library to render fonts. It is written in C, designed to be small, efficient, highly customizable, and portable, while capable of producing high-quality output (glyph images) of most vector and bitmap font formats. Some products that use FreeType for rendering fonts on screen or on paper, either exclusively or partially:

  • GNU/Linux and other free Unix operating system derivatives like FreeBSD or NetBSD;
  • Platforms for smart devices, including Android, Tizen, and Roku;
  • iOS, Apple’s mobile operating system for iPhones and iPads;

Vulnerability details: A vulnerability in the Framework component that could allow remote code execution.

Official announcement: For detail, please refer to the link – https://android.googlesource.com/platform/external/freetype/+/a79e80a25874dacaa266906a9048f13d4bac41c6

CVE-2023-35385: is it the successor of a former vulnerability? (9th Aug 2023)

Preface: A message can be considered a packet of data conforming to a specific protocol that contains information in well-defined fields.

Background: MSMQ (Microsoft Message Queuing) provides a distributed and decoupled way of sending and receiving messages between applications. MSMQ acts as a queue manager that lets applications be isolated from one another and keep working even if other applications they interact with are down or unavailable.

The Code Block Component is used to extend the functionality of the XML comments <code> tag.

Syntax highlighting of code blocks in <code> tags. Languages supported include C#, VB.NET, JScript.NET, C++, J#, C, JavaScript, VBScript, XAML, XML, HTML, SQL script, Python, PowerShell script, and batch file script.

Vulnerability details: A remote unauthenticated attacker can exploit this vulnerability by sending malicious MSMQ packets to a vulnerable MSMQ server leading to arbitrary code execution. However, in order to exploit this flaw, the Message Queuing service needs to be enabled on the vulnerable server. Microsoft says if the service is enabled, it runs under the service name “Message Queuing” and is listening on TCP port 1801.

Messages can have no more than 4 MB of data. This restriction is due to the memory mapped files used by Message Queuing to store the message data. These memory-mapped files are stored in the MSMQ\Storage folder on the computer where the queue resides.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-35385

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-35385

About CVE-2023-36054 – design weakness causes Kerberos administration daemon (kadmind) crash! (8th Aug 2023)

Preface: Kerberos runs as a third-party trusted server known as the Key Distribution Center (KDC). Each user and service on the network is a principal. The KDC has three main components: An authentication server that performs the initial authentication and issues ticket-granting tickets for users.

Background: Kerberos implementations also exist for other operating systems such as Apple OS, FreeBSD, UNIX, and Linux.

Ref: The patch adds Privileged Attribute Certificate (PAC) signatures to the Kerberos PAC buffer. A PAC is an extension to a Kerberos ticket that contains information about a user’s privileges.

What are the changes in Kerberos October 2023?

October 10, 2023 – Full Enforcement phase

Removes support for the registry subkey KrbtgtFullPacSignature. Removes support for Audit mode. All service tickets without the new PAC signatures will be denied authentication.

Vulnerability details: lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

Official announcement: For details, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2023-36054
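The defect above is a decoder trusting two counts that arrive separately on the wire. The following is an added example written for this post, not krb5's code: a toy XDR decoder for a principal record in which n_key_data and the key_data array length are read as separate words and cross-checked before anything is used. The record layout, field names, bound and encoder helper are assumptions made for the illustration.

```python
import struct
# Constructed illustration, not krb5's code: a toy XDR (RFC 4506) decoder for a
# principal record whose n_key_data and key_data array length travel separately.
MAX_KEY_DATA = 1024  # assumption: sane upper bound on keys per principal

class XdrError(ValueError):
    pass

class XdrDecoder:
    """Big-endian 4-byte ints and counted arrays, with bounds on every read."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def int32(self):
        if self.pos + 4 > len(self.data):
            raise XdrError("truncated int32")
        (v,) = struct.unpack_from(">i", self.data, self.pos)
        self.pos += 4
        return v

    def array(self, max_items, decode_item):
        """A counted array: length word, then that many items."""
        n = self.int32()
        if n < 0 or n > max_items:
            raise XdrError(f"array count {n} out of range")
        return [decode_item(self) for _ in range(n)]

def decode_key_data(d):
    """Toy key_data element: (ver, kvno, enctype) as three int32 words."""
    return (d.int32(), d.int32(), d.int32())

def decode_principal_ent(data):
    """Toy principal_ent_rec: n_key_data int32, then key_data as a counted array.
    A mismatch between the two counts is rejected before any element is used;
    this is the relationship the vulnerable decoder did not check."""
    d = XdrDecoder(data)
    n_key_data = d.int32()
    if n_key_data < 0 or n_key_data > MAX_KEY_DATA:
        raise XdrError(f"n_key_data {n_key_data} out of range")
    key_data = d.array(MAX_KEY_DATA, decode_key_data)
    if len(key_data) != n_key_data:
        raise XdrError(f"n_key_data={n_key_data} but key_data has {len(key_data)} entries")
    return {"n_key_data": n_key_data, "key_data": key_data}

def encode_principal_ent(n_key_data, key_data):
    """Encoder used to build sample input; mismatched counts can be produced on purpose."""
    words = [n_key_data, len(key_data)] + [w for kd in key_data for w in kd]
    return struct.pack(">%di" % len(words), *words)
```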

About CVE-2023-33170 – allowing an attacker to try more passwords in dotNET application (updating 7th Aug 2023)

Preface: .NET 5 and .NET 6 are supported on multiple operating systems, including Windows, Linux, Android, iOS/tvOS, and macOS. The only difference is that .NET 6 is further supported on Windows Arm64 and macOS Apple Silicon while .

Background: ASP.NET Core 6 is built on top of the .NET Core runtime and allows you to build and run applications on Windows, Linux, and macOS. ASP.NET Core 6 combines the features of Web API and MVC.

On Red Hat Enterprise Linux (RHEL) 8 and later, .NET 6 is available for the IBM Z and LinuxONE (s390x) architectures, along with AMD and Intel (x86_64) and ARM (aarch64). IBM Z and LinuxONE are fully enabled throughout all .NET Core components, with the Mono runtime available (currently no CoreCLR support).

Vulnerability details: A vulnerability was found in dotNET applications where account lockout maximum failed attempts may not be immediately updated, allowing an attacker to try more passwords and bypass security restrictions. This flaw allows a remote attacker to bypass security features, causing an impact on confidentiality, integrity, and availability.

CVE-2023-33170 – Security Feature Bypass – Race Condition in ASP.NET Core SignInManager PasswordSignInAsync Method.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-33170