Pexip security bulletins
The following security bulletins are published by Pexip for issues affecting Pexip Infinity, the Pexip Connect apps, and the VMR self-service portal.
Please contact your Pexip authorized support representative for more information about these issues. This list covers issues addressed in v31.0 and later. For issues addressed in v30.x or earlier, see our documentation for previous releases.
More information specific to each vulnerability is available from the NIST National Vulnerability Database: http://nvd.nist.gov/.
Pexip Infinity
Each bulletin addresses a number of vulnerabilities in the operating system software used by Pexip Infinity. The bulletins include an assessment of the issues, the impact to the Pexip Infinity platform, and resolution details.
In the table below, "Severity" reflects the severity of the issue as calculated from the CVSS Base Score. "Risk" reflects the risk associated with each vulnerability in the context of the Pexip Infinity product environment.
Reference | Description | Severity | Risk | Updated | Impacted versions | Addressed in version |
---|---|---|---|---|---|---|
Multiple | Resolved minor issues: CVE-2020-36516, CVE-2021-32292, CVE-2022-20572, CVE-2022-3107, CVE-2022-3435, CVE-2022-3524, CVE-2022-3543, CVE-2022-3623, CVE-2022-3707, CVE-2022-4378, CVE-2022-48554, CVE-2023-0179, CVE-2023-0386, CVE-2023-0458, CVE-2023-0459, CVE-2023-0461, CVE-2023-0465, CVE-2023-0466, CVE-2023-0590, CVE-2023-1095, CVE-2023-1206, CVE-2023-1249, CVE-2023-1252, CVE-2023-1255, CVE-2023-1998, CVE-2023-20588, CVE-2023-20900, CVE-2023-22998, CVE-2023-23006, CVE-2023-23931, CVE-2023-2650, CVE-2023-2975, CVE-2023-31130, CVE-2023-31248, CVE-2023-3138, CVE-2023-32233, CVE-2023-3390, CVE-2023-3446, CVE-2023-36053, CVE-2023-3609, CVE-2023-3610, CVE-2023-3611, CVE-2023-3772, CVE-2023-3773, CVE-2023-3776, CVE-2023-38039, CVE-2023-3817, CVE-2023-38633, CVE-2023-39318, CVE-2023-39319, CVE-2023-4004, CVE-2023-40217, CVE-2023-4128, CVE-2023-4147, CVE-2023-4569, CVE-2023-4622, CVE-2023-4911 | | | October 2023 | | v33.0 |
CVE-2023-29331 | A vulnerability exists in .NET when processing malicious X.509 client certificates that may consume excessive CPU and lead to a denial of service. CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Mitigation: None. Resolution: Upgrade to Pexip Infinity 32.1. | High | High | July 2023 | 27.0 - 32.0 | 32.1 |
CVE-2023-37225 | Cross-site scripting vulnerability in legacy webapp ("Webapp1") when using preconfigured links. CVSS 3.1 base score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Discussion: An attacker may achieve cross-site scripting by convincing a user to activate a crafted preconfigured link using the legacy Infinity Connect web app ("Webapp1"). Mitigation: Resolution: Upgrade to Pexip Infinity 32.0. For deployments running Infinity v30.x and v31.x, contact your authorized Pexip support representative for a software bundle fix. Credit: This issue was responsibly disclosed by https://github.com/40826d. | High | High | July 2023 | 5 through 31.3 | 32.0 |
Multiple | Resolved minor issues: CVE-2022-3515, CVE-2022-3736, CVE-2022-3924, CVE-2022-4203, CVE-2022-4304, CVE-2022-32221, CVE-2022-38725, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-1255, CVE-2023-2650, CVE-2023-23916, CVE-2023-26463, CVE-2023-27537, CVE-2023-28484, CVE-2023-29469 | | | June 2023 | | 32.0 |
CVE-2023-31455 | Insufficient input validation in the RTCP implementation allows a remote attacker to trigger a software abort resulting in a denial of service. CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Discussion: A crafted RTCP payload allows a remote attacker to trigger a software abort resulting in a denial of service. Mitigation: None. Resolution: Upgrade to Pexip Infinity 31.2. | High | High | June 2023 | All before 31.2 | 31.2 |
CVE-2023-31289 | Insufficient input validation in the signalling implementation(s) allows a malicious attacker to trigger a software abort resulting in a denial of service. CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Mitigation: None. Resolution: Upgrade to v31.2. | High | High | May 2023 | 1 through 31.1 | 31.2 |
CVE-2023-22809 | The sudoedit command mishandles extra arguments, allowing a local attacker to append arbitrary entries to the list of files to process, leading to privilege escalation. CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Mitigation: The sole non-system user account ("admin") is explicitly given privileges to allow escalation via sudo. Therefore, this vulnerability is only relevant as a mechanism to potentially escalate privileges after exploiting some other vulnerability to gain access to the system as an unprivileged user. Resolution: Upgrade to Pexip Infinity v31.1. | High | Medium | March 2023 | All before 31.0 | 31.1 |
CVE-2023-0286 | A type confusion vulnerability in the OpenSSL cryptography library allows an attacker to read memory contents or cause a software abort when CRL checking is enabled. CVSS 3.1 base score: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H). Mitigation: No software shipped as part of Pexip Infinity is configured to use CRLs (as Infinity uses OCSP instead), therefore this vulnerability is only relevant if unsupported configuration or software changes have been made. Resolution: Upgrade to Pexip Infinity v31.1. | High | None | March 2023 | All before 31.0 | 31.1 |
CVE-2023-0215 | Resource mismanagement in the OpenSSL cryptography library allows an attacker to trigger a use after free when processing ASN.1 data leading to a software abort. CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Mitigation: None. Resolution: Upgrade to Pexip Infinity v31.1. | High | None | March 2023 | All before 31.0 | 31.1 |
CVE-2022-40617 | The strongSwan IPsec implementation allows remote attackers to cause a denial of service. CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Mitigation: strongSwan is configured to only permit tunnel establishment by other nodes in the deployment. Further, ISAKMP traffic is restricted by the firewall such that traffic from source addresses outside the deployment is rejected. Resolution: Upgrade to Pexip Infinity v31.1. | High | Medium | March 2023 | All before 31.0 | 31.1 |
CVE-2022-40304 | An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Mitigation: None. Resolution: Upgrade to Pexip Infinity v31.1. | High | Medium | March 2023 | All before 31.0 | 31.1 |
CVE-2022-40303 | An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Mitigation: Components using this library enforce payload size limits before passing input data into libxml2. These size limits are significantly below that needed to be able to exploit this issue. Resolution: Upgrade to Pexip Infinity v31.1. | High | None | March 2023 | All before 31.0 | 31.1 |
CVE-2022-2068 | The c_rehash script does not properly sanitise shell metacharacters to prevent command injection, potentially allowing an attacker to execute arbitrary commands with the privileges of the script. CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Mitigation: The c_rehash script is used during system upgrade when updating the built-in Certificate Authorities. The updated Certificate Authorities and script usage are part of the upgrade archive which is signed using keys known only to Pexip and thus ensures that the input data is trusted. Resolution: Upgrade to Pexip Infinity v31.1. | Critical | None | March 2023 | All before 31.0 | 31.1 |
CVE-2022-1941 | A parsing vulnerability for the MessageSet type in the ProtocolBuffers implementation allows an attacker to cause a software abort. CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Mitigation: ProtocolBuffers are used when communicating with Google Meet. Other service types are not affected. Resolution: Upgrade to Pexip Infinity v31.1. | High | Low | March 2023 | 19.0-31.0 | 31.1 |
CVE-2022-1587 | An out-of-bounds read vulnerability in the PCRE2 library allows an attacker to cause a software abort. CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Mitigation: None. Resolution: Upgrade to Pexip Infinity v31.1. | High | Medium | March 2023 | All before 31.0 | 31.1 |
CVE-2022-1586 | An out-of-bounds read vulnerability in the PCRE2 library allows an attacker to cause a software abort. CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Mitigation: None. Resolution: Upgrade to Pexip Infinity v31.1. | High | Medium | March 2023 | All before 31.0 | 31.1 |
CVE-2022-1292 | The c_rehash script does not properly sanitise shell metacharacters to prevent command injection, potentially allowing an attacker to execute arbitrary commands with the privileges of the script. CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Mitigation: The c_rehash script is used during system upgrade when updating the built-in Certificate Authorities. The updated Certificate Authorities and script usage are part of the upgrade archive which is signed using keys known only to Pexip and thus ensures that the input data is trusted. Resolution: Upgrade to Pexip Infinity v31.1. | Critical | None | March 2023 | All before 31.0 | 31.1 |
Multiple | Resolved minor issues: CVE-2022-43680, CVE-2022-43638, CVE-2022-42898, CVE-2022-42703, CVE-2022-42010, CVE-2022-41323, CVE-2022-40476, CVE-2022-39190, CVE-2022-39188, CVE-2022-38178, CVE-2022-38177, CVE-2022-36946, CVE-2022-36879, CVE-2022-36359, CVE-2022-35252, CVE-2022-34495, CVE-2022-34494, CVE-2022-32296, CVE-2022-32206, CVE-2022-32205, CVE-2022-32148, CVE-2022-28347, CVE-2022-28346, CVE-2022-27776, CVE-2022-27774, CVE-2022-26373, CVE-2022-22576, CVE-2022-20368, CVE-2022-4304, CVE-2022-3775, CVE-2022-3629, CVE-2022-3625, CVE-2022-3586, CVE-2022-3515, CVE-2022-3080, CVE-2022-3028, CVE-2022-2959, CVE-2022-2938, CVE-2022-2929, CVE-2022-2928, CVE-2022-2905, CVE-2022-2795, CVE-2022-2602, CVE-2022-2601, CVE-2022-2588, CVE-2022-2586, CVE-2022-2585, CVE-2022-1962, CVE-2022-1705, CVE-2022-1508, CVE-2022-1184, CVE-2021-46829, CVE-2021-46828, CVE-2021-33655, CVE-2021-29648, CVE-2021-26401, CVE-2021-4150, CVE-2021-4023, CVE-2021-3759, CVE-2021-3669 | | | March 2023 | | 31.1 |
Connect app
Each bulletin addresses a number of vulnerabilities in the software used by the Connect apps. The bulletins include an assessment of the issues, the impact on the Connect app, and resolution details.
VMR self-service portal
Each bulletin addresses a number of vulnerabilities in the software used by the VMR self-service portal. The bulletins include an assessment of the issues, the impact on the VMR portal, and resolution details.