Pexip security bulletins
The following security bulletins are published by Pexip for issues affecting our own products — Pexip Infinity, the Pexip Connect apps, the VMR self-service portal, and Enhanced Room Management. There are currently no security bulletins for any other Pexip products, including the Reverse Proxy and TURN Server, Pexip Justice, or AIMS.
For information about external issues arising in third-party software and operating systems that may impact these Pexip products, see https://www.pexip.com/trust-center. Where relevant, updates will be incorporated into each Pexip product, so we recommend that you frequently check for and always run the latest versions of each product. If you have deployed Pexip's VMR self-service portal, Reverse Proxy and TURN Server, Pexip Justice or AIMS products, you should also ensure that the appliance's operating system is regularly patched against the latest security bugs.
More information about each vulnerability can be found in the NIST National Vulnerability Database: http://nvd.nist.gov/.
Pexip Infinity
This list covers issues addressed in Pexip Infinity v33.0 and later. For issues addressed in v32.x or earlier, see our documentation for previous releases.
Each bulletin addresses one or more vulnerabilities in Pexip Infinity itself or in the operating system software it uses. The bulletins include an assessment of the issues, the impact on the Pexip Infinity platform, and resolution details.
In the table below, "Severity" is the qualitative rating derived from the CVSS v3.1 base score given in each description. "Risk" is Pexip's assessment of the same vulnerability in the context of the Pexip Infinity product environment, and so may differ from the generic severity.
| Reference | Description | Severity | Risk | Updated | Impacted versions | Addressed in version |
|---|---|---|---|---|---|---|
| CVE-2024-37917 | Insufficient input validation in the signalling implementation(s) allows a remote attacker to trigger a software abort resulting in a denial of service. CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Discussion: A crafted signalling message allows a remote attacker to trigger a software abort. Mitigation: None. Resolution: Upgrade to Pexip Infinity v35.0. | High | High | July 2024 | All before 35.0 | 35.0 |
| Multiple | Resolved minor issues: CVE-2021-22959, CVE-2021-22960, CVE-2021-44532, CVE-2021-44533, CVE-2022-0597, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-3523, CVE-2022-35256, CVE-2022-3567, CVE-2023-1637, CVE-2023-30588, CVE-2023-3161, CVE-2023-39326, CVE-2023-4459, CVE-2023-48795, CVE-2023-52435, CVE-2023-52458, CVE-2024-0450, CVE-2024-27086, CVE-2024-28102, CVE-2024-28219, CVE-2024-29992, CVE-2024-35255, CVE-2023-50387, CVE-2023-50868, CVE-2024-34397, CVE-2024-2961, CVE-2022-4864, CVE-2024-32487, CVE-2024-24806, CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, CVE-2023-28405, CVE-2023-6597, CVE-2024-28085, CVE-2022-3566, CVE-2023-3640, CVE-2023-4387, CVE-2023-52452, CVE-2023-52476, CVE-2023-52492, CVE-2023-52498, CVE-2024-26589 | | | July 2024 | | 35.0 |
| CVE-2024-6387 | A race condition was found in OpenSSH's server. If a client does not authenticate within 120 seconds, sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code with root privileges. CVSS3.1 base score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Discussion: Exploitation requires an attacker to sustain a large number of connection attempts for a long time (in the original report, which documents an attack on a 32-bit architecture, up to 8 hours of attempts were required for a successful exploit). Pexip Infinity runs on a 64-bit architecture, where the attack is believed to be possible but would have to be sustained for several days before success. From version 27, Pexip Infinity further limits connection attempts to a rate lower than that used in the documented attack. This will not prevent a successful attack, but it slows an attacker down and so increases the likelihood of detection, since the attack would have to be sustained for longer before success. Mitigation: Ensure SSH access to Infinity nodes is restricted to trusted networks and/or disable SSH using the Management Web Interface. Resolution: Upgrade to Pexip Infinity v34.2 or later. | High | High | July 2024 | 26 ‑ 34.1 | 34.2 |
| CVE-2024-33850 | Incomplete access control checks for participants in the waiting room of a locked conference expose conference information and may allow these participants to perform actions on the conference. CVSS3.1 base score: 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L). Discussion: When a conference is locked, participants attempting to join are authenticated according to the configured conference access policy and then placed into a waiting room until explicitly admitted by an existing conference host. Participants in the waiting room can obtain the conference roster list and perform actions on the conference according to the role they would hold after being admitted to the meeting. Mitigation: There is no mitigation that prevents exposure of the conference roster list to waiting room participants. Minimise the actions available to a waiting room participant by ensuring that locked conferences have a Host PIN configured (or require strong authentication using Identity Providers) so that waiting room participants only hold Guest permissions. Resolution: Upgrade to Pexip Infinity v34.1 or later. | High | High | | 4 ‑ 34.0 | 34.1 |
| CVE-2023-34058 | VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted Guest Operation Privileges CVSS3.1 base score: 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Discussion: Exploitation requires that a VMware administrator has issued SAML SSO credentials to a user for performing VM Guest Operations and has also assigned one or more Guest Aliases to the Infinity virtual machines. Mitigation: Pexip neither recommends nor supports the assignment of Guest Aliases to Infinity virtual machines. Ensure that no Guest Aliases have been inadvertently assigned to Infinity virtual machines (see the vSphere AliasManager API: https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html). Resolution: Upgrade to Pexip Infinity v34.0 or later. | High | High | March 2024 | All before 34.0 | 34.0 |
| Multiple | Resolved minor issues: CVE-2016-10744, CVE-2023-4911, CVE-2023-44487, CVE-2023-45284, CVE-2023-46218, CVE-2023-46219, CVE-2023-5363, CVE-2023-5678, CVE-2023-6237, CVE-2023-6780, CVE-2024-0727 | | | March 2024 | | 34.0 |
| Multiple | Resolved minor issues: CVE-2020-36516, CVE-2021-32292, CVE-2022-20572, CVE-2022-3107, CVE-2022-3435, CVE-2022-3524, CVE-2022-3543, CVE-2022-3623, CVE-2022-3707, CVE-2022-4378, CVE-2022-48554, CVE-2023-0179, CVE-2023-0386, CVE-2023-0458, CVE-2023-0459, CVE-2023-0461, CVE-2023-0465, CVE-2023-0466, CVE-2023-0590, CVE-2023-1095, CVE-2023-1206, CVE-2023-1249, CVE-2023-1252, CVE-2023-1255, CVE-2023-1998, CVE-2023-20588, CVE-2023-20900, CVE-2023-22998, CVE-2023-23006, CVE-2023-23931, CVE-2023-2650, CVE-2023-2975, CVE-2023-31130, CVE-2023-31248, CVE-2023-3138, CVE-2023-32233, CVE-2023-3390, CVE-2023-3446, CVE-2023-36053, CVE-2023-3609, CVE-2023-3610, CVE-2023-3611, CVE-2023-3772, CVE-2023-3773, CVE-2023-3776, CVE-2023-38039, CVE-2023-3817, CVE-2023-38633, CVE-2023-39318, CVE-2023-39319, CVE-2023-4004, CVE-2023-40217, CVE-2023-4128, CVE-2023-4147, CVE-2023-4569, CVE-2023-4622, CVE-2023-4911 | | | October 2023 | | 33.0 |
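As an added example (not Pexip's own tooling), the following Python turns the "Impacted versions" cells of the Pexip Infinity table above into a triage check: given a deployed Infinity version it lists the bulletins still open against that version and the lowest release that closes all of them. The rows are copied from the table; the version rules (a bare "26" meaning 26.0, ranges inclusive at both ends, only major.minor compared) are this example's assumptions, and the "Multiple" rows are left out because they state no impacted range.

```python
import re

# Rows copied from the Pexip Infinity bulletin table on this page: (reference, impacted versions, fixed in).
# The "Multiple / resolved minor issues" rows state no impacted range and are deliberately omitted.
BULLETINS = [
    ("CVE-2024-37917", "All before 35.0", "35.0"),
    ("CVE-2024-6387", "26 \u2011 34.1", "34.2"),
    ("CVE-2024-33850", "4 \u2011 34.0", "34.1"),
    ("CVE-2023-34058", "All before 34.0", "34.0"),
]

_RANGE = re.compile(r"^(\d+(?:\.\d+)?)\s*-\s*(\d+(?:\.\d+)?)$")
_BEFORE = re.compile(r"^all before (\d+(?:\.\d+)?)$", re.IGNORECASE)


def parse_version(text):
    """'34.1' -> (34, 1). Assumption: a bare '26' means 26.0 and only major.minor is compared."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("not a Pexip Infinity version: %r" % text)
    numbers = [int(p) for p in parts] + [0]
    return (numbers[0], numbers[1])


def is_impacted(deployed, spec):
    """True if a deployed version falls inside an 'Impacted versions' cell from the table."""
    # The table uses U+2011 (non-breaking hyphen); tolerate an en dash too, normalise both to '-'.
    spec = spec.replace("\u2011", "-").replace("\u2013", "-").strip()
    d = parse_version(deployed)
    m = _BEFORE.match(spec)
    if m:
        return d < parse_version(m.group(1))
    m = _RANGE.match(spec)
    if m:
        # Assumption: both ends of "lo - hi" are inclusive, matching "26 - 34.1 / fixed in 34.2".
        return parse_version(m.group(1)) <= d <= parse_version(m.group(2))
    raise ValueError("unrecognised impacted-versions cell: %r" % spec)


def open_bulletins(deployed):
    """(reference, fixed-in) for every bulletin whose impacted range covers the deployed version."""
    return [(ref, fixed) for ref, spec, fixed in BULLETINS if is_impacted(deployed, spec)]


def minimum_safe_version(deployed):
    """Lowest release that closes every open bulletin for this deployment, or None if nothing is open."""
    fixes = [parse_version(fixed) for _, fixed in open_bulletins(deployed)]
    if not fixes:
        return None
    return "%d.%d" % max(fixes)


if __name__ == "__main__":
    for v in ("25.4", "34.0", "34.1", "34.2", "35.0"):
        print(v, open_bulletins(v), "-> upgrade to", minimum_safe_version(v))
```

Running it shows why "latest version" is the only durable answer on this page: a node on 34.1 is clear of CVE-2024-33850 and CVE-2023-34058 but still open against CVE-2024-6387 and CVE-2024-37917, so the target is 35.0, not 34.2. An unrecognised cell raises rather than silently returning "not impacted", and the "Multiple" rows carry no range at all, so they still have to be read by hand.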
Connect apps
Each bulletin addresses a number of vulnerabilities in the software used by the Connect apps. The bulletins include an assessment of the issues, the impact on the Connect app, and resolution details.
VMR self-service portal
Each bulletin addresses a number of vulnerabilities in the software used by the VMR self-service portal. The bulletins include an assessment of the issues, the impact on the VMR portal, and resolution details.
Enhanced Room Management
Each bulletin addresses a number of vulnerabilities in the software used by Enhanced Room Management (ERM). The bulletins include an assessment of the issues, the impact on ERM, and resolution details.