September 2023 Security Advisories
Here's a list of the security advisories for 2023.
Authenticated RCE due to unsafe JSON deserialization
Unsafe deserialization of untrusted JSON allows execution of arbitrary code on affected releases of the Illumio PCE. Authentication to the API is required to exploit this vulnerability. The flaw exists within the network_traffic API endpoint. An attacker can leverage this vulnerability to execute code in the context of the PCE’s operating system user.
Severity
Critical: CVSS score is 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products and Patch Information
Security vulnerabilities addressed by this Security Alert affect the products listed below.
| Affected Products | Affected Versions | Fixed Version |
|---|---|---|
| Illumio Core PCE | <= 19.3.6 | >= 19.3.7 |
| Illumio Core PCE | <= 21.2.7 | >= 21.2.8 |
| Illumio Core PCE | <= 21.5.35 | >= 21.5.36 |
| Illumio Core PCE | <= 22.2.41 | >= 22.2.42 |
| Illumio Core PCE | <= 22.5.30 | >= 22.5.31 |
| Illumio Core PCE | <= 23.2.10 | >= 23.2.11 |
Resolution
Upgrade to the latest release for a given major version.
Skipped Critical Patch Updates
Illumio strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.
Discovered By
External Security Firm
Frequently Asked Questions
What software components are affected?
Only the Illumio PCE is impacted by this vulnerability.
What products did this affect?
This vulnerability impacts the PCE, including Core on-premises deployments, Core SaaS, Endpoint, MSP, and Edge.
Is Core SaaS affected?
SaaS PCE clusters were impacted. Those environments have been patched.
I’m using Cloud. Am I impacted?
The Cloud platform is not affected.
How can I tell if this vulnerability was used against my on-premises PCE?
Illumio is creating queries that can be used by customers to detect known vectors for exploitation of this vulnerability. Please contact Illumio Support or your account team for assistance. If you suspect this vulnerability was used within your environment, please reach out to Illumio Support.
Has Illumio investigated if this vulnerability was used on any SaaS PCEs?
Illumio is currently investigating all available data from the production SaaS environment and has so far found no indications that the issue has been exploited.
I can’t apply the patch immediately. How can I mitigate the issue in the meantime?
This vulnerability requires SAML to be enabled on the customer's PCE in order to be exploited. Customers who cannot patch their PCEs immediately, and who wish to mitigate this issue, can choose to disable SAML authentication on the PCE.
Reference: For details, see the topic Authentication in the PCE Administration Guide.
Additionally, customers can enable IP restrictions to limit access to only trusted source IPs (for example, for privileged accounts). For details, see the topic Configure Access Restrictions and Trusted Proxy IPs in the PCE Administration Guide.
How long will the upgrade take?
The fix will be provided in a normal code release, so applying it takes the same amount of time as any PCE upgrade.
Were any Illumio customers impacted by this vulnerability?
Illumio is not aware of any exploitation of this vulnerability on any customer environments.