Kibana Safety Launch | Traefik Vulnerability

On this week’s digest, we’ll focus on:

  • a Kibana safety launch;
  • a vulnerability in Traefik managing TLS connections; and
  • a weak randomness in Webcrypto Keygen on NodeJS

Kibana Safety Launch

Sort Confusion: This system allocates or initializes a useful resource corresponding to a pointer, object, or variable utilizing one kind, however it later accesses that useful resource utilizing a sort that’s incompatible with the unique kind. – MITRE definition

CVSSv3.1: NIST – 8.8 (Excessive) | CVE ID: CVE-2022-1364

7.17.8, 8.5.0 Safety Replace: A sort confusion vulnerability was found within the headless Chromium browser that Kibana depends on for its reporting capabilities. This problem impacts solely on-premises Kibana cases on host working techniques the place the Chromium sandbox is disabled (solely CentOS, Debian). This problem doesn’t have an effect on Elastic Cloud, because the Chromium sandbox is enabled by default and can’t be disabled. This problem additionally doesn’t have an effect on Elastic Cloud Enterprise.

Kibana Security Release Mitigation Chart

Vulnerability in Traefik Managing TLS Connections


  • NIST – 6.6 (Medium)
  • CNA (Github) – 8.1 (Excessive)

CVE ID: CVE-2022-46153

Traefik is a contemporary HTTP reverse proxy and cargo balancer. It integrates together with your present infrastructure parts (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS) and configures itself routinely and dynamically. 

In affected variations, there’s a potential vulnerability in Traefik managing TLS connections. A router configured with a not well-formatted TLSOption is uncovered with an empty TLSOption. For example, a route secured utilizing an mTLS connection set with a fallacious CA file is uncovered with out verifying the shopper certificates. Customers are suggested to improve to model 2.9.6. 


Customers unable to improve ought to examine their logs to detect the next error messages and repair the TLS choices instantly:

Empty CA:

{"stage":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"[email protected]"}

Dangerous CA content material (or unhealthy path):

{"stage":"error","msg":"invalid certificates(s) content material","routerName":"[email protected]"}

Unknown Consumer Auth Sort:

{"stage":"error","msg":"unknown shopper auth kind "FooClientAuthType"","routerName":"[email protected]"}

Invalid cipherSuites: 

{"stage":"error","msg":"invalid CipherSuite: foobar","routerName":"[email protected]"}

Invalid curvePreferences:

{"stage":"error","msg":"invalid CurveID in curvePreferences: foobar","routerName":"[email protected]"}

Weak Randomness in Webcrypto Keygen on NodeJS

CWE-338: Use of Cryptographically Weak Pseudo-Random Quantity Generator (PRNG). The product makes use of a Pseudo-Random Quantity Generator (PRNG) in a safety context, however the PRNG’s algorithm isn’t cryptographically sturdy.

CVSSv3.1: NIST – 9.1 (Important) | CVE ID: CVE-2022-35255

A vulnerability launched in NodeJS v15.0.0 was found by a contributor on HackerOne by which launched a name to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/ There are two issues with this:

  1. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). Nevertheless, it doesn’t examine the return worth and assumes the EntropySource() all the time succeeds, however it might probably and generally will fail.
  2. The random information returned byEntropySource() is probably not cryptographically sturdy and due to this fact not appropriate as keying materials.

General, this flaw permits a distant attacker to decrypt delicate data.


Related Articles


Please enter your comment!
Please enter your name here

Latest Articles