The fuzzy tale of an x/crypto vulnerability: The fuzzy tale of an x/crypto vulnerability Michael McLoughlin Gophercon 2019 Lightning Talks Uber Advanced Technologies Group … 8,140 lines of amd64 assembly in crypto … 10,474 lines of amd64 assembly | 0 credits | 74 pages | 2.99 MB | 1 year ago
CNCF Harbor Webinar 2020: signing and validation − Identity integration and role-based access control − Security and vulnerability analysis − Image replication between instances − Internationalization (currently English and … Architecture API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components SQL Database Key/Value … Image is pulled using digest • Perform vulnerability scanning – Prevent images with vulnerabilities from being pulled – Regular scanning based on updated vulnerability database … Content trust for image | 0 credits | 39 pages | 2.39 MB | 1 year ago
Ops Shanghai 2017 - Using the Harbor open source enterprise Registry for efficient and secure image operations - Zhang Haining: – RBAC: admin, developer, guest – AD/LDAP integration • Policy based image replication • Vulnerability Scanning • Notary • Web UI • Audit and logs • Restful API for integration • Lightweight and … Replication Job Services Notary client Remote Harbor Instance Notary Registry V2 Vulnerability Scanning Admin Service Harbor users and partners (selected) … Image replication (synchronization) … Image is pulled using digest • Perform vulnerability scanning – Prevent images with vulnerabilities from being pulled – Regular scanning based on updated vulnerability database … Content trust for image | 0 credits | 41 pages | 4.94 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0: summarised 6 fuzzers written and added to Istio's OSS-Fuzz integration 1 CVE found in Golang 1 vulnerability found that affected Google's managed Istio offering 11 issues found ● 5 system resource exhaustion … affected Google's managed Istio offering, and it led to further investigation that revealed a vulnerability in Golang itself. The finding was reported by the auditing team to the Istio maintainers, because … connection, which could lead to a denial of service scenario if a large request was sent. This is a vulnerability, however, to be vulnerable, users would need the MultiplexHTTP option configured - used by some | 0 credits | 55 pages | 703.94 KB | 1 year ago
Dapr september 2023 security audit report: the same Dapr building blocks. None of the issues were of critical or high severity. We found a vulnerability in a 3rd-party dependency which was assigned a CVE1 of high severity, however it did not impact … is not enabled by default. The vulnerability had the potential to crash a Dapr sidecar with an out-of-memory denial of service attack vector. We found the vulnerability after performing the threat modelling … example, if Dapr sends a request to a NodeJS application that triggers a remote code execution vulnerability in the NodeJS application3, this is entirely the responsibility | 0 credits | 47 pages | 1.05 MB | 1 year ago
openEuler OS Technical Whitepaper Innovation Projects (June, 2023): Technical White Paper Innovation Projects CVE Manager Infrastructure SIG | Security Committee Vulnerability management integrates processes, tools, and mechanisms of the openEuler community to detect, collect … The vulnerability response process is available across the openEuler LTS and its branch versions. See the following flowchart. Vulnerability Handling Process Disclosure scope SC Vulnerability status vulnerabilities Patch development Patch test Restricted disclosure Release patch Release SA Describe vulnerability impact Apply for CVE Obtain CVE The openEuler SC encourages users to report the potential | 0 credits | 116 pages | 3.16 MB | 1 year ago
2021 China Open Source Annual Report: Duan Xihua: I wonder if the log4j vulnerability in late 2021 will make companies more conservative and cautious in buying open source products. Open source security still has a long way to go. … of the top 10 seats. 2.8 Open Source Security and Compliance 2.8.1 CVE Vulnerability Risks Gitee used Prism Seven Colors (棱镜七彩) FossEye static scanning on 15,000 representative, high-quality recommended open source project repositories on the Gitee platform; the results show that more than 93% carry no CVE vulnerability risk. … Of the projects with CVE vulnerabilities, 18.51% have one CVE vulnerability, and 2.58% have more than 10 CVE vulnerabilities. 2.8.3 Open Source Compliance | 0 credits | 199 pages | 9.63 MB | 1 year ago
Embracing an Adversarial Mindset for Cpp Security: MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY … 1. Adversarial Scenarios 2. Vulnerability Trends 3. Exploits in the Wild 4. Strategies for Secure C++ Development … WHOAMI 0x401006 Microsoft 0x40E04C Twitter # @malwareunicorn COMMUNITY 0x402023 JNE SIDE ACTIVITIES … Day in the Life: Vulnerability Research ● Looking at code 75% ● Instrumenting fuzzing harnesses 5% ● Making POC when needed … group CVE-2021-28310 CVE-2021-1732 • Used for privilege escalation • Out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe) • Attacker grooms the heap | 0 credits | 92 pages | 3.67 MB | 6 months ago
Jupyter Notebook 6.5.1 Documentation: Documentation, Release 6.5.1 5.22 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.23 6.1.4 • Fix broken links to … McDonald • Tres DuBiel 5.29 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue … previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a | 0 credits | 191 pages | 1.88 MB | 1 year ago
Jupyter Notebook 6.5.0 Documentation: @kevin-bates • @virejdasani 5.21 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.22 6.1.4 • Fix broken links to … McDonald • Tres DuBiel 5.28 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue … previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a | 0 credits | 189 pages | 1.88 MB | 1 year ago
666 results in total