The fuzzy tale of an x/crypto vulnerability
The fuzzy tale of an x/crypto vulnerability Michael McLoughlin Gophercon 2019 Lightning Talks Uber Advanced Technologies Group 8,140 lines of amd64 assembly in crypto 10,474 lines of amd64 assembly
0 points | 74 pages | 2.99 MB | 1 year ago

CNCF Harbor Webinar 2020
signing and validation − Identity integration and role-based access control − Security and vulnerability analysis − Image replication between instances − Internationalization (currently English and Architecture 13 13 API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components SQL Database Key/Value Image is pulled using digest • Perform vulnerability scanning – Prevent images with vulnerabilities from being pulled – Regular scanning based on updated vulnerability database 23 Content trust for image
0 points | 39 pages | 2.39 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
summarised 6 fuzzers written and added to Istio's OSS-Fuzz integration 1 CVE found in Golang 1 vulnerability found that affected Google's managed Istio offering 11 issues found ● 5 system resource exhaustion affected Google's managed Istio offering, and it led to further investigation that revealed a vulnerability in Golang itself. The finding was reported by the auditing team to the Istio maintainers, because connection, which could lead to a denial of service scenario if a large request was sent. This is a vulnerability, however, to be vulnerable, users would need the MultiplexHTTP option configured - used by some
0 points | 55 pages | 703.94 KB | 1 year ago

Dapr september 2023 security audit report
the same Dapr building blocks. None of the issues were of critical or high severity. We found a vulnerability in a 3rd-party dependency which was assigned a CVE1 of high severity, however it did not impact is not enabled by default. The vulnerability had the potential to crash a Dapr sidecar with an out-of-memory denial of service attack vector. We found the vulnerability after performing the threat modelling example, if Dapr sends a request to a NodeJS application that triggers a remote code execution vulnerability in the NodeJS 10 Dapr security audit 2023 application3, this is entirely the responsibility
0 points | 47 pages | 1.05 MB | 1 year ago

openEuler OS Technical Whitepaper Innovation Projects (June, 2023)
Technical White Paper Innovation Projects CVE Manager Infrastructure SIG | Security Committee Vulnerability management integrates processes, tools, and mechanisms of the openEuler community to detect, collect The vulnerability response process is available across the openEuler LTS and its branch versions. See the following flowchart. Vulnerability Handling Process Disclosure scope SC Vulnerability status vulnerabilities Patch development Patch test Restricted disclosure Release patch Release SA Describe vulnerability impact Apply for CVE Obtain CVE The openEuler SC encourages users to report the potential
0 points | 116 pages | 3.16 MB | 1 year ago

Embracing an Adversarial Mindset for Cpp Security
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY 1. Adversarial Scenarios 2. Vulnerability Trends 3. Exploits in the Wild 4. Strategies for Secure C++ Development WHOAMI 0x401006 Microsoft 0x40E04C Twitter # @malwareunicorn COMMUNITY 0x402023 JNE SIDE ACTIVITIES Day in the Life: Vulnerability Research ● Looking at code 75% ● Instrumenting fuzzing harnesses 5% ● Making POC when needed group CVE-2021-28310 CVE-2021-1732 • Used for privilege escalation • Out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe) • Attacker grooms the heap
0 points | 92 pages | 3.67 MB | 6 months ago

Jupyter Notebook 6.5.1 Documentation
Documentation, Release 6.5.1 5.22 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.23 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.29 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a
0 points | 191 pages | 1.88 MB | 1 year ago

Jupyter Notebook 6.5.0 Documentation
@kevin-bates • @virejdasani 5.21 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.22 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.28 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a
0 points | 189 pages | 1.88 MB | 1 year ago

Jupyter Notebook 6.4.10 Documentation
@kevin-bates • @virejdasani 5.15 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.16 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.22 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a
0 points | 181 pages | 1.87 MB | 1 year ago

Jupyter Notebook 6.4.11 Documentation
Documentation, Release 6.4.11 5.16 6.1.5 6.1.5 is a security release, fixing one vulnerability: • Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) 5.17 6.1.4 • Fix broken links to McDonald • Tres DuBiel 5.23 6.0.2 • Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358) • Update CodeMirror to version 5.48.4 to fix Python formatting issues • Continue previous minor releases of Jupyter Notebook and also included in version 6.0. • Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a
0 points | 183 pages | 1.88 MB | 1 year ago

617 results in total