diff --git a/docs/.vuepress/config.ts b/docs/.vuepress/config.ts
index 13a41f13d..b28f19c49 100644
--- a/docs/.vuepress/config.ts
+++ b/docs/.vuepress/config.ts
@@ -130,7 +130,6 @@ export default defineUserConfig({
 '/manual/command-line-tools/index.html' : '/rd-cli/index.html',
 '/manual/command-line-tools/rd.html' : '/rd-cli/index.html',
 '/manual/command-line-tools/rd-acl.html' : '/rd-cli/rd-ext-acl.html',
- '/history/cves/' : '/history/CVEs/',
 '/introduction/introduction.html' : '/about/introduction.html',
 '/administration/architecture-and-deployment/system-architecture.html' : '/about/enterprise/index.html',
 '/administration/architecture-and-deployment/aws.html' : '/administration/install/aws.html',
diff --git a/docs/history/cves/cve-2016-1000027.md b/docs/history/cves/cve-2016-1000027.md
index 06d1533db..0690cfeae 100644
--- a/docs/history/cves/cve-2016-1000027.md
+++ b/docs/history/cves/cve-2016-1000027.md
@@ -1,5 +1,5 @@
 ---
-order: 800
+order: 1800
 ---
 
 # CVE-2016-1000027
diff --git a/docs/history/cves/cve-2020-0187.md b/docs/history/cves/cve-2020-0187.md
new file mode 100644
index 000000000..3607aa8f4
--- /dev/null
+++ b/docs/history/cves/cve-2020-0187.md
@@ -0,0 +1,12 @@
+---
+order: 1300
+---
+
+
+# CVE-2020-0187
+
+::: danger FALSE POSITIVE
+ Rundeck and Runbook Automation are not vulnerable to this CVE.
+:::
+
+This finding is only vulnerable on Android 10. It does not apply to Rundeck or Runbook Automation products.
\ No newline at end of file
diff --git a/docs/history/CVEs/cve-2023-39017.md b/docs/history/cves/cve-2023-39017.md
similarity index 98%
rename from docs/history/CVEs/cve-2023-39017.md
rename to docs/history/cves/cve-2023-39017.md
index ac2aae614..5bb968d14 100644
--- a/docs/history/CVEs/cve-2023-39017.md
+++ b/docs/history/cves/cve-2023-39017.md
@@ -1,5 +1,5 @@
 ---
-order: 1300
+order: 350
 ---
 
 # CVE-2023-39017
diff --git a/docs/history/cves/cve-2024-24786.md b/docs/history/cves/cve-2024-24786.md
new file mode 100644
index 000000000..eb3ef58e0
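Review bot: Deleting the `'/history/cves/' : '/history/CVEs/'` entry leaves no redirect in the opposite direction, yet the rename hunks in this same commit move the pages from `docs/history/CVEs/` to `docs/history/cves/`, so any link already published under `/history/CVEs/...` will stop resolving unless the site routes case-insensitively, which nothing in this config shows. Since these are security-notice pages that external scanners and past advisories are likely to reference by URL, the safer change is to reverse the mapping instead of dropping it: `'/history/CVEs/' : '/history/cves/',` — assuming the redirect table honours directory prefixes the way the removed entry implies; confirm against the plugin. The `defineUserConfig` object begins and ends outside the hunk.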
--- /dev/null
+++ b/docs/history/cves/cve-2024-24786.md
@@ -0,0 +1,15 @@
+---
+order: 90
+---
+
+# CVE-2024-24786
+
+## Remco / Google Protobuf vulnerability
+
+::: danger FALSE POSITIVE
+ Rundeck and Runbook Automation are not vulnerable to this CVE.
+:::
+
+The vulnerability exists in all versions of google.golang.org/protobuf before 1.33.0 and it is used by Remco (not used directly by Rundeck). Currently, the Rundeck and Runbook Automation Dockerfile that builds Remco uses a specific commit uses the protobuf version 1.32.0. At the time of this writing there is no update to the Remco build to use the latest the protobuf library.
+
+Protobuf is used by Remco when configured to receive config values from other backends like redis, or secrets from vault. Rundeck and Runbook Automation products do not use those modes as part of Remco, and therefore would not be vulnerable to this finding.
\ No newline at end of file
diff --git a/docs/history/cves/cve-2024-38807.md b/docs/history/cves/cve-2024-38807.md
new file mode 100644
index 000000000..359f3e39d
--- /dev/null
+++ b/docs/history/cves/cve-2024-38807.md
@@ -0,0 +1,17 @@
+---
+order: 80
+---
+
+# CVE-2024-33807
+
+## Spring Boot Loader Vulnerability
+
+::: danger FALSE POSITIVE
+ Rundeck and Runbook Automation are not vulnerable to this CVE.
+:::
+
+The vulnerability exists in Spring Boot Loader 2.7.0 to 2.7.21 and it was fixed on 2.7.22.
+
+Rundeck uses Spring Boot 2.7.18 that is part of the Grails 6.1 version and it would require an update on Grails Framework. This update is currently not scheduled until 2025 sometime.
+
+The vulnerability exists when `custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.` This is not used in Rundeck or Runbook Automation products and they are not vulnerable to this finding.
\ No newline at end of file
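Review bot: The sentence "the Rundeck and Runbook Automation Dockerfile that builds Remco uses a specific commit uses the protobuf version 1.32.0" in the first paragraph of cve-2024-24786.md is garbled and leaves the reader unsure whether the pin is on Remco or on protobuf; suggest `the Rundeck and Runbook Automation Dockerfile that builds Remco pins a specific Remco commit, which in turn uses protobuf 1.32.0.` The next sentence has a doubled article: `to use the latest protobuf library`. Because the not-vulnerable claim rests on the redis/vault backends being unused, it would help a future maintainer to say in the same paragraph what should be re-checked if the Remco pin or the Remco configuration ever changes.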
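Review bot: The page heading in the new cve-2024-38807.md reads `# CVE-2024-33807`, which does not match the file name, the index entry for CVE-2024-38807, or the Spring Boot Loader subject described below it; the digits look transposed. A security notice whose title carries the wrong identifier will not be found by anyone searching for the real CVE and could be mistaken for a different advisory, so change the heading to `# CVE-2024-38807`. The affected-range and fixed-version figures in the first paragraph are not something this diff lets me verify; they should be checked against the upstream advisory before the page is published.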
diff --git a/docs/history/cves/index.md b/docs/history/cves/index.md
index 5bf412ee1..8ab3bff55 100644
--- a/docs/history/cves/index.md
+++ b/docs/history/cves/index.md
@@ -1,5 +1,5 @@
 ---
-order: 100
+order: 10
 ---
 
 # Security Notices
@@ -34,8 +34,11 @@ These are the Security Advisories Rundeck has issued in the past. It is always
 ## Additional CVE Notes
 
 * Log4j / Log4Shell will flag a false positive vulnerability related to our JIRA plugins. [More Details on this page](log4j.md)
+* [CVE-2016-1000027 Spring Unsafe Java deserialization](cve-2016-1000027.md).
+* [CVE-2020-0187 Android 10 Finding](cve-2020-0187.md).
 * [CVE-2022-45868 H2 DB false positive](cve-2022-45868.md).
 * [CVE-2022-1471 SnakeYAML false positive](cve-2022-1471.md).
 * [CVE-2024-1597 Postgres JDBC Driver Vulnerability](cve-2024-1597.md).
-* [CVE-2016-1000027 Spring Unsafe Java deserialization](cve-2016-1000027.md).
 * [CVE-2023-39017 Quartz Scheduler false positive](cve-2023-39017.md).
+* [CVE-2024-24786 Protobuf finding in Remco](cve-2024-38807.md).
+* [CVE-2024-38807 Spring Boot false positive](cve-2024-38807.md).
\ No newline at end of file
diff --git a/docs/history/CVEs/log4j.md b/docs/history/cves/log4j.md
similarity index 99%
rename from docs/history/CVEs/log4j.md
rename to docs/history/cves/log4j.md
index 4af666586..7cf2db836 100644
--- a/docs/history/CVEs/log4j.md
+++ b/docs/history/cves/log4j.md
@@ -1,5 +1,5 @@
 ---
-order: 1500
+order: 2000
 ---
 
 # Log4Shell / Log4j Security
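Review bot: The new list entry `* [CVE-2024-24786 Protobuf finding in Remco](cve-2024-38807.md).` in the second index.md hunk links to the Spring Boot page rather than to the protobuf page this same commit adds, so the Remco notice is unreachable from the index and a reader following the link lands on an unrelated advisory. Change the target to `(cve-2024-24786.md)`. The surrounding list is otherwise consistent with the files added and renamed in this commit.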