[Product Alert] Mitigating Certifi and urllib3 Vulnerabilities
31 July 2024 11:59 AM

Product Alert - Certifi and urllib3 vulnerabilities

This article describes how to mitigate the disclosed Certifi and urllib3 third-party library vulnerabilities:

  • Certifi 2023.07.22 removes the "e-Tugra" root certificates from its root store; earlier versions still trust them (CVE-2023-37920).
  • Any version of urllib3 prior to 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow the credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext (CVE-2018-20060).
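The urllib3 item above is easier to reason about with the check spelled out. The following is an added example, not code from MarkLogic or from urllib3 itself: a small simulated redirect follower that drops the Authorization header whenever the next hop changes scheme, host, or port, which is the behaviour urllib3 1.23 and later apply. The URLs, hostnames, token and response table are constructed for the demonstration.

```python
"""Cross-origin redirect handling, illustrating the urllib3 < 1.23 issue.

Added example (not MarkLogic's or urllib3's code). The client below refuses
to forward Authorization to a different origin; a client without that rule
sends the credential to whichever host the Location header names.
"""
from urllib.parse import urljoin, urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers that must not survive a change of origin (mirrors the fixed
# urllib3 behaviour in spirit; the set is an assumption of this example).
HEADERS_DROPPED_ON_CROSS_ORIGIN = frozenset({"authorization"})


def origin(url: str) -> tuple:
    """(scheme, host, port) with the scheme's default port filled in, so
    https://a.test and https://a.test:443 compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def is_cross_origin(from_url: str, to_url: str) -> bool:
    """True when the redirect target differs in scheme, host, or port."""
    return origin(from_url) != origin(to_url)


def strip_sensitive_headers(headers: dict) -> dict:
    """Header names are case-insensitive, so compare in lower case."""
    return {k: v for k, v in headers.items()
            if k.lower() not in HEADERS_DROPPED_ON_CROSS_ORIGIN}


def follow_redirects(url: str, headers: dict, responses: dict, max_redirects: int = 5) -> list:
    """Simulated client. `responses` maps URL -> (status, Location or None).

    Returns the list of (url, headers_sent) hops so a caller can inspect
    exactly which headers each host would have received.
    """
    headers = dict(headers)
    hops = []
    for _ in range(max_redirects + 1):
        hops.append((url, dict(headers)))
        status, location = responses[url]
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        next_url = urljoin(url, location)  # Location may be relative
        if is_cross_origin(url, next_url):
            headers = strip_sensitive_headers(headers)
        url = next_url
    raise RuntimeError("too many redirects")


# Constructed response table: one cross-host redirect, one same-origin
# redirect, and one https -> http downgrade on the same host.
CONSTRUCTED_RESPONSES = {
    "https://api.example.test/v1/data": (302, "https://cdn.example.test/v1/data"),
    "https://cdn.example.test/v1/data": (200, None),
    "https://api.example.test/old": (301, "/v1/new"),
    "https://api.example.test/v1/new": (200, None),
    "https://api.example.test/insecure": (302, "http://api.example.test/insecure"),
    "http://api.example.test/insecure": (200, None),
}

if __name__ == "__main__":
    hops = follow_redirects("https://api.example.test/v1/data",
                            {"Authorization": "Bearer constructed-token"},
                            CONSTRUCTED_RESPONSES)
    for hop_url, sent in hops:
        print(hop_url, "Authorization sent" if "Authorization" in sent else "Authorization dropped")
```

The scheme downgrade case is the "transmitted in cleartext" half of the advisory: the host is unchanged, but forwarding the header over plain HTTP would still leak it, so the origin comparison has to include the scheme, not just the hostname.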

MarkLogic Server clusters deployed on AWS using the MarkLogic CloudFormation template, and the MarkLogic Data Hub Service, package the Certifi and urllib3 third-party libraries into lambda code deployed as part of the infrastructure setup to run MarkLogic on AWS Cloud. These libraries are not directly used in the lambda code, and there is no direct impact on the MarkLogic product functionality.
What are the symptoms observed and impact on MarkLogic clusters on AWS cloud?

There are no known impacts on MarkLogic functionality due to the vulnerabilities.

Certifi Vulnerability: MarkLogic products do not use "e-Tugra" from the root store. Instead, the boto3 library (AWS SDK for Python) is used for AWS calls.
Urllib3 Vulnerability: MarkLogic products use the boto3 library (AWS SDK for Python) for AWS calls.

While Progress MarkLogic products do not directly invoke the Certifi and urllib3 third-party libraries in their lambda code, the libraries are packaged in the lambda zip file as internal dependencies. This lambda function stays in the AWS account where clusters are deployed and is invoked only by the AWS CloudFormation template that sets up the infrastructure, not by any other resource. It is not directly accessible from or exposed to the Internet.

Versions Affected:

  • MarkLogic CloudFormation template versions: 10.0-6.6, 10.0-7.4, 10.0-8.3, 10.0-8.5, 10.0-9, 10.0-9.1, 10.0-9.2, 10.0-9.4, 10.0-9.5, 10.0-9.7, 10.0-10, 10.0-10.1, 10.0-10.2, 11.0.0, 11.0.2, 11.0.3, 11.1.0, 11.2.0, 11.3.0
  • MarkLogic Data Hub Service versions: 2.11, 3.0, 3.1, 3.2, 3.3

NOTE: If you have any questions or concerns related to this issue, please log in to open a new Technical Support case. Technical Support is available to Progress MarkLogic customers under warranty and active maintenance. If your version is no longer supported as part of the Progress MarkLogic Lifecycle Policy, you should upgrade to a supported and fixed version.

Issues

  • CVE-2023-37920 > CWE-345 (Insufficient Verification of Data Authenticity)
  • CVE-2018-20060 > (CVE-2018-20060)

What action do I need to take?

Solution:

We have addressed the vulnerabilities, and the Progress MarkLogic team strongly recommends using the latest MarkLogic CloudFormation template versions listed below when creating new MarkLogic Server cluster deployments on AWS, and applying the patched dependencies package to already deployed MarkLogic Server clusters.

Customers Looking to Create New MarkLogic Server Cluster Deployments on AWS Cloud

We recommend using the new versions of the MarkLogic CloudFormation template, available for download from the public GitHub repository. You can get the latest template for MarkLogic Server versions 11.0 - 11.3 from the 11.0-master and for MarkLogic Server versions 10.0 - 10.0-11 from the 10.0-master branches, respectively.

The new MarkLogic CloudFormation templates can also be downloaded from the MarkLogic developer website.

Fixed Versions:

  • MarkLogic CloudFormation template 10.0-11.0.1
  • MarkLogic CloudFormation template 11.3.0.1

Documentation: MarkLogic on AWS Documentation

Customers Who Prefer to Patch Their Existing MarkLogic CloudFormation Templates for New Cluster Deployments

In this scenario, we recommend replacing the template's lambda package with the patched version. Download the new lambda package (managed_eni.zip) from the release notes on GitHub for the latest MarkLogic CloudFormation template versions (10.0-11.0.1 and 11.3.0.1). Upload the zip file to the S3 bucket in your AWS account where MarkLogic deployments will be created, and pass its location in through these two parameters:

S3Bucket: !Join [ "", [!FindInMap [Variable,"LambdaPackageBucket","base"], !Ref 'AWS::Region']]

S3Directory: !FindInMap [Variable,"S3Directory","base"]

Note: The two references above are the section of the main template (mlcluster-vpc.template or mlcluster.template) that needs to be replaced.

Customers with Existing MarkLogic Server Cluster Deployments

The latest version of the lambda package (managed_eni.zip) is fully compatible with previous CloudFormation template versions and available for download in the release notes on GitHub for the latest CloudFormation template versions (Version 10.0-11.0.1 and version 11.3.0.1). Customers can download the zip file from GitHub or open a support ticket to receive the package directly.

Once you have downloaded the zip file, please follow the steps outlined below for each MarkLogic Server cluster:

  1. Navigate to the AWS CloudFormation service and identify the Stack/Cluster that needs to be patched. Note the Stack name.
  2. Navigate to the AWS Lambda service and search for the Stack name detailed in step 1 and look for “ManagedEniFunction” in the list of functions that appear.
  3. Upload the new zip file to that lambda function to replace the existing code.

NOTE: Updating existing MarkLogic Server cluster deployments with the new managed_eni.zip package is recommended only if you use the ManagedEniFunction lambda code as shipped with the MarkLogic CloudFormation templates. If the lambda package code has been modified, you are advised to build your own lambda package using the latest dependency versions patched against the vulnerabilities and upload that package to the Lambda function instead.

PLEASE NOTE: No downtime is required while uploading the managed_eni.zip file to the ManagedEniFunction lambda function as long as its respective CloudFormation stack is updated in progress state. Please use the zip file provided in the latest release notes of the CloudFormation template to patch your environment.
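Whether you upload the shipped managed_eni.zip or build your own package as the note above describes, the check worth running before and after is whether the bundle actually carries patched versions of the two libraries. The following is an added example, not MarkLogic's tooling: it reads the pip `*.dist-info/METADATA` records inside a Lambda deployment zip and compares them with the fixed versions named in this alert (certifi 2023.07.22, urllib3 1.23). The sample bundles are constructed in memory and contain only metadata, no library code.

```python
"""Audit a Lambda deployment zip for the certifi / urllib3 versions named
in this alert. Added example, not MarkLogic's code; the minimum versions
below come from the advisory text, and the sample zips are constructed.
"""
import io
import re
import zipfile

# Minimum non-vulnerable versions, as stated in the alert.
MIN_FIXED = {"certifi": "2023.07.22", "urllib3": "1.23"}


def version_key(version: str) -> tuple:
    """Turn '2023.07.22' or '1.26.18' into a comparable tuple of ints.
    Pre-release or local suffixes are ignored, which is adequate for a
    minimum-version gate on these two packages."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def installed_distributions(zip_bytes: bytes) -> dict:
    """Return {name.lower(): version} for every *.dist-info/METADATA entry
    in the bundle (the layout pip produces with `pip install -t`)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.namelist():
            if not entry.endswith(".dist-info/METADATA"):
                continue
            name = version = None
            for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                if line.startswith("Name:"):
                    name = line.split(":", 1)[1].strip().lower()
                elif line.startswith("Version:"):
                    version = line.split(":", 1)[1].strip()
                if name and version:
                    break
            if name and version:
                found[name] = version
    return found


def audit_lambda_package(zip_bytes: bytes) -> list:
    """Return one (package, installed, minimum_fixed) tuple per dependency
    that is below the fixed version. An empty list means both libraries are
    either absent or at/above the fixed version; absent libraries are not
    reported because a vendored copy without metadata would need a source
    review instead."""
    dists = installed_distributions(zip_bytes)
    findings = []
    for pkg, minimum in MIN_FIXED.items():
        installed = dists.get(pkg)
        if installed is not None and version_key(installed) < version_key(minimum):
            findings.append((pkg, installed, minimum))
    return findings


def build_constructed_package(versions: dict) -> bytes:
    """Constructed sample bundle for the demonstration: a stub handler plus
    dist-info metadata for the given {name: version} pairs, no library code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lambda_function.py", "def handler(event, context):\n    return {}\n")
        for name, version in versions.items():
            zf.writestr(f"{name}-{version}.dist-info/METADATA",
                        f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    unpatched = build_constructed_package(
        {"certifi": "2023.5.7", "urllib3": "1.22", "boto3": "1.28.0"})
    for pkg, have, need in audit_lambda_package(unpatched):
        print(f"{pkg}: installed {have}, need >= {need}")
```

To run it against a real bundle, pass the file contents to `audit_lambda_package` (for example `audit_lambda_package(open("managed_eni.zip", "rb").read())`). The check relies on pip's dist-info records; a hand-vendored copy of either library has no such record and will not be flagged, which is exactly the case the note above sends back to a source-level review.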

Customers of MarkLogic Data Hub Service

The MarkLogic Data Hub Service has already been patched and is no longer affected by these vulnerabilities. No further action is needed.