Advisories for Golang/Github.com/Neuvector/Neuvector package

2025

NeuVector process with sensitive arguments lead to leakage

When a Java command with password parameters is executed and then terminated by NeuVector for a process rule violation (for example, java -cp /app … Djavax.net.ssl.trustStorePassword=<Password>), the full command, including the password, appears in the NeuVector security event. To prevent this, NeuVector uses the following default regular expression to detect and redact sensitive data from process commands: (?i)(password|passwd|token) You can also define custom patterns to redact by creating a Kubernetes ConfigMap. For example: …

NeuVector has an insecure password storage vulnerable to rainbow attack

NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to a rainbow table attack (an offline attack in which the hashes of known passwords are precomputed and matched against the stored values). To address this, NeuVector generates a cryptographically secure, random 16-character salt and uses it with the PBKDF2 algorithm to derive the stored hash for the following actions: creating a user, updating a user’s password, and creating an API key. Note: After upgrading to NeuVector 5.4.6, …

NeuVector admin account has insecure default password

A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in admin account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the default credentials to obtain an authentication token. This token can then be used to perform any operation via NeuVector APIs. In earlier versions, NeuVector …

2023