On October 04, 2024, Redis disclosed multiple vulnerabilities regarding the Redis In-Memory Database. As per the available information, the following are the vulnerability details:

The most severe of these vulnerabilities is CVE-2024-31449, which is classified as a High severity and has a CVSS score of 8.8. It could allow remote attackers to execute arbitrary code on affected systems.

Impacted IONOS Cloud Products

Risk on IONOS Cloud user environment

Although the design of our database product did not allow the remote users to exploit the vulnerability, IONOS has rolled out the patched versions. As of now, there is no known exploit for these reported vulnerabilities.

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud has already rolled out the patched versions for the reported vulnerabilities.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

On September 26, 2024, a security researcher identified multiple vulnerabilities in the Linux Common Unix Printing System (CUPS). The following are the vulnerabilities found in OpenPinting CUPS:

The most severe of these vulnerabilities is CVE-2024-47177, which is classified as a Critical severity and has a CVSS score of 9.0.

To exploit this vulnerability, the following conditions must be met:

1. The Linus CUPS-browsed service is manually enabled.

2. An attacker has access to a vulnerable server, which allows unrestricted access, such as to the public internet, or gains access to an internal network where the local connections are trusted.

3. The attacker advertises a malicious Internet Printing Protocol (IPP) server, providing a malicious printer.

4. A potential victim attempts to print from a malicious device.

5. An attacker executes arbitrary code on the victim’s machine.

Impacted IONOS Cloud Products

Linux CUPS vulnerabilities do not impact any of the IONOS Cloud products.

What action has IONOS Cloud taken to mitigate the severity?

This vulnerability does not impact IONOS Cloud products. Hence, no action is needed.

What action can you take to mitigate the vulnerability?

Users should review their use of Linux CUPS and, if enabled, follow the vendor-specific guidance to patch the environment.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

Arbitrary command execution through gitRepo volume

On November 20, 2024, the Kubernetes Security Response Committee disclosed a vulnerability that could allow a user with the ability to create a pod and associate a gitRepo volume to execute arbitrary commands beyond the container boundary.

The Kubernetes Security Response Committee assigned this vulnerability the CVE ID CVE-2024-10220 and classified it as High severity with a CVSS score of 8.1.

Impacted IONOS Cloud Products

Risk on IONOS Cloud environment

IONOS Cloud infrastructure and services do not utilize the vulnerable versions of Managed Kubernetes, so they are not impacted.

What action can you take to mitigate the vulnerability?

If you use affected Managed Kubernetes versions, upgrading your clusters to one of the following fixed versions is recommended:

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

A security researcher discovered a security issue in Kubernetes where an unauthorized user may be able to SSH to a node VM, which uses a VM image built with the Kubernetes project. The vulnerable images contain a pre-configured user with a weak default password, which can be accessed via SSH. The user can then use "sudo" to escalate privileges to root.

The following are the vulnerabilities found in Kubernetes Image Builder:

The most severe of these vulnerabilities is , which is classified as Critical severity with a CVSS score of 9.8.

Impacted IONOS Cloud Products

Risk on IONOS Cloud user environment

The IONOS-provided managed Kubernetes environment is not based on Proxmox Image Builder, so CVE-2024-9486 does not impact our infrastructure and user environments. However, some parts of our infrastructure use QEMU to build clusters and are impacted by CVE-2024-9594. Even though CVE-2024-9594 is rated as medium, we consider this issue very low severity as we already have the required mitigation to prevent the mentioned attack vector on our infrastructure. At the moment, no active exploitation of these vulnerabilities is known.

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud will apply the patch to the affected products and services soon. We will update the patching status once the process is complete.

What action can you take to mitigate the vulnerability?

IONOS Cloud owns the patching responsibility, and no action is required from the user.

How can I get help?

On October 18, 2024, Grafana Labs disclosed a vulnerability introduced in Grafana 11 that may allow attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise.

This vulnerability is assigned the CVE ID and classified as Critical severity with a CVSS score of 9.9. For more information about the technical details of the vulnerability, refer to Grafana's .

Impacted IONOS Cloud Products

Risk on IONOS Cloud environment

IONOS Cloud infrastructure and services do not utilize the vulnerable version of Grafana, so they are not impacted.

What action can you take to mitigate the vulnerability?

If you are using custom images, we advise you to refer to the information provided by the Operating System (OS) vendor to address any concerns from this reported issue.

How can I get help?

If you have further questions or concerns about this vulnerability, contact .

The Vulnerability Register reports security vulnerabilities affecting IONOS Cloud products and services. The information provided is part of an ongoing effort to help you manage security risks and protect your systems.

We highly recommend using the public vulnerability database as an invaluable resource for your security efforts. The NIST public vulnerability database provides comprehensive information on known vulnerabilities, including detailed descriptions, severity ratings, and mitigation strategies.

For third-party dependant assets and services provided by IONOS Cloud, we recommend that you closely monitor the below external resources for the latest security-related information.

To stay informed about the latest security vulnerabilities affecting various software, operating systems, and network components, regularly monitoring and referencing the above resources are crucial. By doing so, you can proactively assess and address potential security risks within your infrastructure.

Fluent Bit Memory Corruption Vulnerability

On May 20, 2024, Tenable Research published information about a memory corruption vulnerability in Fluent Bit that may result in a denial of service, information disclosure, or remote code execution. For more information, refer to the Tenable Research Advisory.

The CVE ID CVE-2024-4323 is assigned to this vulnerability and classified as a Critical severity with a CVSS score of 9.8 by Tenable Research. For further technical details about the vulnerability, refer to Fluent Bit's official advisory.

Impacted IONOS Cloud products

IONOS Cloud infrastructure and services do not utilize the vulnerable software and are not impacted.

What action can you take to mitigate the vulnerability?

Users using Fluent Bit versions 2.0.7 through 3.0.3 in their Virtual Data Centers (VDCs) are vulnerable and must update their software to 2.2.3 or 3.0.4.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

Backdoor in XZ Utils

On March 29, 2024, the Openwall oss-security mailing list published information about a backdoor in the compression utility/library xz/liblzma. This backdoor affects sshd in some rolling and testing Linux distributions. The CVE ID CVE-2024-3094 is assigned to this vulnerability and has a Critical severity with Common Vulnerability Scoring System (CVSS) of 10 score.

For more information, refer to the official Red Hat Blog.

Impacted IONOS Cloud products

IONOS Cloud infrastructure and services do not utilize the vulnerable software, so they are not impacted.

What action can you take to mitigate the vulnerability?

If you are using custom images, we advise you to refer to the information provided by the Operating System (OS) vendor to address any concerns from this reported issue.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

Remote Code Execution (RCE) in OpenSSH

On July 01, 2024, OpenSSH disclosed a vulnerability in Portable OpenSSH versions between 8.5 and 9.7 that may allow arbitrary code execution with root privileges in default configurations. The vulnerability is named regreSSHion.

The CVE ID CVE-2024-6387 is assigned to this vulnerability and classified as Critical severity with a CVSS score of 8.1. For more information about the technical details of the vulnerability, refer to the official advisory.

Impacted IONOS Cloud products

Risk on IONOS Cloud user environment

We do not see any sign of active exploitation of this vulnerability in our infrastructure or user environment. Cloud-provided compute engines already use the patched version of OpenSSH, so there is no risk to the cloud user environment.

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud has already started the patching process for the affected products and services. The patching status is complete for Compute Engine, is ongoing for Managed Kubernetes, and will be updated once completed.

What action can you take to mitigate the vulnerability?

Users using compute engines with affected distribution should patch as per the vendor security guidelines. No action is required from the users using the Managed Kubernetes environment.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

On April 29, 2024, Acronis disclosed multiple vulnerabilities in Cyber Protect Agent. As per the advisory published by Acronis, the following are the vulnerability details:

The most severe of these vulnerabilities is CVE-2024-34010 and is classified as a High severity with CVSS score of 8.2. The attack vectors related to these vulnerabilities are still not known.

Impacted IONOS Cloud Products

What action has IONOS Cloud taken to mitigate the severity?

There are no signs of active exploitation resulting from these vulnerabilities. These vulnerabilities do not allow unauthorized access to IONOS Cloud users’ backup data. IONOS Cloud is already in the process of rolling out patched agents for Storage & Backup users.

What action can you take to mitigate the vulnerability?

You can enable auto-update; the vulnerable agent is automatically updated after May 6, 2024. You can download the non-vulnerable agent from the Downloads section in the Backup Unit Management console if the auto-update is not enabled.

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

References

Acronis Advisory Database

Container Escape via runc

On January 31, 2024, cybersecurity company Snyk disclosed a vulnerability in all versions of runc, up to and including 1.1.11, which is utilized by the Docker engine and other containerization technologies like Kubernetes.

The runc application is used for spawning and running containers on Linux. The vulnerability enables containerized escape for attackers that execute a malicious image or build an image using a malicious Dockerfile or an upstream image.

The CVE ID CVE-2024-21626 is assigned to this vulnerability and has a High severity with Common Vulnerability Scoring System (CVSS) of 8.6 score. For more information about the technical details of the vulnerability, see the official runc advisory and the analysis by Snyk.

Impacted IONOS Cloud products

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud is committed to the privacy and security of our customers' data. We are aware of this vulnerability and have already initiated the required steps to mitigate this vulnerability. We own the patching responsibilities and have already completed patching to update runc version 1.1.12.

What action can you take to mitigate the vulnerability?

As a best practice, ensure that Docker images use trusted and verified sources. No patching is required from your end.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

Escalation of privilege for some Intel processors

On November 14th, 2023, Intel disclosed a vulnerability in its recent computer processor microarchitecture. This vulnerability, known as Redundant REX Prefix, may allow an attacker to confuse the system, resulting in unpredictable behavior. If an attacker successfully exploits this vulnerability, they could crash or hang the target system and, in some scenarios, allow an escalation of privilege, which may allow an attacker to obtain sensitive information from the system. This vulnerability is assigned CVE ID CVE-2023-23583 and has been given a high severity of 8.8 score by Intel.

Impacted IONOS Cloud products

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud is committed to the privacy and security of our customers' data. We have already completed the required steps to mitigate this vulnerability by upgrading the affected systems' firmware. IONOS Cloud owns the patching responsibility, and no action is required from the customer.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

VMware vCenter Server out-of-bounds write vulnerability

On October 25, 2023, VMWare disclosed a vulnerability in its vCenter Server Security Issues. This vulnerability enables a malicious actor with network access to a vCenter Server to trigger an out-of-bounds write – potentially leading to remote code execution. The CVE ID CVE-2023-34048 is assigned to this vulnerability and has a Critical severity with Common Vulnerability Scoring System (CVSS) of 9.8 score.

Impacted IONOS Cloud products

Risk on IONOS Cloud user environment

IONOS Cloud customers access their Private Cloud’s vCenter server via an IONOS-provided dedicated Virtual Private Network (VPN). Every Private Cloud customer has a dedicated VPN, and another customer of IONOS cannot access the vCenter Server instance of another. This reduces the attack surface from external entities. Therefore, we consider this issue to be Medium for our customer environment as the reachability of the attack is not public but restricted.

We do not see any active sign of exploitation of this vulnerability, and no public exploit is known yet.

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud provides VServer over a secure virtual private network, which mitigates the risk of exploitation from external entities. We have already initiated the steps to remediate the vulnerability by upgrading the VMWare vCenter version. IONOS Cloud owns the patching responsibility, and there is no action required from the customer.

IONOS Cloud will start to update all VMware vCenter servers on November 6, 2023.

What is the customer impact during the upgrade?

During the upgrade, you can restrict access to vCenter for up to 1 hour.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

Sensitive information disclosure due to speculative side-channel attack

On August 8th, 2023, Advanced Micro Devices (AMD) disclosed a vulnerability in its recent computer processor microarchitecture. This vulnerability, known as the Return Form Procedure (RET) Speculation or Inception, may allow an attacker to obtain sensitive information from a system.

If an attacker can exploit this vulnerability, they could potentially exfiltrate information contained within different security contexts such as other or even the host device.

The CVE ID is assigned to this vulnerability and classified as a medium severity by AMD.

Impacted IONOS Cloud products

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud is committed to the privacy and security of our customers' data. We are aware of this vulnerability and have already initiated the required steps to mitigate this vulnerability. We are also investigating the exposure and risk of this vulnerability for our customer’s products and instances.

We will provide necessary updates as we learn more.

How can I get help?

If you have further questions or concerns about this vulnerability, contact .

Information disclosure in Intel processors

On August 8th, 2023, Intel disclosed a vulnerability in its recent computer processor microarchitecture. This vulnerability, known as "Gather Data Sampling (GDS)" or "Downfall", may allow an attacker to obtain sensitive information from a system. This vulnerability is assigned CVE ID as and has been given a medium severity by Intel.

What is the vulnerability?

CVE-2022-40982 is a transient execution side-channel vulnerability that affects Intel® Core processors from the 6th Generation (Skylake) to the 11th Generation (Tiger Lake). It allows an attacker with local access to infer stale data from previously used vector registers on the same physical core. A detailed description can be found in the .

What is the risk?

If an attacker is able to exploit this vulnerability, they could potentially exfiltrate information contained within different security contexts (i.e., other virtual machines or even the host device).

Impacted IONOS Cloud products

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud is committed to the privacy and security of our customers' data. We are aware of this vulnerability and have already initiated the required steps to mitigate this vulnerability. We are also investigating the exposure and risk of this vulnerability for our customer’s products and instances.

We will provide necessary updates as we learn more.

How can I get help?

Sensitive information disclosure and manipulation due to missing authorization

On October 9, 2023, Acronis disclosed a vulnerability in its Acronis Agent for Linux, Mac, and Windows. This vulnerability may allow an unauthorized attacker to view and manipulate antivirus and antimalware protection plans applied to a specific agent. CVE-2023-45247 ID has been assigned to this vulnerability and classified as having high severity.

Impacted IONOS Cloud products

What action has IONOS Cloud taken to mitigate the severity?

IONOS and Acronis are in constant communication to gain a deeper understanding of this vulnerability and also ensure that:

• There are no signs of active exploitation resulting from the vulnerability. For more information, see Acronis Cyber Protect Cloud Agent update C23.10.

• The vulnerability does not allow unauthorized access to IONOS Cloud customers’ backup data. IONOS Cloud will publish the non-vulnerable versions of agents when Acronis shares the information, estimated to be by the end of November 2023.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.

Local privilege escalation due to DLL hijacking

On October 9, 2023, Acronis disclosed another vulnerability in its Acronis Agent for Windows. The vulnerability can be fixed by upgrading to build version 36497.

Impacted IONOS Cloud products

What action has IONOS Cloud taken to mitigate the severity?

The IONOS Cloud team constantly communicates with Acronis and will soon allow customers to download the patched Windows agent. Acronis has ensured no active sign of exploitation, and IONOS Cloud customer backups do not have an impact due to this vulnerability. For more information, see Acronis Cyber Protect Cloud Agent update C23.10.

IONOS Cloud will publish the non-vulnerable versions of agents when Acronis shares the information, estimated to be by the end of November 2023.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.