Information Security Advisories
Information on relevant CVEs and security issues for clients
November 2023
CVE-2023-23583 - INTEL-SA-00950 Update Advisory
| Item | Description |
|---|---|
| Description | In response to Intel’s Platform Update advisory INTEL-SA-00950 (CVE-2023-23583), CoreWeave Engineering has proactively updated our systems to address the identified vulnerabilities within the named Intel products. |
| Severity | 8.8 |
| Impact to CoreWeave Platform | No impact has been observed as of this posting. CoreWeave systems have been upgraded and operational prior to public disclosure. |
| Potentially Affected Clients | No client impact as remediation has occurred prior to public disclosure. (Note: Intel components are used within our services, however, our proactive updates have ensured no client impact.) |
| Actions Taken | Patching and Updates: Updates have been implemented for INTEL-SA-00950 (CVE-2023-23583), ensuring compatibility and system integrity. System Status: As of November 14th, 2023, CoreWeave in-scope systems have been upgraded and are operational. Recommended Client Actions: No action is required. This advisory is informational only, to assure you of CoreWeave's commitment to infrastructure security. |
CoreWeave's Vulnerability Management Team is closely monitoring the situation and is dedicated to providing timely updates if deemed necessary. If required, updates to this page will be posted.
December 2022
CVE-2022-42475
| Item | Description |
|---|---|
| Description | A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. |
| Severity | 9.3 |
| Impact to CoreWeave Platform | Currently no known impact to CoreWeave Platform |
| Potentially Affected Clients | Clients using FortiOS |
| Recommended Actions | Vendor-recommended mitigations |
FortiGuard Labs has confirmed at least one instance of vulnerability CVE-2022-42475 being exploited in the wild. Given the high value (CVE critical severity rating 9.3) and relatively low complexity of this vulnerability, CoreWeave strongly recommends upgrading to an unaffected version of FortiOS on an accelerated patch schedule, according to vendor recommendations.
Vulnerability checks for CVE-2022-42475 are available from a variety of sources. Please use caution when running any script or application to ensure it is safe.
At this time there is no impact to CoreWeave's platform, however customers who have FortiOS running within their environment are advised to review the vendor-recommended mitigations, and take appropriate self measures to upgrade their deployments and evaluate their systems for any indicators of compromise. Our cyber security team is closely monitoring the situation, and will provide important updates should more information become available.