Adding Security Advisories and CVES section, and adding updates to v5.4 folder.

sunilarjun · sunilarjun · commit c9cada9fe767 · 2025-07-10T09:21:57.000-07:00
Signed-off-by: Sunil Singh &lt;sunil.singh@suse.com&gt;
diff --git a/docs/16.security_advisories/01.security_advisories/Exposure-ManagerContainerLogs.md b/docs/16.security_advisories/01.security_advisories/Exposure-ManagerContainerLogs.md
diff --git a/docs/16.security_advisories/16.security_advisories.md b/docs/16.security_advisories/16.security_advisories.md
@@ -0,0 +1,9 @@
+---
+title: UI Extension
+sidebar_label: 16. Security Advisories and CVEs
+taxonomy:
+    category: docs
+slug: /ui_extension
+---
+
+This section describes security advisories and CVEs for NeuVector.
diff --git a/versioned_docs/version-5.4/14.releasenotes/01.5x/01.5x.md b/versioned_docs/version-5.4/14.releasenotes/01.5x/01.5x.md
@@ -11,6 +11,51 @@ slug: /releasenotes/5x
 To receive email notifications of new releases, please subscribe to this SUSE mailing list: https://lists.suse.com/mailman/listinfo/neuvector-updates
 :::
 
+#### 5.4.5 July 2025
+
+##### New Features:
+
+* **NVSHAS-9776**: Add etcd toleration in helm chart.
+
+##### Bug Fixes:
+
+* **NVSHAS-9507**: OCI container not getting scanned.
+* **NVSHAS-9787**: Remove unnecessary manager log.
+* **NVSHAS-9788**: Refine algorithm for generating certificate.
+* **NVSHAS-9789**: Remove unnecessary manager log on remote registry configuration.
+* **NVSHAS-9867**: NeuVector shows `.NET Library System.Formats.Asn1 v8.013` affected CVE 2024-38095.
+* **NVSHAS-9883**: [quay.io]Wildcard filters not working for docker registry.
+* **NVSHAS-9911**: Scanning the repo using REST API results in an incorrect "message"
+* **NVSHAS-9930**: CVE-2018-20796 for `glibc/libc-bin : 2.36-9+deb12u10` - False positive.
+* **NVSHAS-9933**: Registry-adapter feature (Harbor) showing errors in target registry while scanning.
+* **NVSHAS-9934**: Suspected zero-drift functionality malfunction.
+* **NVSHAS-9940**: NV scan JFrog Subdomain mode issue.
+* **NVSHAS-9942**: Images scans for customer images are failing.
+* **NVSHAS-9945**: When the process name is too long, it's difficult to determine how to create the appropriate process profile rule.
+* **NVSHAS-9946**: Display issue with Admission Control alert for Credential Type.
+* **NVSHAS-9947**: [UI-ext] Compliance Chart Missing "Manual" Status in Rancher NeuVector.
+* **NVSHAS-9948**: After upgrading to `5.4.3` NeuVector configuration has been lost.
+* **NVSHAS-9949**: [Harbor][Incorrect user/pw] It still scan images even inputting incorrect user/pw.
+* **NVSHAS-9952**: Remove 'signature' from usage report because NV no longer issues/checks the license key.
+* **NVSHAS-9953**: Pods Enforcer keeps restarting.
+* **NVSHAS-9954**: NeuVector prometheus-exporter generating duplicated metrics.
+* **NVSHAS-9958**: Network rule enforcement takes long time.
+* **NVSHAS-9960**: Scanners not working.
+* **NVSHAS-9969**: fatal error: concurrent map writes results in enforcer component restart.
+* **NVSHAS-9971**: NV UI about `Get Bootstrap Password`.
+* **NVSHAS-9975**: [Manager] TypeError: `this.mousemoveListener` is not a function is observed on the NV GUI.
+* **NVSHAS-9986**: Process profile rules and File access rules cannot be edited and removed in Federated policy group view.
+* **NVSHAS-9988**: UI: Group pages is not showing all groups when more than 2k groups present.
+* **NVSHAS-9991**: The group `nv.gatekeeper-controller-manager.openshift-azure-guardrails` is missing from UI.
+* **NVSHAS-9993**: Replace md5 by sha256.
+* **NVSHAS-9994**: The enforcer pod keeps restarting.
+* **NVSHAS-9996**: NeuVector Helm chart should allow non-privileged mode of enforcer pods.
+* **NVSHAS-9998**: Cannot export group from Neuvector federated master.
+* **NVSHAS-10000**: Upgrade NV to BCI 15.7.
+* **NVSHAS-10003**: Reload page does not work on standalone NV page while a Rancher UI is opening.
+* **NVSHAS-10008**: Registry Scan - View menu is broken for Scanned Image.
+* **NVSHAS-10010**: TCP SYN Flood blocks ingress causing complete ingress traffic being blocked.
+
 #### 5.4.4 May 2025
 
 ##### New Features:
@@ -134,7 +179,7 @@ In the NeuVector 5.4.2 release, support is discontinued for deployments using th
 
 Please create and configure internal certificates from the scanner for the controller, enforcer, and registry-adapter to achieve a rolling update without losing data. It is still recommended to take a backup of your configuration before upgrading. 
 
-The following steps are only needed if your deployment uses a `.yaml` file. Upgrading using Helm does not need these additional steps due to the internal certificates getting created by default via the following flags: `internal.autoGenerateCert` and `internal.autoRotateCert`. 
+The following steps are only needed if your deployment uses a `.yaml` file. Upgrading using Helm does not need these additional steps due to the internal certificates getting created by default via the following flags: `internal.autoGenerateCert` and `internal.autoRotateCert`.
 
 ```shell
 docker run -it --entrypoint=bash neuvector/scanner:3.654 -c "cat /etc/neuvector/certs/internal/ca.cert" > ca.crt
diff --git a/versioned_docs/version-5.4/16.security_advisories/01.security_advisories/Exposure-ManagerContainerLogs.md b/versioned_docs/version-5.4/16.security_advisories/01.security_advisories/Exposure-ManagerContainerLogs.md
@@ -0,0 +1,53 @@
+# Sensitive information exposure in NeuVector manager container logs
+
+**CVE ID:** CVE-2025-46808
+**CVSS Score:** 6.8- [AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N&version=3.1)
+**CWE:** [CWE-532: Insertion of Sensitive Information into Log File](https://cwe.mitre.org/data/definitions/532)
+
+**Affected Versions**
+
+* All versions earlier than `5.0.0`
+* Versions from `5.0.0` up to and including `5.4.4`
+
+**Fixed version: `5.4.5`** 
+
+### **Impact**
+
+A vulnerability has been identified in the NeuVector version up to and including `5.4.4`, where sensitive information is leaked into the manager container’s log. The listed fields can be caught in the log:
+
+| Field | Field Description | Where it Appears | Reproduction | Environment |
+| :---- | :---- | :---- | :---- | :---- |
+| `X-R-Sess` | Rancher’s session token for single sign on token | Request header | Log in via Rancher UI and access NeuVector SSO | Rancher with NeuVector SSO |
+| `personal_access_token` | The Github / Azure DevOps token | Request body | Submit remote repository config under *Configuration \> Settings* | NeuVector |
+| `token1.token` | NeuVector user’s session token | Response body | Send GET request through NeuVector web server’s API: `https://<neuvector ui’s url>/user?name=<username>` | NeuVector |
+| `rekor_public_key`, `root_cert`, `sct_public_key` | Rekor public key, Root certificate, Signed certificate timestamp(SCT) Public Key in private root of trust | Request body | Create/update private root of trust from Sigstore page | NeuVector |
+| public\_key | Verifier’s public key | Request body | Create/update verifier in Sigstore page | NeuVector |
+
+:::note
+**Note:** NeuVector installations not using the single sign-on integration with Rancher Manager, and does not have Remote Repository Configuration enabled, are not affected by this issue.
+:::
+
+In the patched version, X-R-Sess is partially masked so that users can confirm what it is being used while still keeping it safe for consumption. The log which includes `personal_access_token`, `token`, `rekor_public_key`, `root_cert`, `sct_public_key`, `public key` are removed, as the request body is not mandatory in the log.
+
+:::note
+* The severity of the vulnerability depends on your logging strategy.
+   * **Local logging (default)**: Limits exposure of impact.
+   * **External logging**: Vulnerability’s severity increases, the impact depends on security measures implemented at the external log collector level.
+* The final impact severity for confidentiality, integrity and availability is dependent on the permissions that the leaked credentials have on their own services.
+
+Please consult the associated [Unsecured credentials](https://attack.mitre.org/techniques/T1552/) for further information about this category of attack.
+
+### **Patches**
+
+Patched versions include release `5.4.5` and above. Users are advised to rotate the GitHub token used in Remote Repository Configuration once they have upgraded to a fixed version.
+
+### **Workarounds**
+
+No workarounds are currently available. Customers are advised to upgrade to a fixed version at their earliest convenience.
+
+If you have any questions or comments about this advisory:
+
+* Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.
+* Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.
+* Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).
+
diff --git a/versioned_docs/version-5.4/16.security_advisories/16.security_advisories.md b/versioned_docs/version-5.4/16.security_advisories/16.security_advisories.md
@@ -0,0 +1,9 @@
+---
+title: UI Extension
+sidebar_label: 16. Security Advisories and CVEs
+taxonomy:
+    category: docs
+slug: /ui_extension
+---
+
+This section describes security advisories and CVEs for NeuVector.
