
Security bulletins

  • 24.12.2020: CVE-2020-25695, privilege escalation in PostgreSQL
    • Description
    • Impact on Yandex.Cloud services
  • 19.11.2020: Deprecation of outdated TLS protocols
    • Description
    • Impact on Yandex.Cloud services
  • 20.09.2020: CVE-2020-1472 (aka Zerologon)
    • Description
    • Impact on Yandex.Cloud services
    • Mitigation Techniques
  • 15.06.2020: Special Register Buffer Data Sampling Attack (aka CrossTalk)
    • Description
    • Impact on Yandex.Cloud services
  • 28.08.2019: TCP SACK
    • Description
    • Impact on Yandex.Cloud services
  • 19.08.2019: Some Yandex Object Storage domains are included in the Public Suffix List
    • Description
    • Impact on Yandex.Cloud services

This page lists security recommendations given by Yandex.Cloud experts.

24.12.2020: CVE-2020-25695, privilege escalation in PostgreSQL

Description

A privilege escalation vulnerability was found in PostgreSQL. Under certain conditions, the vulnerability allowed unprivileged users to run SQL queries with the identity of a superuser.

Impact on Yandex.Cloud services

All PostgreSQL database management systems used in the Yandex Managed Service for PostgreSQL have been updated. All new clusters are created with a patched version of PostgreSQL.

19.11.2020: Deprecation of outdated TLS protocols

Description

To improve the security of data in transit, Yandex.Cloud recommends that all users migrate to solutions that support TLS 1.2 and higher.

Impact on Yandex.Cloud services

All Yandex.Cloud services support TLS 1.2 and higher. Support for outdated protocols will be phased out soon. We strongly recommend switching all customer applications to higher TLS versions in advance.
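Added example (not Yandex.Cloud code) showing the client-side half of this recommendation: a context that refuses anything below TLS 1.2, plus a probe that reports whether a given endpoint still accepts TLS 1.0/1.1. The helper names are hypothetical.

```python
import socket
import ssl

# Protocol versions the bulletin asks customers to move away from.
LEGACY_VERSIONS = ("TLSv1", "TLSv1_1")


def strict_client_context() -> ssl.SSLContext:
    """Client context for production traffic: certificate and hostname
    verification stay on, and the handshake floor is TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def enforces_tls12(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this context refuse legacy TLS and verify peers?"""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


def _probe_context(version_name: str) -> ssl.SSLContext:
    """Context pinned to exactly one protocol version, used only to probe
    what a server accepts; it deliberately does not verify certificates."""
    version = ssl.TLSVersion[version_name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL's default security level blocks TLS 1.0/1.1 locally;
        # lower it so the probe reflects the server, not the client.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def legacy_tls_accepted(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return {version_name: True/False} for each legacy version the
    server at host:port was willing to negotiate."""
    result = {}
    for name in LEGACY_VERSIONS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with _probe_context(name).wrap_socket(raw, server_hostname=host) as tls:
                    result[name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            result[name] = False
    return result
```

`legacy_tls_accepted` needs network access to the endpoint being audited; `strict_client_context` is what the application should actually use.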

20.09.2020: CVE-2020-1472 (aka Zerologon)

Description

A flaw in Windows Netlogon Remote Protocol allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services.

Original report from Secura: Zerologon.

Microsoft advisory: CVE-2020-1472.

Microsoft guide on change management: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472.

Impact on Yandex.Cloud services

The OS images available in Yandex Compute Cloud already contain all the necessary patches. Therefore, new VMs created in Yandex Compute Cloud are not affected by this vulnerability.

Mitigation Techniques

In addition to applying the patches, you can implement and enforce network access control so that your domain controller (DC) is not reachable from untrusted networks. This can be achieved by:

  • setting up Windows Firewall or Security Groups;
  • placing your DC behind a NAT gateway.

15.06.2020: Special Register Buffer Data Sampling Attack (aka CrossTalk)

Description

On certain Intel CPU models, VUSec detected a new attack called Special Register Buffer Data Sampling Attack (or CrossTalk). During this attack, a malicious process can get the results returned by the RDRAND and RDSEED instructions from another process, even when the malicious and legitimate processes run on different physical CPU cores. The attack is assigned the ID CVE-2020-0543.

Intel's report: Deep Dive: Special Register Buffer Data Sampling.

Impact on Yandex.Cloud services

Yandex.Cloud uses CPU models that are not vulnerable to CrossTalk attacks.

28.08.2019: TCP SACK

Description

Netflix experts found three vulnerabilities in the Linux kernel:

  • CVE-2019-11477
  • CVE-2019-11478
  • CVE-2019-11479

Original report from Netflix: NFLX-2019-001.

Vulnerability analysis from Red Hat: TCP SACK PANIC.

Impact on Yandex.Cloud services

  • The Yandex.Cloud infrastructure was promptly protected and updated.
  • The OS images available to Yandex Compute Cloud users were updated as soon as the appropriate fixes became available. Therefore, new VMs created in Yandex Compute Cloud are not affected by these vulnerabilities.

19.08.2019: Some Yandex Object Storage domains are included in the Public Suffix List

Description

List of domains included in Public Suffix List:

  • yandexcloud.net
  • storage.yandexcloud.net
  • website.yandexcloud.net

Domains in the Public Suffix List get the properties of top-level domains such as .ru or .com:

  • Browsers won't save cookies set for the listed domains themselves.
  • Browsers won't let a page change its origin to one of these root domains.

For more information, see our blog.

Impact on Yandex.Cloud services

These changes will improve the security of Yandex.Cloud users.
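Added example (not Yandex.Cloud code) of the browser rules the bulletin relies on, run over a constructed subset of the Public Suffix List: the RFC 6265 cookie Domain check with the public-suffix rejection, and the registrable-domain (eTLD+1) computation that decides whether two bucket hostnames are the same site. Function names are hypothetical.

```python
# Constructed subset of the Public Suffix List: real TLDs plus the three
# Yandex Object Storage domains named in the bulletin.
PUBLIC_SUFFIXES = {
    "com", "net", "ru",
    "yandexcloud.net", "storage.yandexcloud.net", "website.yandexcloud.net",
}


def public_suffix(host: str) -> str:
    """Longest suffix of host that is a public suffix (unknown TLDs count)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def registrable_domain(host: str):
    """eTLD+1 of host, or None when host itself is a public suffix."""
    h = host.lower().rstrip(".")
    suffix = public_suffix(h)
    if h == suffix:
        return None
    owner_label = h[: -len(suffix) - 1].split(".")[-1]
    return owner_label + "." + suffix


def same_site(host_a: str, host_b: str) -> bool:
    """Two hosts can share cookies / relax origin only under one eTLD+1."""
    rd = registrable_domain(host_a)
    return rd is not None and rd == registrable_domain(host_b)


def effective_cookie_domain(request_host: str, cookie_domain: str = ""):
    """Apply RFC 6265 section 5.3 to a Set-Cookie Domain attribute.
    Returns (domain, host_only) if the cookie is stored, None if rejected."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if not domain:
        return host, True                       # no Domain attr: host-only
    if domain in PUBLIC_SUFFIXES:
        # A public suffix is never a shared cookie domain; it is only
        # tolerated when it equals the host, and then as host-only.
        return (host, True) if domain == host else None
    if host == domain or host.endswith("." + domain):
        return domain, False                    # shared with subdomains
    return None                                 # domain does not match host
```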

© 2021 Yandex.Cloud LLC