Cloudflare’s Handling of an RCE Vulnerability in cdnjs
cdnjs provides JavaScript, CSS, images, and fonts assets for websites to reference with more than 4,000 libraries available. By utilizing cdnjs, websites can load faster with less strain on one’s own origin server as files are served directly from Cloudflare’s edge. Recently, a blog post detailed a vulnerability in the way cdnjs’ backend automatically keeps the libraries up to date.
This vulnerability allowed the researcher to execute arbitrary code, granting the ability to modify assets. This blog post details how Cloudflare responded to this report, including the steps we took to block exploitation, investigate potential abuse, and remediate the vulnerability.
This vulnerability is not related to Cloudflare CDN. The cdnjs project is a platform that leverages Cloudflare’s services, but the vulnerability described below relates to cdnjs’ platform only. To be clear, no existing libraries were modified using this exploit. The researcher published a new package which demonstrated the vulnerability and our investigation concluded that the integrity of all assets hosted on cdnjs remained intact.
Disclosure Timeline
As outlined in RyotaK’s blog post, the incident began on 2021-04-06. At around 1100 GMT, RyotaK published a package to npm exploiting the vulnerability. At 1129 GMT, cdnjs processed this package, resulting in Continue reading
High-availability connectivity for Kubernetes with dual ToR
Many platform operators in large enterprises who run Kubernetes on-premises want to leverage Border Gateway Protocol (BGP) to peer with other infrastructure. Calico Enterprise uses BGP to establish connectivity between workloads without an overlay, peer with infrastructure inside and outside of the cluster, and integrate with top-of-rack (ToR) switches to provide that connectivity.
Calico ToR connectivity has existed for some time now. However, for customers with high-availability requirements, a new high availability Kubernetes capability in Calico Enterprise now supports connectivity with dual ToR switches. From an operational standpoint, a cluster that is peered to two ToR switches will still have an active link, even if one switch becomes unavailable, thus ensuring the cluster always has a network connection. Because of the two ToR switches per rack, the whole setup is often referred to as “dual ToR.”
Dual ToR peering provides a redundant path for customers with cluster applications that cannot tolerate service downtime or failure, and require a high-availability solution. Kubernetes cannot do this on its own.
More specifically, Calico:
- Enables cluster operators to connect with, and take advantage of, dual ToR switches
- Provides two active, independent planes of connectivity between cluster nodes when a dual plane cluster is Continue reading
Microservices workflow orchestration
A recurring pattern in software architecture is the need to trigger a process or workflow that is implemented across multiple microservices and then report to the user the results when the process completes.
In a previous project, I faced this issue when building a SaaS application in the Intelligent Document Processing (IDP) space. The application was supposed to take a collection of scanned pages, split it in documents, and for each document perform several document understanding tasks. There is a mix of per-page-bundle, per-page and per-document processing steps.
Given the desire to develop each step independently and be able to scale the processing independently (e.g. page OCR consumes more resources than other tasks) I designed a system around a message bus (RabbitMQ) and individual workers that pull requests from message queues.
Unfortunately there aren’t a whole lot of easy to use solutions available for this type of design. Googling for “rabbitmq workflow orchestration” the most helpful link I get is for an article that recommends the use of BPMN for this type of design. That is rather centered in the Java ecosystem. For my use case I needed something that worked well in python and would be preferably language Continue reading
Microservices workflow orchestration
A recurring pattern in software architecture is the need to trigger a process or workflow that is implemented across multiple microservices and then report to the user the results when the process completes.
In a previous project, I faced this issue when building a SaaS application in the Intelligent Document Processing (IDP) space. The application was supposed to take a collection of scanned pages, split it in documents, and for each document perform several document understanding tasks. There is a mix of per-page-bundle, per-page and per-document processing steps.
Given the desire to develop each step independently and be able to scale the processing independently (e.g. page OCR consumes more resources than other tasks) I designed a system around a message bus (RabbitMQ) and individual workers that pull requests from message queues.
Unfortunately there aren’t a whole lot of easy to use solutions available for this type of design. Googling for “rabbitmq workflow orchestration” the most helpful link I get is for an article that recommends the use of BPMN for this type of design. That is rather centered in the Java ecosystem. For my use case I needed something that worked well in python and would be preferably language Continue reading
Ways to Build a Talented and Reliable Work-at-Home IT Workforce
COVID-19 forced many organizations to create virtual IT teams. Things worked out so well that a growing number of IT leaders are now looking to build a permanent home-based workforce.New Virtual Event Platforms Other than Zoom
Whether you’ve got an online class, a business meeting, or just a virtual hangout with some friends, it seems that we are using more and more virtual event platforms by the hour. This begs the question, what other new virtual event platforms are there other than zoom that could possibly cater to your user needs in a better way? Let’s get into it, shall we?
BigMaker
Another prominent and useful virtual event platform, BigMaker is a browser-based virtual event platform that has an easy user interface with successful integrations and great features. It is used by brands, such as Panasonic, Google, and more. BigMaker provides its users with the standard features, such as session recording, surveys, polls, and screen sharing. Apart from that, you can also stream your event on YouTube or even Facebook, add company colors and logos to the virtual event, and it even comes with an in-built function for marketing that allows you to reach out to new leads regarding your upcoming virtual event. It has several other notable features that are:
- Audience Handouts
- Landing Pages
- Microsites
Price: BigMaker can cost you around $79 – $299+ on a monthly basis according to your needs.
Hopin
Another great Continue reading
Heavy Networking 590: What It Takes To Build An ISP In 2021
There's a huge amount that goes into building an ISP, from getting access to poles to run fiber, operating a cable plant, setting up customer support and billing, getting network gear in place---not to mention developing a viable business model and funding the whole thing. On today's Heavy Networking podcast we talk with Jim Troutman of Tilson Technology Management about building a local ISP in New England.
The post Heavy Networking 590: What It Takes To Build An ISP In 2021 appeared first on Packet Pushers.
Heavy Networking 590: What It Takes To Build An ISP In 2021
There's a huge amount that goes into building an ISP, from getting access to poles to run fiber, operating a cable plant, setting up customer support and billing, getting network gear in place---not to mention developing a viable business model and funding the whole thing. On today's Heavy Networking podcast we talk with Jim Troutman of Tilson Technology Management about building a local ISP in New England.AWS’s Egregious Egress
When web hosting services first emerged in the mid-1990s, you paid for everything on a separate meter: bandwidth, storage, CPU, and memory. Over time, customers grew to hate the nickel-and-dime nature of these fees. The market evolved to a fixed-fee model. Then came Amazon Web Services.
AWS was a huge step forward in terms of flexibility and scalability, but a massive step backward in terms of pricing. Nowhere is that more apparent than with their data transfer (bandwidth) pricing. If you look at the (ironically named) AWS Simple Monthly Calculator you can calculate the price they charge for bandwidth for their typical customer. The price varies by region, which shouldn't surprise you because the cost of transit is dramatically different in different parts of the world.
Charging for Stocks, Paying for Flows
AWS charges customers based on the amount of data delivered — 1 terabyte (TB) per month, for example. To visualize that, imagine data is water. AWS fills a bucket full of water and then charges you based on how much water is in the bucket. This is known as charging based on “stocks.”
On the other hand, AWS pays for bandwidth based on the capacity of their Continue reading
Empowering customers with the Bandwidth Alliance
High Egress Fees
Debates over the benefits and drawbacks of walled gardens versus open ecosystems have carried on since the beginnings of the tech industry. As applied to the Internet, we don’t think there’s much to debate. There’s a reason why it’s easier today than ever before to start a company online: open standards. They’ve encouraged a flourishing of technical innovation, made the Internet faster and safer, and easier and less expensive for anyone to have an Internet presence.
Of course, not everyone likes competition. Breaking open standards — with proprietary ones — is a common way to stop competition. In the cloud industry, a more subtle way to gain power over customers and lock them in has emerged. Something that isn’t obvious at the start: high egress fees.
You probably won’t notice them when you embark on your cloud journey. And if you need to bring data into your environment, there’s no data charge. But say you want to get that data out? Or go multi-cloud, and work with another cloud provider who is best-in-class? That’s when the charges start rolling in.
To make matters worse, as the number and diversity of applications in your IT stack increases, the Continue reading
Service Provider Use Case: Distributed Cloud for Edge Compute
In earlier blogs in this series, we covered data center architecture trends, network virtualization and overlays, traditional network automation and...
The post Service Provider Use Case: Distributed Cloud for Edge Compute appeared first on Pluribus Networks.
For Overstretched IT, Zero Trust Safeguards Remote Workers
Remote work environments pose new security threats, and zero trust protections are helping overburdened IT teams cope.Quantum Computing and OpenFlow
I read an excellent rant by prof. Victor Galitski describing the current explosion of Quantum Computing hype, and couldn’t help being reminded of the OpenFlow brouhaha we experienced almost a decade ago – you could do a simple search-and-replace and the article would have been equally valid.
Enjoy… and remember the details for the next time your beloved vendor comes along with Quantum Computing slide deck.
Introducing Workers Usage Notifications
So you’ve built an application on the Workers platform. The first thing you might be wondering after pushing your code out into the world is “what does my production traffic look like?” How many requests is my Worker handling? How long are those requests taking? And as your production traffic evolves overtime it can be a lot to keep up with. The last thing you want is to be surprised by the traffic your serverless application is handling. But, you have a million things to do in your day job, and having to log in to the Workers dashboard every day to check usage statistics is one extra thing you shouldn’t need to worry about.
Today we’re excited to launch Workers usage notifications that proactively send relevant usage information directly to your inbox. Usage notifications come in two flavors. The first is a weekly summary of your Workers usage with a breakdown of your most popular Workers. The second flavor is an on-demand usage notification, triggered when a worker’s CPU usage is 25% above its average CPU usage over the previous seven days. This on-demand notification helps you proactively catch large changes in Workers usage as soon as those Continue reading
Pegasus Pisses Me Off
In this week’s episode of the Gestalt IT Rundown, I jumped on my soapbox a bit regarding the latest Pegasus exploit. If you’re not familiar with Pegasus you should catch up with the latest news.
Pegasus is a toolkit designed by NSO Group from Israel. It’s designed for counterterrorism investigations. It’s essentially a piece of malware that can be dropped on a mobile phone through a series of unpatched exploits that allows you to create records of text messages, photos, and phone calls and send them to a location for analysis. On the surface it sounds like a tool that could be used to covertly gather intelligence on someone of interest and ensure that they’re known to law enforcement agencies so they can be stopped in the event of some kind of criminal activity.
Letting the Horses Out
If that’s where Pegasus stopped, I’d probably not care one way or the other. A tool used by law enforcement to figure out how to stop things that are tough to defend against. But because you’re reading this post you know that’s not where it stopped. Pegasus wasn’t merely a tool developed by intelligence agencies for targeted use. If I had to Continue reading