Response to CVE-2023-28479
Original date: December 2023
In August 2023, CVE-2023-28479 was filed as a vulnerability with a base severity score of 8.8 affecting TigerGraph’s Enterprise 3.7.0.
TigerGraph disputes this vulnerability because it rests on the assumption that the attacker already has access to the file system of a TigerGraph deployment, with the ability to execute and modify files there. To gain that access, the attacker must first log into the Docker image using the default username and password.
The TigerGraph platform includes a comprehensive development toolchain (compiler, linker, debugger, disassembler and assembler) within each deployment. The reported demonstration makes two findings: first, that an attacker can compile new executables on TigerGraph systems, and second, that they can alter the system’s behavior using the provided toolchain. The report lists TigerGraph Enterprise Free Edition 3.7.0 Docker Image and TigerGraph Enterprise Free Edition 3.7.0 as affected, and notes that the issue may extend to other TigerGraph products.
TigerGraph disputes this vulnerability because the first step of the exploitation procedure requires logging into the Docker image. This presumes that the attacker can gain access to the TigerGraph Docker image, an assumption undermined by TigerGraph’s documentation, which explicitly instructs users to change the Linux user’s password in Step 5; once that is done, an unauthorized login attempt with the default credentials fails.
Additionally, TigerGraph’s Docker image is intended solely for local Research and Development (R&D) purposes.
In future versions of TigerGraph, we will recommend that users deploy to production with the k8s operator and the k8s Docker image. Notably, the TigerGraph k8s operator deploys a different Docker image that has no default password. Users are also advised to supply their own key pair for enhanced security.
Further details are provided in our TigerGraph k8s operator preview documentation on GitHub.
In TigerGraph’s documentation, we specifically ask the user to change the Linux user’s password in Step 5. The login attempt in the proposed exploitation would not succeed if the user has done so.
The TigerGraph Docker image is for local R&D only.
For other installation methods, such as Installation on Bare Metal, our documentation advises users to change the default username and password.
The TigerGraph k8s operator uses a different Docker image that has NO default password.
The user needs to bring their own key pair to use it; see more details here.
We appreciate the diligence of the security community in raising concerns, and we take the security of our products seriously. TigerGraph is committed to maintaining a robust and secure environment for our users.