Palantir is a software company that builds the world's leading software for data-driven operations and decision-making. For more than a decade, we’ve worked with customers in the most secure and highly-regulated industries and built software for their most sensitive data. Today, security remains the cornerstone of our product development, company culture, and internal operations.
Palantir cares deeply about the security outcomes of our customers, and we’re committed to transparency about our security practices and program. We stand resolute in continuously improving our security, data protection, and privacy controls to give you the most effective means of protecting your data possible.
Security Bulletin
Bulletin ID: PLTRSEC-2024-47
CVE: CVE-2024-49581
Affected Products / Versions: N/A
Publication Date: November 14, 2024
Summary
Restricted View-backed objects (OSV1) could be bypassed under specific circumstances due to a software bug. This could have allowed users who did not have permission to see such objects to view them directly via Object Explorer. The affected service has been patched, and the fix was automatically deployed to all Apollo-managed Foundry instances.
Background
Object Explorer background: Object Explorer is a search and analysis tool for answering questions about anything in the Ontology.
Restricted Views background: Markings and roles provide powerful access controls, but some situations require more granular permissioning. For example, it may be insufficient or inappropriate to grant access to all objects of a certain type; some object types may need to surface different objects to different users, as when a company limits its sales representatives to viewing customers at their assigned branch. Restricted Views can provide this additional level of access control.
Details
A software bug in Palantir’s External Artifacts service (versions 105.110.1 through 105.115.0) caused Palantir’s Phonograph service, under certain circumstances, to not correctly verify permissions when API queries were issued. The regression introduced by this bug meant that authenticated users within a Palantir organization could potentially bypass granular policies on legacy Objects backed by Restricted Views.
It is important to note that this software bug DID NOT impact or otherwise make data available across organizational boundaries nor did it allow for data to be viewed or accessed by unauthenticated users.
Palantir's information security team conducted a thorough review of audit logs associated with each Palantir environment to gauge potential impact caused by this software bug. An impact assessment was delivered to each potentially impacted customer.
Remediation
After confirming the issue and identifying the scope of impact, all Apollo-joined Palantir deployments were automatically rolled back to the last known safe version of External Artifacts. Palantir deployments that are not Apollo-managed were manually reverted by Palantir's Forward Deployed Engineers.
A fixed version of External Artifacts (v105.116.0) was released shortly afterwards and has been rolled out to all Foundry instances. No further intervention is required.
Timeline
N/A
Acknowledgement
This issue was identified internally at Palantir.
Security Bulletin
Bulletin ID: PLTRSEC-2024-46
CVE: CVE-2024-49588
Affected Products / Versions: sls-oracle-sidecar, versions less than 0.544.0; sls-oracle-sidecar, versions greater than or equal to 0.347.0
Publication Date: November 4, 2024
Summary
Multiple endpoints in oracle-sidecar in versions 0.347.0 to 0.543.0 were found to be vulnerable to SQL injections. A malicious, authenticated service user with network access to the container could have abused some of the endpoints the service provides to execute arbitrary SQL commands on the backend database, potentially compromising confidentiality, integrity and availability of the Oracle database.
Background
The oracle-sidecar service provides database performance metrics for Oracle databases. Its endpoints are only available internally and require a special service-level secret to authenticate.
Details
In October 2024, a routine security review discovered that oracle-sidecar did not adequately sanitize parameters supplied via API requests before inserting them into SQL queries against the backend. Multiple endpoints followed this pattern. This allowed a user with knowledge of a service secret and access to the container's ports to inject into SQL queries. SQL injections can potentially lead to unauthorized data manipulation, data exfiltration, and command execution.
Remediation
All service endpoints were patched to construct SQL queries using prepared statements, eliminating the possibility of SQL injection. The vulnerabilities are remediated from version 0.544.0 onwards.
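The pattern the remediation describes, string-built SQL replaced by prepared statements, as an added illustration that is not Palantir's or oracle-sidecar's code. It uses Python's sqlite3 module with a constructed in-memory table standing in for the Oracle metrics backend; the table, column and session names are made up. It also covers one case that prepared statements alone do not solve, a caller-supplied sort column, because identifiers cannot be bound as parameters and need an allowlist instead.

```python
import sqlite3

# Sort columns an endpoint may accept. Identifiers cannot be bound as parameters,
# so they are validated against an allowlist before being placed in the query.
ALLOWED_SORT_COLUMNS = {"sid", "cpu_ms"}


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the Oracle metrics backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE session_stats (sid TEXT, cpu_ms INTEGER, note TEXT)")
    conn.executemany(
        "INSERT INTO session_stats VALUES (?, ?, ?)",
        [("sess-1", 120, "internal"), ("sess-2", 45, "internal"), ("sess-3", 900, "internal")],
    )
    conn.commit()
    return conn


def stats_unsafe(conn: sqlite3.Connection, sid: str) -> list:
    # Vulnerable pattern: the request parameter is spliced into the SQL text, so
    # quote characters in `sid` change the structure of the query instead of
    # being compared as data.
    query = f"SELECT sid, cpu_ms FROM session_stats WHERE sid = '{sid}'"
    return conn.execute(query).fetchall()


def stats_prepared(conn: sqlite3.Connection, sid: str) -> list:
    # Remediated pattern: a prepared statement with a bound parameter. The driver
    # passes `sid` as a value, never as SQL, whatever characters it contains.
    query = "SELECT sid, cpu_ms FROM session_stats WHERE sid = ?"
    return conn.execute(query, (sid,)).fetchall()


def is_allowed_sort(column: str) -> bool:
    return column in ALLOWED_SORT_COLUMNS


def stats_above(conn: sqlite3.Connection, min_cpu_ms: int, order_by: str) -> list:
    # The value is bound; the identifier is allowlisted before it is interpolated.
    if not is_allowed_sort(order_by):
        raise ValueError(f"unsupported sort column: {order_by!r}")
    query = f"SELECT sid, cpu_ms FROM session_stats WHERE cpu_ms >= ? ORDER BY {order_by}"
    return conn.execute(query, (min_cpu_ms,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # constructed input containing a quote character
    print(stats_unsafe(conn, probe))    # every row: the WHERE clause was rewritten
    print(stats_prepared(conn, probe))  # no rows: compared literally against sid
    print(stats_above(conn, 100, "cpu_ms"))
```

The same quote-bearing input returns the whole table from the string-built query and nothing from the prepared one, which is the behaviour difference a code review of such endpoints should look for.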
Timeline
N/A
Acknowledgement
This issue was identified internally at Palantir.
Security Bulletin
Bulletin ID: PLTRSEC-2024-42
CVE: N/A
Affected Products / Versions: N/A
Publication Date: October 31, 2024
Summary
The Dispatch service contained an issue that, under very specific circumstances, could result in disclosing the title of a resolved object that the user is not allowed to see.
Background
Palantir Gotham consists of a backend monolith known as the Dispatch server, and additional backend support services. Dispatch contains the core logic for Gotham, and includes various APIs. Users of the Browser Application within Palantir Gotham’s Frontend can view data stored in Gotham, including historical versions of the data, via Dispatch’s APIs.
Details
After resolving multiple objects in Gotham, history events are generated which include the titles of resolved objects. Under specific circumstances, titles could become visible to users that would not have previously had permission to see the titles.
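How an object-level policy can be enforced on every read path, as an added illustration that serves both the Restricted Views bypass above (PLTRSEC-2024-47) and the history-event title disclosure in this bulletin. This is example code, not Palantir's Phonograph, Object Explorer or Dispatch implementation. The branch-scoped sales example comes from the Restricted Views background text; the class and field names, the sample customers and the "[restricted]" placeholder are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    branch: str


@dataclass(frozen=True)
class Customer:
    object_id: str
    title: str
    branch: str


@dataclass(frozen=True)
class HistoryEvent:
    kind: str
    object_ids: tuple  # ids of the objects this event resolved


class CustomerStore:
    """Constructed store of customer objects behind a branch-scoped Restricted View."""

    def __init__(self, customers, events):
        self._by_id = {c.object_id: c for c in customers}
        self._events = list(events)

    def _visible(self, user: User, obj: Customer) -> bool:
        # The Restricted View policy from the background text: a representative
        # may see only customers at their assigned branch. Anything else is denied.
        return obj.branch == user.branch

    def search(self, user: User, text: str) -> list:
        # Search results pass through the policy ...
        return [
            c for c in self._by_id.values()
            if text.lower() in c.title.lower() and self._visible(user, c)
        ]

    def get(self, user: User, object_id: str):
        # ... and so does a direct lookup by id. Skipping the check here because the
        # caller "already knows the id" is the shape of a direct-access bypass.
        obj = self._by_id.get(object_id)
        if obj is None or not self._visible(user, obj):
            return None  # indistinguishable from a missing object
        return obj

    def history(self, user: User) -> list:
        # Derived artifacts resolve titles against the reader's permissions at read
        # time, rather than copying titles into the event when it is written.
        rendered = []
        for ev in self._events:
            titles = []
            for oid in ev.object_ids:
                obj = self.get(user, oid)
                titles.append(obj.title if obj else "[restricted]")
            rendered.append((ev.kind, titles))
        return rendered


def build_sample_store() -> CustomerStore:
    # Constructed sample data: three customers at three branches and one event
    # that resolved two of them.
    customers = [
        Customer("c-1", "Northwind Corp", "north"),
        Customer("c-2", "Southgate Corp", "south"),
        Customer("c-3", "Eastbay Ltd", "east"),
    ]
    events = [HistoryEvent("resolve", ("c-1", "c-2"))]
    return CustomerStore(customers, events)


if __name__ == "__main__":
    store = build_sample_store()
    alice = User("alice", "north")
    print([c.object_id for c in store.search(alice, "corp")])
    print(store.get(alice, "c-2"))
    print(store.history(alice))
```

The point of routing `history` through `get` is that a single policy function decides visibility for search hits, direct lookups and derived records alike, so a regression in one path cannot leave another path more permissive.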
Remediation
All versions of Dispatch that use dynamic object title generation, from 100.30191104.0 until 105.85.0, are affected except these patched versions:
- 104.30240308.264
- 105.19.138
- 105.35.71
- 105.59.30
- 105.80.4
- 105.84.2
- 105.85.0 and beyond
Timeline
N/A
Acknowledgement
This issue was identified internally at Palantir.
Security Bulletin
Bulletin ID: PLTRSEC-2024-41
CVE: CVE-2023-30972
Affected Products / Versions: code-assist-proxy, versions 2.1018.0 to 2.1025.0 (inclusive); code-assist-proxy, versions 2.972.0 to 2.1017.0 (inclusive)
Publication Date: October 30, 2024
Summary
In v2.972.0, a new feature was added to code-assist-proxy in the Code Repositories application which enabled anyone who could see code in the repository (anyone with Viewer permissions and above) to perform runtime debugging. As a result, anyone with Viewer permissions on a repository could see the credential objects that had been set up and were being used by the authored code, since they would be present at runtime and visible in the debugger.
Background
code-assist-proxy is a constituent part of Code Repositories, providing syntax debugging and, more recently (as of v2.972.0), runtime debugging support. Runtime debugging enables a user of Code Repositories to step through code during execution and inspect variables that are set as part of the execution.
Details
Code Repositories may contain Credential Objects that hold secrets such as username/password combinations for APIs that authored code needs to interact with. These integrations would be set up by an Editor/Owner of the repository and should be presumed to be known by anyone who had the ability to commit code changes to that repository, as any executed code would have access to that repository's credentials.
In v2.972.0, runtime debugging was made available within the Code Repositories app, but the permissions to execute debugging were made available to anyone with Viewer or greater permissions on the repository (i.e. anyone who could open the repository and inspect the code). When debugging, credentials would necessarily be injected into the runtime environment, meaning they could be seen.
Remediation
Palantir restricted the permissions necessary to perform runtime debugging to the Editor and Owner roles of the Code Repository, which are the only default roles able to make code commits to repositories. This change was backported to v2.1017.1 and made available in v2.1026.0 onwards. All managed stacks were upgraded to safe versions. All instances of a Viewer running debugging on a repository with credential objects were identified.
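A way to check a repository permission matrix for the gap described here, as an added example that is not code-assist-proxy's or Code Repositories' code. The role names come from the bulletin; the capability names and the rule that a secret-exposing capability must require commit rights are assumptions that encode the bulletin's reasoning as an invariant.

```python
# Constructed capability sets per repository role, mirroring the roles named in
# the bulletin; the capability names are assumptions for this example.
WEAK_ROLE_CAPS = {
    "viewer": {"read_code", "debug_runtime"},  # the v2.972.0 behaviour described above
    "editor": {"read_code", "commit", "debug_runtime"},
    "owner": {"read_code", "commit", "debug_runtime", "manage_credentials"},
}

FIXED_ROLE_CAPS = {
    "viewer": {"read_code"},  # debugging now requires Editor or Owner
    "editor": {"read_code", "commit", "debug_runtime"},
    "owner": {"read_code", "commit", "debug_runtime", "manage_credentials"},
}

# Invariant: any capability that exposes the repository's credential objects at
# runtime may only be held by roles that could already reach those credentials
# by committing code that runs against them.
SECRET_EXPOSING = {"debug_runtime"}
SECRET_EQUIVALENT = {"commit"}


def find_privilege_gaps(role_caps: dict) -> list:
    """Return (role, [capabilities]) pairs that violate the invariant."""
    gaps = []
    for role, caps in role_caps.items():
        exposing = caps & SECRET_EXPOSING
        if exposing and not (caps & SECRET_EQUIVALENT):
            gaps.append((role, sorted(exposing)))
    return gaps


def authorize(role_caps: dict, role: str, capability: str) -> bool:
    """Server-side check an endpoint would call before starting a debug session;
    unknown roles get nothing."""
    return capability in role_caps.get(role, set())


if __name__ == "__main__":
    print(find_privilege_gaps(WEAK_ROLE_CAPS))   # flags viewer/debug_runtime
    print(find_privilege_gaps(FIXED_ROLE_CAPS))  # empty
    print(authorize(FIXED_ROLE_CAPS, "viewer", "debug_runtime"))
```

Running `find_privilege_gaps` over a role matrix in CI catches a future feature that again grants a credential-exposing capability to a role below the commit threshold, which is the class of regression this bulletin describes.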
Timeline
N/A
Acknowledgement
This issue was reported externally to Palantir.
Palantir is not affected
Palantir is not affected by any ongoing availability or stability incidents related to Microsoft Windows and Crowdstrike Endpoint Detection and Response Tooling.