Trust and Security Portal


Palantir is a software company that builds the world's leading software for data-driven operations and decision-making. For more than a decade, we’ve worked with customers in the most secure and highly-regulated industries and built software for their most sensitive data. Today, security remains the cornerstone of our product development, company culture, and internal operations.

Palantir cares deeply about the security outcomes of our customers, and we’re committed to transparency about our security practices and program. We stand resolute in continuously improving our security, data protection, and privacy controls to give you the most effective means of protecting your data possible.

Trust and Security Portal Updates

Palantir Security Bulletin - PLTRSEC-2024-43

Vulnerabilities

Security Bulletin

Bulletin ID: PLTRSEC-2024-43

CVE: CVE-2024-49587

Affected Products / Versions: N/A

Publication Date: January 28, 2025

Summary

Glutton V1 service endpoints were exposed without any authentication on Gotham stacks. This could have allowed users without any permission to reach the Glutton backend directly and read, update, or delete data. The affected service has been patched and automatically deployed to all Apollo-managed Gotham instances.

Background

Glutton is an essential part of a typical pipeline to integrate external data sources into Palantir Gotham (PG). The primary Glutton use case is to dynamically update data from an external data source as the data source changes over time.

Details

A software bug in Palantir's Glutton Service (V1) resulted in multiple endpoints being exposed without any authentication or authorization. The bug stemmed from a complex edge case during an infrastructure migration that caused some code checks to pass even though the client did not present a valid certificate to authenticate against the service.

Palantir's information security team conducted a thorough review of the audit logs associated with every impacted endpoint of the vulnerable service and found no evidence of abuse or exploitation. Additionally, on production environments the infrastructure WAF (Web Application Firewall) would block any client request that did not contain a valid Authorization header.

Remediation

This defect was resolved and rolled out to all affected Gotham instances. No further intervention is required.

Timeline

N/A

Acknowledgement

This issue was identified internally at Palantir.

Published at N/A

Palantir Security Bulletin - PLTRSEC-2024-48

Vulnerabilities

Security Bulletin

Bulletin ID: PLTRSEC-2024-48

CVE: CVE-2024-49589

Affected Products / Versions: artifacts, versions less than 0.1337.0

Publication Date: January 28, 2025

Summary

The Foundry Artifacts service was found to be vulnerable to a denial-of-service attack: the disk could be filled based on a user-supplied argument (size). The attacker needed to be logged in to the stack, since the endpoints enforced authentication checks but not authorization.

Background

Foundry Artifacts is built around the concept of repositories, of which there are two main types: local and remote.

Details

During an internal code review, it was discovered that multiple endpoints on Foundry Artifacts were vulnerable to a denial of service that required minimal user interaction. The Foundry Artifacts backend accepted an arbitrary value from user input and wrote random data to disk using the user-provided size; this allowed a denial-of-service attack by filling up the disk.
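As an added illustration (not Foundry Artifacts' code), the following handler bounds a client-declared size before anything touches the disk and then writes only the bytes the client actually sends, removing the partial file if the client overruns its declaration. The handler shape, the limits, and the sample chunks are assumptions for illustration.

```python
# Added example, not Foundry Artifacts' code: bounding a client-declared size
# before anything is written, and writing only the bytes actually received.
# The handler shape, limits and sample chunks are assumptions for illustration.
import os
import shutil
import tempfile

MAX_ARTIFACT_BYTES = 1024 * 1024            # assumed per-artifact cap
MIN_FREE_BYTES_AFTER_WRITE = 1024 * 1024    # assumed headroom to keep on the volume

def check_declared_size(declared_size: int, free_bytes: int) -> bool:
    # Reject negative values, values above the cap, and writes that would
    # leave the volume below the required headroom.
    if declared_size < 0 or declared_size > MAX_ARTIFACT_BYTES:
        return False
    return free_bytes - declared_size >= MIN_FREE_BYTES_AFTER_WRITE

def hardened_write(dest_dir: str, declared_size: int, chunks) -> int:
    # Stream the client's own bytes, never exceeding the declared (and capped)
    # size; a partial file is removed if the client overruns its declaration.
    if not check_declared_size(declared_size, shutil.disk_usage(dest_dir).free):
        raise ValueError("declared size rejected")
    path = os.path.join(dest_dir, "artifact.bin")
    written = 0
    try:
        with open(path, "wb") as f:
            for chunk in chunks:
                if written + len(chunk) > declared_size:
                    raise ValueError("client sent more than the declared size")
                f.write(chunk)
                written += len(chunk)
    except ValueError:
        os.remove(path)
        raise
    return written

def demo() -> dict:
    # Constructed inputs: an honest 8-byte upload, then a client that declares 4
    # bytes and sends 5, then an absurd declared size against a huge free volume.
    with tempfile.TemporaryDirectory() as d:
        written = hardened_write(d, 8, [b"abcd", b"efgh"])
        try:
            hardened_write(d, 4, [b"abcd", b"e"])
            overrun_rejected = False
        except ValueError:
            overrun_rejected = True
        return {
            "written": written,
            "overrun_rejected": overrun_rejected,
            "oversized_rejected": not check_declared_size(10**12, 10**15),
        }
```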

Remediation

This defect was resolved with the release of Foundry Artifacts 0.1337.0.

Timeline

N/A

Acknowledgement

This issue was identified internally at Palantir.

Published at N/A

PLTRSEC-2024-47

Vulnerabilities

Security Bulletin

Bulletin ID: PLTRSEC-2024-47

CVE: CVE-2024-49581

Affected Products / Versions: N/A

Publication Date: November 14, 2024

Summary

Access controls on objects backed by Restricted Views (OSV1) could be bypassed under specific circumstances due to a software bug. This could have allowed users who did not have permission to see such objects to view them directly via Object Explorer. The affected service has been patched and automatically deployed to all Apollo-managed Foundry instances.

Background

Object Explorer background: Object Explorer is a search and analysis tool for answering questions about anything in the Ontology.

Restricted Views background: Markings and roles provide powerful access controls, but some situations require more granular permissioning. For example, it may be insufficient or inappropriate to grant access to all objects of a certain type; some object types may need to surface different objects to different users, as when a company limits its sales representatives to viewing customers at their assigned branch. Restricted Views can provide this additional level of access control.

Details

A software bug in Palantir's External Artifacts service (versions 105.110.1 through 105.115.0) resulted in Palantir's Phonograph service, under certain circumstances, not correctly verifying permissions when API queries were issued. The regression introduced by this bug meant that authenticated users within a Palantir organization could potentially bypass granular policies on legacy Objects backed by Restricted Views.

It is important to note that this software bug DID NOT impact or otherwise make data available across organizational boundaries nor did it allow for data to be viewed or accessed by unauthenticated users.

Palantir's information security team conducted a thorough review of audit logs associated with each Palantir environment to gauge potential impact caused by this software bug. An impact assessment was delivered to each potentially impacted customer.

Remediation

After confirming the issue and identifying the scope of impact, all Apollo-joined Palantir deployments were automatically rolled back to the last known safe version of the External Artifacts. Palantir deployments that are not Apollo-managed were manually reverted by Palantir's Forward Deployed Engineers.

A fixed version of External Artifacts was released (v105.116.0) shortly after, and has been rolled out to all Foundry instances. No further intervention is required.

Timeline

N/A

Acknowledgement

This issue was identified internally at Palantir.

Published at N/A

PLTRSEC-2024-46

Vulnerabilities

Security Bulletin

Bulletin ID: PLTRSEC-2024-46

CVE: CVE-2024-49588

Affected Products / Versions: sls-oracle-sidecar, versions greater than or equal to 0.347.0 and less than 0.544.0

Publication Date: November 4, 2024

Summary

Multiple endpoints in oracle-sidecar in versions 0.347.0 to 0.543.0 were found to be vulnerable to SQL injections. A malicious, authenticated service user with network access to the container could have abused some of the endpoints the service provides to execute arbitrary SQL commands on the backend database, potentially compromising confidentiality, integrity and availability of the Oracle database.

Background

The oracle-sidecar service provides database performance metrics for Oracle databases. Its endpoints are only available internally and require a special service-level secret to authenticate.

Details

In October 2024, a routine security review discovered that oracle-sidecar did not adequately sanitize parameters supplied via API requests before inserting them into SQL queries against the backend. Multiple endpoints followed this pattern. This allowed a user with knowledge of the service secret and access to the container's ports to inject into SQL queries. SQL injection can lead to unauthorized data manipulation, data exfiltration, and command execution.

Remediation

All service endpoints were patched to construct SQL queries using prepared statements, eliminating the possibility of SQL injection. The vulnerabilities are remediated from version 0.544.0 onwards.
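To show why the prepared-statement remediation works, here is an added example (not oracle-sidecar's code) of the spliced-string query pattern beside its bound-parameter form; it also goes one step beyond the bulletin by allowlisting an identifier-style parameter (an ORDER BY column), which cannot be bound as a value. SQLite in memory stands in for the Oracle backend, and the table, columns and rows are constructed.

```python
# Added example, not oracle-sidecar's code: the spliced-string query pattern
# described above beside the prepared-statement fix, plus an allowlist for an
# identifier parameter (ORDER BY column) that cannot be bound as a value.
# SQLite in memory stands in for Oracle; table, columns and rows are constructed.
import sqlite3

ALLOWED_ORDER_COLUMNS = {"table_name", "row_count"}  # assumed identifier allowlist

def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for per-table performance metrics.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_stats (table_name TEXT, row_count INTEGER)")
    conn.executemany("INSERT INTO table_stats VALUES (?, ?)",
                     [("orders", 1200), ("customers", 80), ("audit_log", 99000)])
    return conn

def stats_vulnerable(conn: sqlite3.Connection, table_name: str) -> list:
    # The request parameter is spliced into the SQL text, so quotes and
    # keywords inside it become part of the statement the database parses.
    sql = f"SELECT table_name, row_count FROM table_stats WHERE table_name = '{table_name}'"
    return conn.execute(sql).fetchall()

def stats_prepared(conn: sqlite3.Connection, table_name: str,
                   order_by: str = "table_name") -> list:
    # Prepared statement: the value travels separately from the SQL text and is
    # only ever compared as data. Identifiers cannot be bind parameters, so the
    # ORDER BY column is checked against a fixed allowlist instead.
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported order_by column: {order_by!r}")
    sql = f"SELECT table_name, row_count FROM table_stats WHERE table_name = ? ORDER BY {order_by}"
    return conn.execute(sql, (table_name,)).fetchall()

def demo() -> dict:
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input that closes the quoted literal
    try:
        stats_prepared(conn, "orders", order_by="not_a_column")
        bad_identifier_rejected = False
    except ValueError:
        bad_identifier_rejected = True
    return {
        "benign_vulnerable": stats_vulnerable(conn, "orders"),
        "benign_prepared": stats_prepared(conn, "orders"),
        "hostile_vulnerable_rows": len(stats_vulnerable(conn, hostile)),
        "hostile_prepared_rows": len(stats_prepared(conn, hostile)),
        "bad_identifier_rejected": bad_identifier_rejected,
    }
```

With the spliced string the hostile value turns a single-row lookup into a full-table read; with the bound parameter the same value simply matches nothing.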

Timeline

N/A

Acknowledgement

This issue was identified internally at Palantir.

Published at N/A

PLTRSEC-2024-42

Vulnerabilities

Security Bulletin

Bulletin ID: PLTRSEC-2024-42

CVE: N/A

Affected Products / Versions: N/A

Publication Date: October 31, 2024

Summary

The Dispatch service contained an issue where, under very specific circumstances, the title of a resolved object that the user is not allowed to see could be disclosed.

Background

Palantir Gotham consists of a backend monolith known as the Dispatch server, and additional backend support services. Dispatch contains the core logic for Gotham, and includes various APIs. Users of the Browser Application within Palantir Gotham’s Frontend can view data stored in Gotham, including historical versions of the data, via Dispatch’s APIs.

Details

After multiple objects are resolved in Gotham, history events are generated that include the titles of the resolved objects. Under specific circumstances, these titles could become visible to users who would not previously have had permission to see them.

Remediation

All versions of Dispatch that use dynamic object title generation, from 100.30191104.0 until 105.85.0, are affected except for these patched versions:

  • 104.30240308.264
  • 105.19.138
  • 105.35.71
  • 105.59.30
  • 105.80.4
  • 105.84.2
  • 105.85.0 and beyond

Timeline

N/A

Acknowledgement

This issue was identified internally at Palantir.

Published at N/A

If you think you may have discovered a vulnerability, please send us a note.
