FeldrinH closed 1 week ago
Dear @FeldrinH,
Thank you for your inquiry regarding the security vulnerability fixed in VPL 4.2.4. While I understand your concern and desire for more detailed information, it is not advisable to share specific details publicly for security reasons.
However, I can assure you that if you update your VPL-Jail-System, there is no immediate need to update your Moodle plugin.
We apologize for any inconvenience this may have caused.
Best regards, Juan Carlos
My concern is what if someone has exploited the vulnerability before I updated. Could they have gained access to the host system? Escaped VPL jail? What is the potential damage if someone exploited this before the fix was applied?
Dear FeldrinH,
I share your concern regarding this issue. This is why we recommend installing the VPL-Jail-System on a freshly installed operating system. For enhanced security, you may also consider switching to the Docker version, which operates with no privileges.
Best regards, Juan Carlos
Dear @FeldrinH, since your initial question, the CVEs have been published, and you can find more details on the vulnerabilities at CVE-2024-34312 and CVE-2024-34313.
I would like to know more about the impact of the security vulnerability fixed in VPL 4.2.4. The release notes are fairly vague, and looking up CVE-2024-34312, I find that this CVE number is reserved but unused. Where could I find more info about this security vulnerability?