Owning our mistakes, “mea culpa” from Cohesive’s CEO

20 Sep 2024

We owe our customers an apology as a number of issues were recently found by the Trend Micro Zero Day Initiative.

Unfortunately, two of them involved the potential for unauthenticated users to trigger remote code execution, which earned a very high score.

(Note: Like with other recent industry exploits, if your control plane access is limited as we advise, then the risks are significantly lower.)

If you follow the CVEs that are released every day, we are not alone, but that is still not an excuse.

While our engineering management and company management are intimately involved in all code changes and releases, we did not expand some of our processes commensurately as our solution footprint and our responsibilities to our customers have grown.

Since the disclosure, we have worked with customers to get them patches and new cloud images.

We have added additional code review tools and processes to our releases.

Thank you to Trend Micro ZDI and Mehmet INCE @prodaft for the discovery and working us through the disclosure process. We are grateful for the help from the community to make our products and customers more secure.

Any users of the VNS3 Network Platform who need help can always reach us via support@cohesive.net, and we will assist with patching and upgrades.
https://cohesive.net/support/security-responses/

– Pat Kerpan
CEO, Cohesive