On September 4th, it was uncovered that an unknown threat actor had attacked publicly available MinIO object storage clusters. The attackers exploited two known security vulnerabilities in the MinIO server: CVE-2023-28432 and CVE-2023-28434 Both vulnerabilities had been reported and fixed on March 19th and 20th, and a new release, RELEASE.2023-03-20T20-16-18Z, was published on the same day. Both CVEs were
Read more...
Encrypting network traffic is low-hanging fruit when securing IT infrastructure. MinIO follows a pragmatic approach when it comes to TLS. It has to be secure, it has to be performant and it has to be simple. Things that matter In almost all cases, there are just a couple of things we need to take into consideration: * The TLS version. * The
Read more...
Security is paramount at MinIO and sits up there with performance, simplicity and resilience in the pantheon of things that matter. MinIO encrypts data when stored on disk and when transmitted over the network. MinIO’s state-of-the-art encryption schemes support granular object-level encryption using modern, industry-standard encryption algorithms, such as AES-256-GCM, ChaCha20-Poly1305, and AES-CBC. MinIO is fully compatible with S3
Read more...Synopsis: A signature verification bypass vulnerability against the MinIO server was discovered and has been fixed in RELEASE.2021-03-17T02-33-02Z [https://github.com/minio/minio/releases/tag/RELEASE.2021-03-17T02-33-02Z]. Severity: Medium Who is affected: All users of the MinIO server version before RELEASE.2021-03-17T02-33-02Z affected. Users access MinIO over TLS are not affected. Recommended Action for Users: All users are advised
Read more...Synopsis: A server-side request forgery (SSRF) vulnerability against the MinIO server was discovered and has been fixed in RELEASE.2021-01-30T00-20-58Z [https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z]. Severity: Medium Who is affected: All users of the MinIO server version RELEASE.2019-12-17T23-16-33Z or newer are affected. Users that have disabled the MinIO browser UI are not affected. Recommended Action
Read more...
Two days ago, on Sep. 08, research teams from Germany and Israel published a joint research paper [https://raccoon-attack.com/RacoonAttack.pdf] describing another TLS timing attack - called Raccoon. This attack targets all TLS versions up to 1.2. The new attack [https://raccoon-attack.com/] exploits a timing side-channel during the TLS handshake when the Diffie-Hellman (DH) key exchange
Read more...
KES is a stateless and distributed key-management system for high-performance applications. We built KES as the bridge between modern applications - running as containers on Kubernetes - and centralized KMS solutions. Therefore, KES has been designed to be simple, scalable and secure by default.
Read more...
Understanding compression and the risks it presents in the compression-ratio side channel.
Read more...Fixed possibility of authentication bypass against MinIO server Admin API
Read more...
Erasure Code Calculator
Reference Hardware