Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open ssl CVE present in node cache 1.22.20 #590

Closed
i5haan opened this issue Jun 21, 2023 · 11 comments · Fixed by #591
Closed

Open ssl CVE present in node cache 1.22.20 #590

i5haan opened this issue Jun 21, 2023 · 11 comments · Fixed by #591

Comments

@i5haan
Copy link
Contributor

i5haan commented Jun 21, 2023

I ran some scans on registry.k8s.io/dns/k8s-dns-node-cache:1.22.2 and found out there are some open CVEs present in this image. The following is the summary


✗ High severity vulnerability found in openssl/libssl1.1
  Description: Improper Certificate Validation
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-3368735
  Introduced through: openssl/libssl1.1@1.1.1n-0+deb11u4, openssl@1.1.1n-0+deb11u4, kmod@28-1
  From: openssl/libssl1.1@1.1.1n-0+deb11u4
  From: openssl@1.1.1n-0+deb11u4 > openssl/libssl1.1@1.1.1n-0+deb11u4
  From: kmod@28-1 > openssl/libssl1.1@1.1.1n-0+deb11u4
  and 2 more...
  Fixed in: 1.1.1n-0+deb11u5

✗ High severity vulnerability found in openssl/libssl1.1
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-5661566
  Introduced through: openssl/libssl1.1@1.1.1n-0+deb11u4, openssl@1.1.1n-0+deb11u4, kmod@28-1
  From: openssl/libssl1.1@1.1.1n-0+deb11u4
  From: openssl@1.1.1n-0+deb11u4 > openssl/libssl1.1@1.1.1n-0+deb11u4
  From: kmod@28-1 > openssl/libssl1.1@1.1.1n-0+deb11u4
  and 2 more...
  Fixed in: 1.1.1n-0+deb11u5

We need it remediated asap to keep infosec happy
@i5haan i5haan changed the title Open ssl CVE present in node dns 1.22.20 Open ssl CVE present in node cache 1.22.20 Jun 21, 2023
@dpasiukevich
Copy link
Member

Thanks,

There are already newer images. Could you check 1.22.21?
There's also 1.22.22 tag, but it's not promoted so the image is not yet in the registry.

@i5haan
Copy link
Contributor Author

i5haan commented Jun 21, 2023
edited
Loading

1.22.21 also has the same CVE's mentioned. Like you mentioned 1.22.22 is not accessible.

I doubt that 1.22.22 doesn't have the CVE because the base images that are used to build(gcr.io/gke-release/distroless-iptables:v0.2.4-gke.2@sha256:de81db8d3d8d61fcc13bae7b8d4b1ca1248f8e88356e500e7cd9f3f9a1d35cf4 and gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e) have the CVEs in them.
https://github.com/kubernetes/dns/blob/1.22.22/rules.mk#LL34C14-L34C119

If you could provide me the newer base images that I can use, I would be happy to contribute. I am unable to list latest tags.

@dpasiukevich
Copy link
Member

Hmm, does the static-debian has the vulnerability? AFAIK it should have no ssl libs.
Could you check the latest image?
gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e

Maybe base-debian is affected? As it should have the ssl libs.

As for the distroless-iptables let me ask, maybe there's soon a fixed version be released.

And thanks for the report!

@i5haan
Copy link
Contributor Author

i5haan commented Jun 21, 2023

My bad, yes, gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e is green(0 known CVE), only the ditsroless-iptables requires update.

What open sourced repo is distroless-iptables part of?

@dpasiukevich
Copy link
Member

I've checked with the maintainers of the image. gcr.io/gke-release/distroless-iptables:v0.2.4-gke.7 has the fix already.

@i5haan could you help to check if the base-debian is affected?

And then to make a PR for both images (or only one if needed)? I'd approve and release a new tag.

Thanks!

@dpasiukevich
Copy link
Member

Latest base-debian is: gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d

@i5haan
Copy link
Contributor Author

i5haan commented Jun 21, 2023

Thanks for sharing providing these images.
For the distroless-iptables, gcr.io/gke-release/distroless-iptables:v0.2.4-gke.7 does not have any critical/high/medium CVEs, but does has low CVEs.

For the base image, gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d has some low CVEs, but the one already checked in the code(gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e) has 0 CVEs(no low as well).

I will only update the distroless-iptables.

@dpasiukevich
Copy link
Member

I'm just thinking, if we're updating distroless-iptables, then updating the base-debian to the latest won't hurt as well.

Could you please include the

Uploaded Jun 17, 2023, 2:19:59 PM
gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d

at

dns/images/dnsmasq/Makefile

Line 32 in fed6049

BASEIMAGE ?= gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d

In the PR as well?

@dpasiukevich
Copy link
Member

dpasiukevich commented Jun 21, 2023
edited
Loading

Oh, wait, the hash is the same for the base-debian. Yep, only distroless-iptables are for the update.

i5haan added a commit to i5haan/dns that referenced this issue Jun 21, 2023
@i5haan
Update distroless-iptables image kubernetes#590
83aa07d
@i5haan i5haan mentioned this issue Jun 21, 2023
Merged
@i5haan
Copy link
Contributor Author

i5haan commented Jun 21, 2023

Thanks for the approval! After the commit, when does it get released?

k8s-ci-robot added a commit that referenced this issue Jun 21, 2023
@k8s-ci-robot
Merge pull request #591 from i5haan/590-update-distroless
e7026e0 
Update distroless-iptables image #590
@dpasiukevich
Copy link
Member

I've pushed the tag, we will promote the images to the k8s registry today-tomorrow.

@ty-dc ty-dc mentioned this issue Jul 3, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update distroless-iptables image #590 i5haan/dns
2 participants
@dpasiukevich @i5haan