
Open ssl CVE present in node cache 1.22.20 #590

Closed
i5haan opened this issue Jun 21, 2023 · 11 comments · Fixed by #591

Comments

@i5haan
Contributor

i5haan commented Jun 21, 2023

I ran some scans on registry.k8s.io/dns/k8s-dns-node-cache:1.22.2 and found out there are some open CVEs present in this image. The following is the summary:


✗ High severity vulnerability found in openssl/libssl1.1
  Description: Improper Certificate Validation
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-3368735
  Introduced through: openssl/libssl1.1@1.1.1n-0+deb11u4, openssl@1.1.1n-0+deb11u4, kmod@28-1
  From: openssl/libssl1.1@1.1.1n-0+deb11u4
  From: openssl@1.1.1n-0+deb11u4 > openssl/libssl1.1@1.1.1n-0+deb11u4
  From: kmod@28-1 > openssl/libssl1.1@1.1.1n-0+deb11u4
  and 2 more...
  Fixed in: 1.1.1n-0+deb11u5

✗ High severity vulnerability found in openssl/libssl1.1
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-5661566
  Introduced through: openssl/libssl1.1@1.1.1n-0+deb11u4, openssl@1.1.1n-0+deb11u4, kmod@28-1
  From: openssl/libssl1.1@1.1.1n-0+deb11u4
  From: openssl@1.1.1n-0+deb11u4 > openssl/libssl1.1@1.1.1n-0+deb11u4
  From: kmod@28-1 > openssl/libssl1.1@1.1.1n-0+deb11u4
  and 2 more...
  Fixed in: 1.1.1n-0+deb11u5

We need it remediated asap to keep infosec happy

@i5haan i5haan changed the title Open ssl CVE present in node dns 1.22.20 Open ssl CVE present in node cache 1.22.20 Jun 21, 2023
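The scan summary quoted in the report above is free text, which makes it easy to lose findings when comparing several candidate images by hand. The following is an added example (not code from the issue or from the kubernetes/dns project) that parses that Snyk-style summary into records, groups them per package with the "Fixed in" version that closes them, and flags anything above a severity ceiling, which is the bar the thread later applies (no critical/high/medium). The sample input embeds the two openssl findings from the report plus one constructed low-severity finding with no fix and a placeholder advisory id, so that the "unfixed" path is exercised.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the scanner output quoted in the issue.
# The two openssl findings are copied from the report; the libc6 entry is
# invented here (placeholder advisory id) to exercise the "no fix" path.
SAMPLE_SCAN = """\
✗ High severity vulnerability found in openssl/libssl1.1
  Description: Improper Certificate Validation
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-3368735
  Introduced through: openssl/libssl1.1@1.1.1n-0+deb11u4, openssl@1.1.1n-0+deb11u4, kmod@28-1
  From: openssl/libssl1.1@1.1.1n-0+deb11u4
  From: kmod@28-1 > openssl/libssl1.1@1.1.1n-0+deb11u4
  and 2 more...
  Fixed in: 1.1.1n-0+deb11u5

✗ High severity vulnerability found in openssl/libssl1.1
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-5661566
  Introduced through: openssl/libssl1.1@1.1.1n-0+deb11u4, openssl@1.1.1n-0+deb11u4, kmod@28-1
  From: openssl/libssl1.1@1.1.1n-0+deb11u4
  Fixed in: 1.1.1n-0+deb11u5

✗ Low severity vulnerability found in libc/libc6
  Description: Constructed finding without an available fix
  Info: https://security.snyk.io/vuln/SNYK-EXAMPLE-PLACEHOLDER
  Introduced through: libc/libc6@2.31-13+deb11u5
  From: libc/libc6@2.31-13+deb11u5
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

HEADER_RE = re.compile(
    r"^✗ (?P<severity>\w+) severity vulnerability found in (?P<package>\S+)$"
)


def parse_scan(text):
    """Turn the text summary into a list of finding dicts.

    Each '✗ ... found in <package>' line opens a finding; the indented
    'Key: value' lines that follow fill it in. 'Fixed in' is optional, so a
    finding with no fix keeps fixed_in=None.
    """
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {
                "severity": m.group("severity").lower(),
                "package": m.group("package"),
                "id": None,
                "fixed_in": None,
                "introduced_through": [],
            }
            findings.append(current)
            continue
        if current is None:
            continue  # preamble before the first finding
        key, sep, value = line.partition(":")
        if not sep:
            continue  # lines such as "and 2 more..."
        key, value = key.strip().lower(), value.strip()
        if key == "fixed in":
            current["fixed_in"] = value
        elif key == "info":
            current["id"] = value.rsplit("/", 1)[-1]  # advisory id from the URL
        elif key == "introduced through":
            current["introduced_through"] = [p.strip() for p in value.split(",")]
    return findings


def remediation_plan(findings):
    """Per package: the fixed versions that would close its findings, how many
    findings have no fix, and the worst severity seen."""
    plan = defaultdict(lambda: {"fixed_in": set(), "unfixed": 0, "worst": "low"})
    for f in findings:
        entry = plan[f["package"]]
        if f["fixed_in"]:
            entry["fixed_in"].add(f["fixed_in"])
        else:
            entry["unfixed"] += 1
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["worst"]]:
            entry["worst"] = f["severity"]
    return dict(plan)


def policy_violations(findings, max_allowed="low"):
    """Findings more severe than the ceiling; an empty list means the image
    passes (the thread's bar is 'no critical/high/medium', i.e. max_allowed='low')."""
    ceiling = SEVERITY_RANK[max_allowed]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] > ceiling]


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    for pkg, entry in remediation_plan(found).items():
        print(pkg, entry)
    print("violations:", [f["id"] for f in policy_violations(found)])
```

Running the block over a scan of each candidate image (1.22.20, 1.22.21, the rebuilt image) gives a comparable per-package table instead of eyeballing two text dumps, and the empty `policy_violations` list is the condition a CI gate would check before a base image bump is accepted.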
@dpasiukevich
Member

Thanks,

There are already newer images. Could you check 1.22.21?
There's also a 1.22.22 tag, but it's not promoted, so the image is not yet in the registry.

@i5haan
Contributor Author

i5haan commented Jun 21, 2023

1.22.21 also has the same CVEs mentioned. Like you mentioned, 1.22.22 is not accessible.

I doubt that 1.22.22 doesn't have the CVE, because the base images that are used to build (gcr.io/gke-release/distroless-iptables:v0.2.4-gke.2@sha256:de81db8d3d8d61fcc13bae7b8d4b1ca1248f8e88356e500e7cd9f3f9a1d35cf4 and gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e) have the CVEs in them.
https://github.com/kubernetes/dns/blob/1.22.22/rules.mk#LL34C14-L34C119

If you could provide me the newer base images that I can use, I would be happy to contribute. I am unable to list the latest tags.

@dpasiukevich
Member

Hmm, does the static-debian have the vulnerability? AFAIK it should have no ssl libs.
Could you check the latest image?
gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e

Maybe base-debian is affected? As it should have the ssl libs.

As for the distroless-iptables, let me ask; maybe a fixed version will be released soon.

And thanks for the report!

@i5haan
Contributor Author

i5haan commented Jun 21, 2023

My bad, yes, gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e is green (0 known CVEs); only the distroless-iptables requires an update.

What open-source repo is distroless-iptables part of?

@dpasiukevich
Member

I've checked with the maintainers of the image. gcr.io/gke-release/distroless-iptables:v0.2.4-gke.7 has the fix already.

@i5haan could you help to check if the base-debian is affected?

And then to make a PR for both images (or only one if needed)? I'd approve and release a new tag.

Thanks!

@dpasiukevich
Member

Latest base-debian is: gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d

@i5haan
Contributor Author

i5haan commented Jun 21, 2023

Thanks for providing these images.
For the distroless-iptables, gcr.io/gke-release/distroless-iptables:v0.2.4-gke.7 does not have any critical/high/medium CVEs, but does have low CVEs.

For the base image, gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d has some low CVEs, but the one already checked in the code (gcr.io/distroless/static-debian11@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e) has 0 CVEs (no low ones either).

I will only update the distroless-iptables.

@dpasiukevich
Member

I'm just thinking, if we're updating distroless-iptables, then updating the base-debian to the latest won't hurt either.

Could you please include the

Uploaded Jun 17, 2023, 2:19:59 PM
gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d

at

BASEIMAGE ?= gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d

in the PR as well?
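The fix discussed in this thread is a one-line change to a `BASEIMAGE ?= ...@sha256:...` assignment in rules.mk, and the whole conversation is about which digest is "green". An added example (not code from the issue or from the kubernetes/dns project) that audits such a file: it extracts every `VAR ?= image` assignment, requires each image to be pinned by a sha256 digest rather than a mutable tag, and checks the digest against an approved list of digests that have been scanned clean. The sample input reuses the BASEIMAGE line quoted above; the second variable name `IPTABLES_BASEIMAGE` and its tag-only value are constructed here to show a failing case and are not taken from the project's rules.mk.

```python
import re

# Constructed rules.mk fragment. The BASEIMAGE line is the one quoted in the
# thread; IPTABLES_BASEIMAGE is a hypothetical variable name with a tag-only
# reference, included so that the "not digest-pinned" check has something to flag.
SAMPLE_RULES_MK = """\
# base image for the node-cache binary
BASEIMAGE ?= gcr.io/distroless/base-debian11@sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d
IPTABLES_BASEIMAGE ?= gcr.io/gke-release/distroless-iptables:v0.2.4-gke.7
"""

# Digests the thread reports as scanned clean for the project's purposes.
APPROVED_DIGESTS = {
    "sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d",  # base-debian11
    "sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e",  # static-debian11
}

ASSIGN_RE = re.compile(r"^\s*(?P<var>\w+)\s*\?=\s*(?P<ref>\S+)\s*$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_vars(text):
    """Return {VAR: image_ref} for every 'VAR ?= ref' line; comments are skipped."""
    result = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            result[m.group("var")] = m.group("ref")
    return result


def parse_image_ref(ref):
    """Split 'repo[:tag][@sha256:hex]' into (repo, tag, digest).

    The tag separator is the last ':' after the last '/', so a registry port
    such as 'host:5000/repo' is not mistaken for a tag.
    """
    name, _, digest = ref.partition("@")
    repo, tag = name, None
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        repo, tag = name[:colon], name[colon + 1:]
    return repo, tag, (digest or None)


def is_digest_pinned(ref):
    """True only if the reference carries a well-formed sha256 digest."""
    _, _, digest = parse_image_ref(ref)
    return digest is not None and DIGEST_RE.match(digest) is not None


def audit_base_images(text, approved_digests):
    """List human-readable problems: tag-only pins and digests not on the approved list."""
    problems = []
    for var, ref in parse_image_vars(text).items():
        repo, tag, digest = parse_image_ref(ref)
        if not is_digest_pinned(ref):
            problems.append(f"{var}: {repo} is pinned by tag {tag!r} only; pin it by sha256 digest")
        elif digest not in approved_digests:
            problems.append(f"{var}: digest {digest[:19]}... for {repo} is not on the approved list")
    return problems


if __name__ == "__main__":
    for problem in audit_base_images(SAMPLE_RULES_MK, APPROVED_DIGESTS):
        print(problem)
```

A tag such as `v0.2.4-gke.7` can be re-pushed to point at different content, so a digest pin plus an approved list is what turns "we scanned this image" into a property the build actually enforces; the approved set would be refreshed whenever a new digest, like the one requested above, passes a scan.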

@dpasiukevich
Member

dpasiukevich commented Jun 21, 2023

Oh, wait, the hash is the same for the base-debian. Yep, only distroless-iptables is up for the update.

@i5haan
Contributor Author

i5haan commented Jun 21, 2023

Thanks for the approval! After the commit, when does it get released?

k8s-ci-robot added a commit that referenced this issue Jun 21, 2023
@dpasiukevich
Member

I've pushed the tag; we will promote the images to the k8s registry today or tomorrow.
