Gal-Doron / operator-registry

Operator Registry runs in a Kubernetes or OpenShift cluster to provide operator catalog data to Operator Lifecycle Manager.
Apache License 2.0

k8s.io/apiextensions-apiserver-v0.22.1: 4 vulnerabilities (highest severity is: 7.5) #3

Open mend-for-github-com[bot] opened 2 years ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - k8s.io/apiextensions-apiserver-v0.22.1

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (k8s.io/apiextensions-apiserver-v0.22.1 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-47108 | High | 7.5 | github.com/open-telemetry/opentelemetry-go-contrib-v0.20.0 | Transitive | N/A* | |
| CVE-2023-45142 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2023-44487 | High | 7.5 | github.com/kubernetes/apiserver-v0.22.1 | Transitive | N/A* | |
| CVE-2022-21698 | High | 7.5 | github.com/prometheus/client_golang-v1.11.0 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2023-47108

### Vulnerable Library - github.com/open-telemetry/opentelemetry-go-contrib-v0.20.0

Collection of extensions for OpenTelemetry-Go.

Library home page: https://proxy.golang.org/github.com/open-telemetry/opentelemetry-go-contrib/@v/v0.20.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:
- k8s.io/apiextensions-apiserver-v0.22.1 (Root Library)
  - github.com/kubernetes/apiserver-v0.22.1
    - k8s.io/component-base-v0.22.1
      - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.20.0
        - :x: **github.com/open-telemetry/opentelemetry-go-contrib-v0.20.0** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

Publish Date: 2023-11-10

URL: CVE-2023-47108

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw

Release Date: 2023-11-10

Fix Resolution: v0.46.0

CVE-2023-45142

### Vulnerable Libraries - github.com/open-telemetry/opentelemetry-go-contrib-v0.20.0, go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.20.0

### github.com/open-telemetry/opentelemetry-go-contrib-v0.20.0

Collection of extensions for OpenTelemetry-Go.

Library home page: https://proxy.golang.org/github.com/open-telemetry/opentelemetry-go-contrib/@v/v0.20.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:
- k8s.io/apiextensions-apiserver-v0.22.1 (Root Library)
  - github.com/kubernetes/apiserver-v0.22.1
    - k8s.io/component-base-v0.22.1
      - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.20.0
        - :x: **github.com/open-telemetry/opentelemetry-go-contrib-v0.20.0** (Vulnerable Library)

### go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.20.0

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:
- k8s.io/apiextensions-apiserver-v0.22.1 (Root Library)
  - github.com/kubernetes/apiserver-v0.22.1
    - k8s.io/component-base-v0.22.1
      - :x: **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.20.0** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

Publish Date: 2023-10-12

URL: CVE-2023-45142

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr

Release Date: 2023-10-12

Fix Resolution: instrumentation/net/http/otelhttp/v0.44.0

CVE-2023-44487

### Vulnerable Library - github.com/kubernetes/apiserver-v0.22.1

Library for writing a Kubernetes-style API server.

Library home page: https://proxy.golang.org/github.com/kubernetes/apiserver/@v/v0.22.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:
- k8s.io/apiextensions-apiserver-v0.22.1 (Root Library)
  - :x: **github.com/kubernetes/apiserver-v0.22.1** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution:
- org.eclipse.jetty.http2:http2-server:9.4.53.v20231009, 10.0.17, 11.0.17
- org.eclipse.jetty.http2:jetty-http2-server:12.0.2
- org.eclipse.jetty.http2:http2-common:9.4.53.v20231009, 10.0.17, 11.0.17
- org.eclipse.jetty.http2:jetty-http2-common:12.0.2
- nghttp - v1.57.0
- swift-nio-http2 - 1.28.0
- io.netty:netty-codec-http2:4.1.100.Final
- trafficserver - 9.2.3
- org.apache.tomcat:tomcat-coyote:8.5.94, 9.0.81, 10.1.14
- org.apache.tomcat.embed:tomcat-embed-core:8.5.94, 9.0.81, 10.1.14
- Microsoft.AspNetCore.App - 6.0.23, 7.0.12
- contour - v1.26.1
- proxygen - v2023.10.16.00
- grpc-go - v1.56.3, v1.57.1, v1.58.3
- kubernetes/kubernetes - v1.25.15, v1.26.10, v1.27.7, v1.28.3, v1.29.0
- kubernetes/apimachinery - v0.25.15, v0.26.10, v0.27.7, v0.28.3, v0.29.0

CVE-2022-21698

### Vulnerable Library - github.com/prometheus/client_golang-v1.11.0

Prometheus instrumentation library for Go applications

Library home page: https://proxy.golang.org/github.com/prometheus/client_golang/@v/v1.11.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:
- k8s.io/apiextensions-apiserver-v0.22.1 (Root Library)
  - github.com/kubernetes/apiserver-v0.22.1
    - k8s.io/component-base-v0.22.1
      - :x: **github.com/prometheus/client_golang-v1.11.0** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with the `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by Go's http.Request; and using a reverse proxy or web application firewall configured to only allow a limited set of methods.

Publish Date: 2022-02-15

URL: CVE-2022-21698

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p

Release Date: 2022-02-15

Fix Resolution: v1.11.1

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.