SeldonIO / seldon-core

An MLOps framework to package, deploy, monitor and manage thousands of production machine learning models
https://www.seldon.io/tech/products/core/

TLS and Cipher vulnerabilities reported in seldon webhook #4923

Open chidambaranathan-r opened 1 year ago

chidambaranathan-r commented 1 year ago

Describe the bug

We found the vulnerabilities below while scanning Seldon Core 1.16.0 deployed on Kubernetes 1.24.X using Tenable-SC.

Issue 1:

TLS version 1.0 and 1.1 protocol detection in webhook port of seldon

Plugin ID: 104743
Plugin Output: TLSv1 is enabled and the server supports at least one cipher.

Plugin ID: 121010
Plugin Output: TLSv1.1 is enabled and the server supports at least one cipher.

Issue 2:

SSL Medium strength cipher suites supported (SWEET32) in webhook port of seldon

Plugin ID: 42873
Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                     Code         KEX    Auth   Encryption       MAC
-----------------------  -----------  -----  -----  ---------------  ----
ECDHE-RSA-DES-CBC3-SHA   0xC0, 0x12   ECDH   RSA    3DES-CBC(168)    SHA1
DES-CBC3-SHA             0x00, 0x0A   RSA    RSA    3DES-CBC(168)    SHA1

The fields above are:
{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

We looked at the seldon core operator code and could not find any configuration to set the minimum TLS version. Could you please guide us on the above so that we can set the minimum TLS version >=1.2?

To reproduce

  1. Install seldon core
  2. Scan with Tenable-SC tool or any other tool that can detect TLS version anomalies.

Expected behaviour

There should be a configuration option that allows configuring the minimum TLS version and cipher suites.

Environment

K8s 1.24

ukclivecox commented 1 year ago

The certificate for webhooks is generated via the genCA function in Helm (see here), which itself uses the Sprig library.

We would recommend asking for updates via these contributors, but for production settings you should use tools such as cert-manager, which can generate the required Secret.

ramanNarasimhan77 commented 1 year ago

@cliveseldon Our understanding is that this is related to configuration of TLSOpts for Seldon webhook and not how the certificate is generated.

See TLSOpts

If nothing is set, then it defaults to TLS 1.0. Flow of control: Server start calls tlsVersion.

ukclivecox commented 1 year ago

Options to set this are exposed by this PR in controller-runtime. This became available in 0.13.1 of controller-runtime, so we would need to upgrade to this version and expose env var/command line args to allow this value(s) to be set.
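As an added illustration (not code from seldon-core or controller-runtime): a function with the `func(*tls.Config)` element shape that controller-runtime 0.13.1+ accepts in the webhook server's TLSOpts, raising the floor to TLS 1.2 and pinning AEAD suites, plus an in-memory handshake check that confirms the two scan findings (TLS 1.0/1.1 and the 3DES suites) no longer pass. The names HardenTLS and HandshakeOK and the constructed RSA test certificate are assumptions of this example; the test client deliberately allows old versions so that the server-side floor is what decides.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// HardenTLS has the shape controller-runtime expects for each entry of
// webhook.Options.TLSOpts ([]func(*tls.Config)): a TLS 1.2 floor and pinned
// AEAD suites, so neither the TLS 1.0/1.1 nor the 3DES (SWEET32) finding recurs.
// Only ECDHE-RSA suites are listed because the webhook certificate is assumed to be RSA.
func HardenTLS(c *tls.Config) {
	c.MinVersion = tls.VersionTLS12
	c.CipherSuites = []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	}
}

// testCert is a constructed, self-signed RSA certificate used only for the
// in-memory handshake below (not the webhook's real certificate).
var testCert = func() tls.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}()

// HandshakeOK applies opts to a server config in order, as the webhook server
// does with TLSOpts, then runs one handshake over an in-memory pipe against a
// client capped at maxVersion and, if suites is non-nil, limited to those suites.
func HandshakeOK(maxVersion uint16, suites []uint16, opts ...func(*tls.Config)) bool {
	srv := &tls.Config{Certificates: []tls.Certificate{testCert}, SessionTicketsDisabled: true}
	for _, f := range opts {
		f(srv)
	}
	cli := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: maxVersion, CipherSuites: suites}
	sc, cc := net.Pipe()
	defer sc.Close()
	defer cc.Close()
	sc.SetDeadline(time.Now().Add(5 * time.Second)) // never hang if one side aborts early
	cc.SetDeadline(time.Now().Add(5 * time.Second))
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(sc, srv).Handshake() }()
	cliErr := tls.Client(cc, cli).Handshake()
	return cliErr == nil && <-errc == nil
}
```

With HardenTLS applied, a TLS 1.1 client and a client offering only TLS_RSA_WITH_3DES_EDE_CBC_SHA both fail the handshake, while a default TLS 1.2 client succeeds.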

chidambaranathan-r commented 1 year ago

@cliveseldon Actually, this is added as "To do" for 1.17.0. Any plans to consider this in upcoming releases?