canonical / microk8s

MicroK8s is a small, fast, single-package Kubernetes for datacenters and the edge.
https://microk8s.io
Apache License 2.0

Internal containers have long pending security CVEs: nginx, hostpath-provisioner, coredns #4087

Open maxshlain opened 1 year ago

maxshlain commented 1 year ago

Summary

Internal containers have long pending security CVEs: nginx, hostpath-provisioner, coredns

Installed version: MicroK8s v1.27.2 revision 5372

What Should Happen Instead?

Use latest containers that have no high-severity security CVEs open

Reproduction Steps

  1. Install latest microk8s with core addons enabled: dns, hostpath, ingress
  2. Execute security scanner (we used Wiz)
  3. Observe scanner report:

```text
container nginx has vulnerable packages
severity: critical
package name: libcurl
current version: 7.83.1-r4
fixed version: 7.83.1-r6, 8.1.0-r0
NVD - CVE-2023-23914
NVD - CVE-2023-28322
wiz suggested remediation: apk upgrade libcurl
================================================================================
package name: curl
current version: 7.83.1-r4
fixed version: 7.83.1-r6, 8.1.0-r0
NVD - CVE-2023-23914
NVD - CVE-2023-28322
wiz suggested remediation: apk upgrade curl
================================================================================
severity: high
package name: libcurl
current version: 7.83.1-r4
fixed version: 7.83.1-r6, 8.1.0-r0
NVD - CVE-2023-28321
NVD - CVE-2023-28319
NVD - CVE-2023-23916
NVD - CVE-2023-27536
NVD - CVE-2023-27535
NVD - CVE-2023-27533
NVD - CVE-2023-27534
NVD - CVE-2022-43551
wiz suggested remediation: apk upgrade libcurl
================================================================================
package name: curl
current version: 7.83.1-r4
fixed version: 7.83.1-r6, 8.1.0-r0
NVD - CVE-2023-28321
NVD - CVE-2023-28319
NVD - CVE-2023-23916
NVD - CVE-2023-27536
NVD - CVE-2023-27535
NVD - CVE-2023-27533
NVD - CVE-2023-27534
NVD - CVE-2022-43551
wiz suggested remediation: apk upgrade curl
================================================================================
package name: cpe:2.3:a:f5:nginx
current version: 1.21.6
fixed version: 1.22.1
cve-details
NVD - CVE-2022-41742
wiz suggested remediation: none
================================================================================
package name: github.com/opencontainers/runc
current version: 1.1.4
fixed version: 1.1.5
NVD - CVE-2023-27561
wiz suggested remediation: go get -u github.com/opencontainers/runc
================================================================================
package name: golang.org/x/net
current version: 0.1.0
fixed version: 0.7.0, 0.1.1-0.20221104162952-702349b0e862
NVD - CVE-2022-41723
NVD - CVE-2022-41721
wiz suggested remediation: go get -u golang.org/x/net
================================================================================
package name: libcrypto1.1
current version: 1.1.1s-r0
fixed version: 1.1.1t-r0, 1.1.1u-r0
NVD - CVE-2023-0215
NVD - CVE-2023-0286
NVD - CVE-2023-2650
NVD - CVE-2022-4450
NVD - CVE-2023-0464
wiz suggested remediation: apk upgrade libcrypto1.1
================================================================================
package name: libssl1.1
current version: 1.1.1s-r0
fixed version: 1.1.1t-r0, 1.1.1u-r0, 1.1.1t-r1
NVD - CVE-2023-0215
NVD - CVE-2023-0286
NVD - CVE-2023-2650
NVD - CVE-2022-4450
NVD - CVE-2023-0464
wiz suggested remediation: apk upgrade libssl1.1
================================================================================
package name: ncurses-libs
current version: 6.3_p20220521-r0
fixed version: 6.3_p20220521-r1
NVD - CVE-2023-29491
wiz suggested remediation: apk upgrade ncurses-libs
================================================================================
package name: ncurses-terminfo-base
current version: 6.3_p20220521-r0
fixed version: 6.3_p20220521-r1
NVD - CVE-2023-29491
wiz suggested remediation: apk upgrade ncurses-terminfo-base
================================================================================
package name: openssl
current version: 1.1.1s-r0
fixed version: 1.1.1t-r0, 1.1.1u-r0, 1.1.1t-r1
NVD - CVE-2023-0215
NVD - CVE-2023-0286
NVD - CVE-2023-2650
NVD - CVE-2022-4450
NVD - CVE-2023-0464
wiz suggested remediation: apk upgrade openssl
================================================================================
fix date: 01/24/2023
due date: 16.10.2023
```


```text
container hostpath-provisioner has vulnerable packages
severity: high
path: /hostpath-provisioner
package name: github.com/prometheus/client_golang
current version: 1.11.0
fixed version: 1.11.1
NVD - cve-2022-21698
wiz suggested remediation: go get -u github.com/prometheus/client_golang
================================================================================
package name: golang.org/x/net
current version: 0.0.0-20220114011407-0dd24b26b47d
fixed version: 0.0.0-20220906165146-f3363e06e74c, 0.7.0
NVD - cve-2022-27664
NVD - cve-2022-41723
wiz suggested remediation: go get -u golang.org/x/net
================================================================================
package name: golang.org/x/text
current version: 0.3.7
fixed version: 0.3.8
NVD - CVE-2022-32149
wiz suggested remediation: go get -u golang.org/x/text
================================================================================
package name: gopkg.in/yaml.v3
current version: 3.0.0-20210107192922-496545a6307b
fixed version: 3.0.0-20220521103104-8f96da9f5d5e
NVD - CVE-2022-28948
wiz suggested remediation: go get -u gopkg.in/yaml.v3
================================================================================
fix date: 16.05.2023
due date: 16.09.2023
```


Wiz container scan 28.06.23: https://hpe.sharepoint.com/:x:/s/Engineering/ESnwnCkacmJPiMv92-5F7DYB2aTPGseD5g9GCfityPLkKA?e=y0tcot

```text
container coredns has vulnerable packages
severity: high
path: /coredns
package name: golang.org/x/net
current version: 0.0.0-20220722155237-a158d28d115b
NVD - cve-2022-27664
fixed version: 0.0.0-20220906165146-f3363e06e74c
NVD - CVE-2022-32149
fixed version: 0.1.1-0.20221104162952-702349b0e862
NVD - cve-2022-41723
fixed version: 0.7.0
wiz suggested remediation: go get -u golang.org/x/net
================================================================================
package name: golang.org/x/text
NVD - CVE-2022-32149
current version: 0.3.7
fixed version: 0.3.8
wiz suggested remediation: go get -u golang.org/x/text
```

Introspection Report

inspection-report-20230717_141007.tar.gz
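A small parser for the scanner output format pasted above, added here as an example (it is not code from the MicroK8s project or from the reporter). It turns each package block into a finding dict, carrying the `container` and `severity` context across blocks and tolerating the varying key order seen in the coredns section; the sample input is a constructed excerpt of that report, and `needs_image_bump` is a name chosen for this example.

```python
import re
# Constructed excerpt of the scanner output pasted above (values copied from it).
REPORT = """\
container nginx has vulnerable packages
severity: critical
package name: libcurl
fixed version: 7.83.1-r6, 8.1.0-r0
NVD - CVE-2023-23914
NVD - CVE-2023-28322
wiz suggested remediation: apk upgrade libcurl
=====
severity: high
package name: cpe:2.3:a:f5:nginx
fixed version: 1.22.1
NVD - CVE-2022-41742
wiz suggested remediation: none
=====
container coredns has vulnerable packages
severity: high
package name: golang.org/x/text
NVD - cve-2022-32149
fixed version: 0.3.8
wiz suggested remediation: go get -u golang.org/x/text
=====
"""
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.I)

def parse_report(text):
    """One dict per package block; 'container' and 'severity' lines carry over to later blocks."""
    findings, ctx = [], {"container": None, "severity": None}
    for block in re.split(r"^=+$", text, flags=re.M):   # '====' rules separate blocks
        cur = {"cves": []}
        for line in (ln.strip() for ln in block.splitlines()):
            head = re.match(r"container (\S+) has vulnerable packages", line)
            key, value = [s.strip() for s in line.partition(":")[::2]]
            if head:
                ctx.update(container=head.group(1), severity=None)
            elif key.lower() == "severity":
                ctx["severity"] = value.lower()
            elif value:        # any other 'key: value' line (package name, fixed version, ...)
                cur[key.lower()] = value
            else:              # 'NVD - CVE-...' lines, in whatever letter case the scanner used
                cur["cves"] += [c.upper() for c in CVE_RE.findall(line)]
        if "package name" in cur:       # skip context-only blocks (e.g. trailing 'fix date')
            findings.append({**ctx, **cur})
    return findings

def needs_image_bump(findings):
    """Packages with remediation 'none': no in-place upgrade exists, only a newer upstream image."""
    return [f["package name"] for f in findings if f.get("wiz suggested remediation") == "none"]
```

Splitting findings this way separates what a base-image rebuild can fix (the `apk upgrade` and `go get` items) from what needs a newer upstream image, which is the distinction the maintainers' backporting answer below turns on.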

ktsakalozos commented 1 year ago

Hi @maxshlain thank you for pointing out these issues. We have introduced checks that surface these issues and we are addressing them as we move forward.

maxshlain commented 1 year ago

Hi @ktsakalozos ! Thanks for the response. Can you please share with us more details about your plans? We are trying to reduce the number of known CVEs in our clusters. So before going to mess with microk8s internal containers we wanted to know if these issues are going to be addressed anytime soon.

ktsakalozos commented 1 year ago

Hi @maxshlain,

Every PR triggers a job that scans the repository of the project, the produced charm and some container core images for vulnerabilities [1].

Any CVEs that have to do with the base system used in the snap are addressed when Ubuntu addresses them.

CVEs related to k8s services are addressed by the upstream project, and we package them and release them in patch releases. Patch releases are (unless the user has disabled snap refreshes) applied transparently to the user when the snap refreshes.

Issues we find in workload containers are normally addressed in the main branch (see for example the updates on coredns, ingress and metrics server [2]) and need to be backported to the supported versions of MicroK8s. This backporting however needs to be done in a manner that does not break any users and/or backwards compatibility.

So to your question, yes some of the CVEs have been addressed in the main branch but the backporting is lagging behind.

[1] Scanning job: https://github.com/canonical/microk8s/blob/master/.github/workflows/build-snap.yml#L195

[2] https://github.com/canonical/microk8s/blob/master/.github/workflows/build-snap.yml#L195

ISAF87 commented 11 months ago

Does the same apply for the microk8s addons? eg Grafana in the observability addon?

stale[bot] commented 1 week ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.