containernetworking / plugins

Some reference and example networking plugins, maintained by the CNI team.
Apache License 2.0
2.23k stars, 789 forks

Need to rebuild the plugin binary with newer version of Go to resolve the CVEs #1033

Closed oilbeater closed 6 months ago

oilbeater commented 6 months ago

The binaries for plugins v1.4.1 were built with Go 1.21.7, which has been found to have 1 HIGH CVE and 5 MEDIUM CVEs. A newer version of Go, 1.21.9 or 1.22.2, resolves these CVEs.

I think there is no need to change the code; the action code here, https://github.com/containernetworking/plugins/blob/670139cffa3075aa42f08c8f1dc2257396205a54/.github/workflows/release.yaml#L19, will automatically use Go v1.21.9 when a new build is triggered.

portmap (gobinary)
==================

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.7            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│         ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│         │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│         │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│         │                │          │        │                   │                │ unknown public key algorithm...                             │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│         │                │          │        │                   │                │ handled                                                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│         │                │          │        │                   │                │ methods may break template escaping                         │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

antoninbas commented 6 months ago

Looks like in response to #1019, release artifacts for 1.4.1 were rebuilt (see https://github.com/containernetworking/plugins/issues/1019#issuecomment-2110423038) with a more recent version of Go (1.22.3), so the binaries should no longer be "affected" by these CVEs.

I personally don't think that mutating release artifacts is a good idea (see also https://github.com/containernetworking/plugins/issues/1038), as now there are 2 distinct versions of the "1.4.1" binaries out there. A lot of dependent build processes may rightfully assume that for a given tag, the binaries won't change. But it's done now...

So this issue can probably be closed given that the current binaries were built with Go 1.22.3.
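The two concerns raised in this thread, a release binary built with a Go toolchain that predates the stdlib fixes, and a tag whose binaries were silently rebuilt, can both be checked on the consumer side. The following is an added example, not code from the plugins repository: it reads the toolchain version embedded in a Go binary (the same data `go version -m <file>` prints) through the standard `debug/buildinfo` package, compares it against the "Fixed Version" values from the CVE-2023-45288 row of the scan quoted above (1.21.9 and 1.22.2, the only entries it carries), and hashes the file so the digest can be pinned and compared on the next download of the "same" tag. The version table, the series-handling rules and the function names are the example's own assumptions.

```go
package main

import (
	"crypto/sha256"
	"debug/buildinfo"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// goVersion holds the numeric parts of a toolchain version such as "go1.21.7".
type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts "go1.21.7" or "go1.22" (patch 0). Anything else,
// including pre-release strings such as "go1.22rc1", is rejected so that a
// release candidate is never mistaken for a patched release.
func parseGoVersion(s string) (goVersion, error) {
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var v goVersion
	fields := []*int{&v.major, &v.minor, &v.patch}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
		}
		*fields[i] = n
	}
	return v, nil
}

// less reports whether a is an older release than b.
func (a goVersion) less(b goVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// fixedIn maps a Go minor series to the first patch release carrying the fix
// (assumed table: the CVE-2023-45288 "Fixed Version" values from the scan).
var fixedIn = map[int]goVersion{21: {1, 21, 9}, 22: {1, 22, 2}}

// toolchainIsPatched reports whether toolchain version ver carries the fix.
// A series with an entry is compared against it; a series newer than every
// entry is treated as patched (it branched after the fix landed); an older
// series is treated as unpatched, since it no longer receives security releases.
func toolchainIsPatched(ver string, fixed map[int]goVersion) (bool, error) {
	v, err := parseGoVersion(ver)
	if err != nil {
		return false, err
	}
	if f, ok := fixed[v.minor]; ok {
		return !v.less(f), nil
	}
	newest := 0
	for minor := range fixed {
		if minor > newest {
			newest = minor
		}
	}
	return v.minor > newest, nil
}

// inspectBinary returns the embedded toolchain version, whether it is patched,
// and the file's SHA-256 digest. The version is returned even when it cannot be
// classified, so the caller can still record what the binary claims.
func inspectBinary(path string, fixed map[int]goVersion) (ver string, patched bool, digest string, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, "", fmt.Errorf("%s: no Go build info: %w", path, err)
	}
	patched, err = toolchainIsPatched(bi.GoVersion, fixed)
	if err != nil {
		return bi.GoVersion, false, "", err
	}
	f, err := os.Open(path)
	if err != nil {
		return bi.GoVersion, patched, "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err = io.Copy(h, f); err != nil {
		return bi.GoVersion, patched, "", err
	}
	return bi.GoVersion, patched, hex.EncodeToString(h.Sum(nil)), nil
}

func main() {
	for _, p := range os.Args[1:] {
		ver, patched, digest, err := inspectBinary(p, fixedIn)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v (go=%s)\n", p, err, ver)
			continue
		}
		fmt.Printf("%s\tgo=%s\tpatched=%t\tsha256=%s\n", p, ver, patched, digest)
	}
}
```

Run it as `go run . /opt/cni/bin/portmap` (or any extracted plugin binary) and store the printed digest next to the tag you depend on; a later download that reports the same tag but a different digest is exactly the rebuilt-artifact situation described above, and a `patched=false` line identifies a binary that still needs the newer toolchain.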

oilbeater commented 6 months ago

Looks like v1.5.0 has already resolved this issue, thanks!