jhunt
commented
4 years ago For the record, the CVE impacting Flannel is CVE-2019-14697.
There's no real detail in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697, but the GLSA for it does: https://security.gentoo.org/glsa/202003-13. Specifically, it says:
A flaw in musl libc’s arch-specific math assembly code for i386 was found which can lead to x87 stack overflow in the execution of subsequent math code.
It seems like there's already a fix available, in musl-1.1.24 and beyond. Here's what the release notes from musl say:
This version adds the GLOB_TILDE extension for glob, a non-stub implementation of the catgets localization API, and posix_spawn extensions for chdir in the child. Many arch-specific bugs are fixed, some serious, including CVE-2019-14697 affecting several math functions only on i386, broken riscv64 atomics, broken lseek with large offsets on x32 and mipsn32, and broken setjmp/longjmp on mipsr6. Various low-severity, non-arch-specific bugs are also fixed.
While I 💯 support updating Flannel when it needs it, I don't know how many i386 BOSH deployments of Kubernetes we're doing...
Flannel docker image needs to be updated as soon as the flannel image with fix CVE is released.
see https://quay.io/repository/coreos/flannel?tag=v0.10.0-amd64&tab=tags
https://github.com/jhunt/k8s-boshrelease/blob/2a771c749900d96fb5999314f80602fdcbffb6ae/jobs/net-flannel/templates/k8s-init/flannel.yml#L123