k3s-io / k3s

Lightweight Kubernetes
https://k3s.io
Apache License 2.0

Upgrade busybox to 3.6.1 #10452

Closed alopukhov closed 2 months ago

alopukhov commented 3 months ago

Please consider upgrading busybox to v3.6.1 and/or upgrading buildroot to newer version.

Currently k3s ships busybox based on version 3.5.0 which is affected by https://nvd.nist.gov/vuln/detail/CVE-2022-30065 https://nvd.nist.gov/vuln/detail/CVE-2022-28391

~Current upstream buildroot version (2022.08.1) includes patches for these CVEs.~ (buildroot 2022.08.1 does not include patches) ~Despite that some~ vulnerability scanners (e.g. Aqua) mark the k3s busybox binary as affected by them. More than that, they mark them as High Severity CVEs. That is quite uncomfortable as it requires manual checks for newer k3s versions.

I'm not aware about CVE-2022-28391 (https://bugs.busybox.net/show_bug.cgi?id=15001). CVE-2022-30065 is fixed in busybox v3.6.1 according to https://busybox.net/

Upstream buildroot upgraded busybox to version 3.6.1 since https://gitlab.com/buildroot.org/buildroot/-/commit/a7e4f557f5c5874c84d6ae2e28d752603e18ab3f about a year ago.

zhangguanzhang commented 3 months ago
go.mod (gomod)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬──────────┬─────────────────────┬─────────────────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │  Status  │  Installed Version  │        Fixed Version        │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼──────────┼─────────────────────┼─────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/docker/docker                                     │ CVE-2024-29018 │ MEDIUM   │ fixed    │ 25.0.4+incompatible │ 26.0.0-rc3, 25.0.5, 23.0.11 │ moby: external DNS requests from 'internal' networks could  │
│                                                              │                │          │          │                     │                             │ lead to data exfiltration...                                │
│                                                              │                │          │          │                     │                             │ https://avd.aquasec.com/nvd/cve-2024-29018                  │
├──────────────────────────────────────────────────────────────┼────────────────┤          │          ├─────────────────────┼─────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-retryablehttp                        │ CVE-2024-6104  │          │          │ 0.7.4               │ 0.7.7                       │ go-retryablehttp: url might write sensitive information to  │
│                                                              │                │          │          │                     │                             │ log file                                                    │
│                                                              │                │          │          │                     │                             │ https://avd.aquasec.com/nvd/cve-2024-6104                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤          ├─────────────────────┼─────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH     │          │ 0.45.0              │ 0.46.0                      │ opentelemetry-go-contrib: DoS vulnerability in otelgrpc due │
│ rg/grpc/otelgrpc                                             │                │          │          │                     │                             │ to unbound cardinality metrics                              │
│                                                              │                │          │          │                     │                             │ https://avd.aquasec.com/nvd/cve-2023-47108                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤          ├─────────────────────┼─────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net                                             │ CVE-2023-45288 │ MEDIUM   │          │ 0.17.0              │ 0.23.0                      │ golang: net/http, x/net/http2: unlimited number of          │
│                                                              │                │          │          │                     │                             │ CONTINUATION frames causes DoS                              │
│                                                              │                │          │          │                     │                             │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
├──────────────────────────────────────────────────────────────┼────────────────┤          ├──────────┼─────────────────────┼─────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ gopkg.in/square/go-jose.v2                                   │ CVE-2024-28180 │          │ affected │ 2.6.0               │                             │ jose-go: improper handling of highly compressed data        │
│                                                              │                │          │          │                     │                             │ https://avd.aquasec.com/nvd/cve-2024-28180                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴──────────┴─────────────────────┴─────────────────────────────┴─────────────────────────────────────────────────────────────┘
alopukhov commented 3 months ago

Unfortunately I can't attach the Aqua report. grype report below:

> docker run --rm --volume /var/run/docker.sock:/var/run/docker.sock --name Grype anchore/grype:latest -v rancher/k3s:v1.30.2-k3s2-amd64
[0000]  INFO grype version: 0.79.2
[0000]  INFO downloading new vulnerability DB
[0021]  INFO downloaded new vulnerability DB version=5 built="2024-07-05 01:30:56 +0000 UTC"
[0022]  WARN unable to determine linux distribution: unable to determine distro type
[0022]  INFO found 16 vulnerability matches across 437 packages
NAME                                                                         INSTALLED             FIXED-IN  TYPE       VULNERABILITY        SEVERITY
busybox                                                                      1.35.0                          binary     CVE-2022-30065       High
busybox                                                                      1.35.0                          binary     CVE-2022-28391       High
github.com/docker/docker                                                     v25.0.4+incompatible  25.0.5    go-module  GHSA-mq39-4gv4-mvpx  Medium
github.com/hashicorp/go-retryablehttp                                        v0.7.4                0.7.7     go-module  GHSA-v6v8-xj6m-xwqh  Medium
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc  v0.45.0               0.46.0    go-module  GHSA-8pgv-569h-w5rw  High
golang.org/x/net                                                             v0.17.0               0.23.0    go-module  GHSA-4v7x-pqxf-cx7m  Medium
golang.org/x/net                                                             v0.8.0                0.17.0    go-module  GHSA-4374-p667-p6c8  High
golang.org/x/net                                                             v0.8.0                0.17.0    go-module  GHSA-qppj-fm5r-hxr3  Medium
golang.org/x/net                                                             v0.8.0                0.23.0    go-module  GHSA-4v7x-pqxf-cx7m  Medium
golang.org/x/net                                                             v0.8.0                0.13.0    go-module  GHSA-2wrh-6pvc-2jm9  Medium
google.golang.org/protobuf                                                   v1.27.1               1.33.0    go-module  GHSA-8r3f-844c-mc37  Medium
gopkg.in/square/go-jose.v2                                                   v2.6.0                          go-module  GHSA-c5q2-7r4c-mv6g  Medium
stdlib                                                                       go1.22.4                        go-module  CVE-2024-24791       Unknown
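The grype run above reports the two busybox CVEs against a `binary` match with no `FIXED-IN` value, and it also warned that it could not determine the Linux distribution. A scanner in that state matches on the version string found inside the binary, so fixes that a distro backports without bumping the version (as the buildroot 2022.08.3 busybox patches referenced later in this thread) are invisible to it. The script below is an added example, not part of grype or k3s: it parses grype's fixed-width table (the rows are copied from the run posted above) and separates package-database findings that carry an upstream fix version from binary version-string matches that need a manual backport check.

```python
"""Triage grype's text report: which findings need a manual backport check.

Added example; the parser and triage rules are not grype's or k3s's code.
GRYPE_OUTPUT is a constructed sample whose rows are copied from the grype
run of rancher/k3s:v1.30.2-k3s2-amd64 posted in this thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

GRYPE_OUTPUT = """\
[0022]  WARN unable to determine linux distribution: unable to determine distro type
[0022]  INFO found 16 vulnerability matches across 437 packages
NAME                                                                         INSTALLED             FIXED-IN  TYPE       VULNERABILITY        SEVERITY
busybox                                                                      1.35.0                          binary     CVE-2022-30065       High
busybox                                                                      1.35.0                          binary     CVE-2022-28391       High
github.com/docker/docker                                                     v25.0.4+incompatible  25.0.5    go-module  GHSA-mq39-4gv4-mvpx  Medium
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc  v0.45.0               0.46.0    go-module  GHSA-8pgv-569h-w5rw  High
golang.org/x/net                                                             v0.17.0               0.23.0    go-module  GHSA-4v7x-pqxf-cx7m  Medium
gopkg.in/square/go-jose.v2                                                   v2.6.0                          go-module  GHSA-c5q2-7r4c-mv6g  Medium
stdlib                                                                       go1.22.4                        go-module  CVE-2024-24791       Unknown
"""


@dataclass(frozen=True)
class Finding:
    name: str
    installed: str
    fixed_in: str      # empty string when grype prints no FIXED-IN value
    pkg_type: str      # "binary" = matched on a version string inside the binary
    vulnerability: str
    severity: str


def column_starts(header: str) -> list[int]:
    """Offsets where each header word begins; grype left-aligns cells on them."""
    return [m.start() for m in re.finditer(r"\S+", header)]


def parse_grype_table(text: str) -> list[Finding]:
    """Skip the log prefix, then slice each row at the header's column offsets.

    Slicing (rather than splitting on whitespace) is what keeps an empty
    FIXED-IN cell from shifting the remaining columns left.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    while lines and not lines[0].startswith("NAME"):
        lines.pop(0)                      # drop "[0022]  INFO ..." style log lines
    if not lines:
        return []
    starts = column_starts(lines[0])
    bounds = list(zip(starts, starts[1:] + [None]))
    return [Finding(*(row[a:b].strip() for a, b in bounds)) for row in lines[1:]]


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Bucket findings by how much the scanner actually knows about them."""
    buckets: dict[str, list[Finding]] = {
        "binary_match": [],     # version-string match; distro backports not visible
        "fix_available": [],    # package DB match with an upstream fix version
        "no_fix_listed": [],    # package DB match, no fix version known to grype
    }
    for f in findings:
        if f.pkg_type == "binary":
            buckets["binary_match"].append(f)
        elif f.fixed_in:
            buckets["fix_available"].append(f)
        else:
            buckets["no_fix_listed"].append(f)
    return buckets


def manual_check_candidates(findings: list[Finding]) -> list[str]:
    """High-severity binary matches: verify against the image's source patches."""
    return sorted(
        f.vulnerability
        for f in findings
        if f.pkg_type == "binary" and f.severity == "High"
    )


if __name__ == "__main__":
    found = parse_grype_table(GRYPE_OUTPUT)
    for bucket, items in triage(found).items():
        print(f"{bucket}: {[i.vulnerability for i in items]}")
    print("manual check:", manual_check_candidates(found))
```

For the posted report this flags exactly CVE-2022-28391 and CVE-2022-30065 as candidates for a manual check, which is the comparison against the buildroot package sources that the later comments in this thread carry out by hand.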
brandond commented 2 months ago

> Current upstream buildroot version (2022.08.1) includes patches for this CVEs.

I'm curious about this assertion - we have been shipping buildroot 2022.08.1 for 2 years, since https://github.com/k3s-io/k3s-root/pull/54. Did you mean to link a different buildroot version - 2022.08.3 perhaps? I see that https://github.com/buildroot/buildroot/commits/2022.08.3/package/busybox does include fixes for both of the linked vulns.

alopukhov commented 2 months ago

> > Current upstream buildroot version (2022.08.1) includes patches for this CVEs.
>
> I'm curious about this assertion - we have been shipping buildroot 2022.08.1 for 2 years, since k3s-io/k3s-root#54. Did you mean to link a different buildroot version - 2022.08.3 perhaps? I see that https://github.com/buildroot/buildroot/commits/2022.08.3/package/busybox does include fixes for both of the linked vulns.

My bad. Looked at 2022.08. You are right 2022.08.1 does not include patches.

VestigeJ commented 2 months ago

https://github.com/k3s-io/k3s/issues/10467#issuecomment-2240582083