k3s-io / kine

Run Kubernetes on MySQL, Postgres, sqlite, dqlite, not etcd.
Apache License 2.0

Security vulnerabilities with kine #153

Closed manasabsv26 closed 1 year ago

manasabsv26 commented 1 year ago

A Trivy scan on the image (latest version: v0.9.8) shows that it has the following security vulnerabilities (CVE-2022-21698, CVE-2022-27191, CVE-2021-44716, CVE-2022-27664, CVE-2021-38561, CVE-2022-32149):

trivy image  -s CRITICAL,HIGH --exit-code 22 rancher/kine:v0.9.8
2023-01-09T05:20:16.978Z    INFO    Vulnerability scanning is enabled
2023-01-09T05:20:16.978Z    INFO    Secret scanning is enabled
2023-01-09T05:20:16.978Z    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-09T05:20:16.978Z    INFO    Please see also https://aquasecurity.github.io/trivy/0.30.1/docs/secret/scanning/#recommendation for faster secret detection
2023-01-09T05:20:17.861Z    INFO    Detected OS: alpine
2023-01-09T05:20:17.861Z    INFO    Detecting Alpine vulnerabilities...
2023-01-09T05:20:17.864Z    INFO    Number of language-specific files: 1
2023-01-09T05:20:17.864Z    INFO    Detecting gobinary vulnerabilities...

bin/kine (gobinary)

Total: 6 (HIGH: 6, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                            Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/prometheus/client_golang │ CVE-2022-21698 │ HIGH     │ v1.11.0                            │ 1.11.1                            │ prometheus/client_golang: Denial of service using           │
│                                     │                │          │                                    │                                   │ InstrumentHandlerCounter                                    │
│                                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-21698                  │
├─────────────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto                 │ CVE-2022-27191 │ HIGH     │ v0.0.0-20220112180741-5e0467b6c7ce │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server           │
│                                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                  │
├─────────────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net                    │ CVE-2021-44716 │ HIGH     │ v0.0.0-20211112202133-69e39bad7dc2 │ 0.0.0-20211209124913-491a49abca63 │ golang: net/http: limit growth of header canonicalization   │
│                                     │                │          │                                    │                                   │ cache                                                       │
│                                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-44716                  │
├─────────────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net                    │ CVE-2022-27664 │ HIGH     │ v0.0.0-20211112202133-69e39bad7dc2 │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY │
│                                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                  │
├─────────────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/text                   │ CVE-2021-38561 │ HIGH     │ v0.3.6                             │ 0.3.7                             │ golang: out-of-bounds read in golang.org/x/text/language    │
│                                     │                │          │                                    │                                   │ leads to DoS                                                │
│                                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-38561                  │
│                                     ├────────────────┤          │                                    ├───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                                     │ CVE-2022-32149 │          │                                    │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage     │
│                                     │                │          │                                    │                                   │ takes a long time to parse complex tags                     │
│                                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                  │
└─────────────────────────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴─────────────────────────────────────────────────────────────┘

Can these Go packages be upgraded to their 'fixed versions'?
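The gobinary rows in the scan come from the module list that the Go toolchain embeds in every binary. As an added example (not kine's or Trivy's code), the program below reads that list from a binary the way a scanner does and compares each dependency against the fixed versions from the table above, handling both tagged releases and the timestamped pseudo-versions that x/crypto and x/net use. The function names are mine, and `binaryPath` is assumed to be a `bin/kine` extracted from the image.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"strings"
)

// Earliest fixed versions from the Trivy table in this issue (0.3.8 covers both x/text findings).
var fixedVersions = map[string]string{
	"github.com/prometheus/client_golang": "v1.11.1",
	"golang.org/x/crypto":                 "v0.0.0-20220314234659-1baeb1ce4c0b",
	"golang.org/x/net":                    "v0.0.0-20220906165146-f3363e06e74c",
	"golang.org/x/text":                   "v0.3.8",
}

// versionKey maps "vX.Y.Z" or a pseudo-version "vX.Y.Z-yyyymmddhhmmss-hash" to a
// fixed-width string whose lexical order matches Go's module version order.
func versionKey(v string) string {
	base, pre, isPseudo := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	ts := "99999999999999" // a tagged release sorts above every pseudo-version of its base
	if isPseudo { // pre is "ts-hash", "0.ts-hash" or "pre.0.ts-hash"; keep the 14-digit ts
		ts, _, _ = strings.Cut(pre, "-")
		ts = ts[strings.LastIndex(ts, ".")+1:]
	}
	n := strings.SplitN(base, ".", 3) // X, Y, Z; right-aligned digits compare numerically
	return fmt.Sprintf("%8s.%8s.%8s.%14s", n[0], n[1], n[2], ts)
}

// IsFixed reports whether installed is at or above fixed.
func IsFixed(installed, fixed string) bool {
	return versionKey(installed) >= versionKey(fixed)
}

// VulnerableDeps reads the module list embedded in a Go binary (the metadata Trivy's gobinary
// scanner reads) and returns path -> compiled-in version for each dependency below its fix.
func VulnerableDeps(binaryPath string) (map[string]string, error) {
	info, err := buildinfo.ReadFile(binaryPath)
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, m := range info.Deps {
		if fixed, ok := fixedVersions[m.Path]; ok && !IsFixed(m.Version, fixed) {
			out[m.Path] = m.Version
		}
	}
	return out, nil
}
```

Running `VulnerableDeps` against the `bin/kine` from the v0.9.8 image should report the same five modules the table flags; after the upgrade the map comes back empty. `go version -m bin/kine` prints the same embedded module list for a manual check.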

brandond commented 1 year ago

Most of these shouldn't affect Kine in its normal use as the back-end for a Kubernetes cluster, since it should not be exposed to anything other than the Kubernetes apiserver. We can take a look at updating them at some point in the next release cycle though.