kubernetes-csi / node-driver-registrar

Sidecar container that registers a CSI driver with the kubelet using the kubelet plugin registration mechanism.
Apache License 2.0

CVE-2010-0834 #306

Closed Vkad00 closed 7 months ago

Vkad00 commented 1 year ago

We are observing CVE-2010-0834 in Azure AKS clusters running on version 1.26.3. This is not running on a local machine but shows a vulnerability for Dell laptops.


| Registry | Repository | Tag | Id | Distro | Hosts | Layer | CVE ID | Compliance ID | Type | Severity | Packages | Source Package | Package Version | Package License | CVSS | Fix Status | Fix Date | Grace Days | Risk Factors | Vulnerability Tags | Description |
| -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| mcr.microsoft.com | oss/kubernetes/kube-proxy | v1.26.3-hotfix.20230509.1 | sha256:3a0056c7e5d9eab3200fc0b6f39145f424e5ed2457ade64713842de28b8cdca1 | debian-bullseye | 2 |   | CVE-2010-0834 | 46 | OS | unimportant | base-files |   | 11.1+deb11u5 | GPL | 9.3 | fixed in 11.1+deb11u7 | 23:00.0 |   | Attack vector: network, Has fix, Remote execution |   | The base-files package before 5.0.0ubuntu7.1 on Ubuntu 9.10 and before 5.0.0ubuntu20.10.04.2 on Ubuntu 10.04 LTS, as shipped on Dell Latitude 2110 netbooks, does not require authentication for package installation, which allows remote archive servers and man-in-the-middle attackers to execute arbitrary code via a crafted package. |
| mcr.microsoft.com | oss/kubernetes-csi/livenessprobe | v2.10.0 | sha256:a0a744de06b9862ee665fcf47a17ec3425f67915a2e603f5636f6eba17378c7e | debian-bullseye | 2 |   | CVE-2010-0834 | 46 | OS | unimportant | base-files |   | 11.1+deb11u6 | GPL | 9.3 | fixed in 11.1+deb11u7 | 23:00.0 |   | Attack vector: network, Has fix, Remote execution |   | The base-files package before 5.0.0ubuntu7.1 on Ubuntu 9.10 and before 5.0.0ubuntu20.10.04.2 on Ubuntu 10.04 LTS, as shipped on Dell Latitude 2110 netbooks, does not require authentication for package installation, which allows remote archive servers and man-in-the-middle attackers to execute arbitrary code via a crafted package. |
| mcr.microsoft.com | oss/kubernetes-csi/csi-node-driver-registrar | v2.8.0 | sha256:aa15d611f49d8331e2266cf02d8f5fb0d32caad598897433fbd46234b88ebaf4 | debian-bullseye | 2 |   | CVE-2010-0834 | 46 | OS | unimportant | base-files |   | 11.1+deb11u6 | GPL | 9.3 | fixed in 11.1+deb11u7 | 23:00.0 |   | Attack vector: network, Has fix, Remote execution |   | The base-files package before 5.0.0ubuntu7.1 on Ubuntu 9.10 and before 5.0.0ubuntu20.10.04.2 on Ubuntu 10.04 LTS, as shipped on Dell Latitude 2110 netbooks, does not require authentication for package installation, which allows remote archive servers and man-in-the-middle attackers to execute arbitrary code via a crafted package. |

mauriciopoppe commented 1 year ago

The Kubernetes CSI community publishes a distroless image using https://github.com/kubernetes-csi/node-driver-registrar/blob/master/Dockerfile; maybe this problem is happening in images generated from the Microsoft pipeline? I don't think we see the vulnerability in our image.

k8s-triage-robot commented 8 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

jsafrane commented 7 months ago

/close Kubernetes node-driver-registrar images do not use Ubuntu as the base image. Please check with AKS support.

k8s-ci-robot commented 7 months ago

@jsafrane: Closing this issue.

In response to [this](https://github.com/kubernetes-csi/node-driver-registrar/issues/306#issuecomment-1916785663):

> /close
> Kubernetes node-driver-registrar images do not use Ubuntu as the base image. Please check with AKS support.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.