kubernetes-sigs / vsphere-csi-driver

vSphere storage Container Storage Interface (CSI) plugin
https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/index.html
Apache License 2.0

Rebuild base images at release time to fix CVEs #2768

Closed dkoshkin closed 5 months ago

dkoshkin commented 10 months ago

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug
/kind feature

What happened: The base image gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest used by the driver and syncer has some CRITICAL and HIGH CVEs.

CVEs in gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest

```text
gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest (photon 4.0)
=======================================================================
Total: 11 (HIGH: 8, CRITICAL: 3)

Library      Vulnerability   Severity  Status  Installed Version  Fixed Version  Title
curl         CVE-2023-38545  CRITICAL  fixed   8.1.2-2.ph4        8.1.2-6.ph4    curl: heap based buffer overflow in the SOCKS5 proxy handshake (https://avd.aquasec.com/nvd/cve-2023-38545)
curl         CVE-2023-38039  HIGH      fixed   8.1.2-2.ph4        8.1.2-5.ph4    curl: out of heap memory issue due to missing limit on header... (https://avd.aquasec.com/nvd/cve-2023-38039)
curl-libs    CVE-2023-38545  CRITICAL  fixed   8.1.2-2.ph4        8.1.2-6.ph4    curl: heap based buffer overflow in the SOCKS5 proxy handshake (https://avd.aquasec.com/nvd/cve-2023-38545)
curl-libs    CVE-2023-38039  HIGH      fixed   8.1.2-2.ph4        8.1.2-5.ph4    curl: out of heap memory issue due to missing limit on header... (https://avd.aquasec.com/nvd/cve-2023-38039)
glibc        CVE-2023-5156   HIGH      fixed   2.32-11.ph4        2.32-14.ph4    glibc: DoS due to memory leak in getaddrinfo.c (https://avd.aquasec.com/nvd/cve-2023-5156)
libssh2      CVE-2020-22218  HIGH      fixed   1.10.0-1.ph4       1.11.0-1.ph4   libssh2: use-of-uninitialized-value in _libssh2_transport_read (https://avd.aquasec.com/nvd/cve-2020-22218)
nss-libs     CVE-2023-0767   HIGH      fixed   3.72-3.ph4         3.72-4.ph4     Arbitrary memory write via PKCS 12 (https://avd.aquasec.com/nvd/cve-2023-0767)
openssl      CVE-2023-4807   HIGH      fixed   3.0.9-5.ph4        3.0.9-6.ph4    POLY1305 MAC implementation corrupts XMM registers on Windows (https://avd.aquasec.com/nvd/cve-2023-4807)
openssl      CVE-2023-5363   HIGH      fixed   3.0.9-5.ph4        3.0.9-7.ph4    openssl: Incorrect cipher key and IV length processing (https://avd.aquasec.com/nvd/cve-2023-5363)
sqlite-libs  CVE-2023-7104   HIGH      fixed   3.38.5-2.ph4       3.38.5-4.ph4   sqlite: heap-buffer-overflow at sessionfuzz (https://avd.aquasec.com/nvd/cve-2023-7104)
zlib         CVE-2023-45853  CRITICAL  fixed   1.2.11-5.ph4       1.2.11-6.ph4   zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6 (https://avd.aquasec.com/nvd/cve-2023-45853)
```

I've rebuilt the base image from main and it had 0 Critical/High CVEs.

CVEs in gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab

```text
gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab (photon 4.0)
=========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)
```

What you expected to happen: Can we consider rebuilding the base image on every release, somewhere in https://github.com/kubernetes-sigs/vsphere-csi-driver/blob/master/hack/release.sh ?

How to reproduce it (as minimally and precisely as possible):

Check CVEs:

```shell
trivy image --severity HIGH,CRITICAL gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest
```

Anything else we need to know?:

I would be happy to work on this if someone can point me in the right direction.

Environment:
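A release-time gate along the lines proposed above, as an added example that is not the project's own hack/release.sh: it rebuilds the base image from the current commit, scans it with trivy, and only tags `latest` when no HIGH/CRITICAL findings remain. It assumes docker and trivy on PATH and a full git commit hash passed as the first argument; the image name and severity list are the page's, the sample report is constructed.

```shell
#!/bin/sh
# Added example, not the project's release script. Rebuild the Photon-based
# csi-driver-base image with a fresh `tdnf upgrade` and refuse to publish it
# as :latest while trivy still reports HIGH/CRITICAL vulnerabilities.
set -eu

IMAGE="${IMAGE:-gcr.io/cloud-provider-vsphere/extra/csi-driver-base}"
SEVERITY="${SEVERITY:-HIGH,CRITICAL}"

# Short tag derived from the commit hash, matching the page's 100d56ab style.
short_tag() { printf '%.8s' "$1"; }

# Count HIGH/CRITICAL entries in a trivy JSON report read from stdin.
# grep-only so the gate works on builders without jq; the regex accepts both
# compact ("Severity":"HIGH") and pretty-printed ("Severity": "HIGH") output.
count_findings() {
  n=$(grep -Eo '"Severity": *"(HIGH|CRITICAL)"' | wc -l)
  printf '%s' "$((n))"
}

# --pull and --no-cache force photon:4.0 to be re-resolved and the upgrade
# layer to be re-run, otherwise a cached layer silently keeps the old CVEs.
rebuild_and_gate() {
  commit="$1"
  tag="$IMAGE:$(short_tag "$commit")"
  docker build --pull --no-cache -t "$tag" --build-arg GIT_COMMIT="$commit" .
  report=$(trivy image --format json --severity "$SEVERITY" "$tag")
  n=$(printf '%s' "$report" | count_findings)
  if [ "$n" -ne 0 ]; then
    echo "release gate: $n $SEVERITY findings in $tag; not tagging latest" >&2
    return 1
  fi
  docker tag "$tag" "$IMAGE:latest"
}

# Constructed sample report (shape follows trivy's JSON output), used only to
# exercise count_findings offline; a real run feeds it trivy's output instead.
SAMPLE_REPORT='{"Results":[{"Vulnerabilities":[
 {"VulnerabilityID":"CVE-2023-38545","PkgName":"curl","Severity":"CRITICAL"},
 {"VulnerabilityID":"CVE-2023-5156","PkgName":"glibc","Severity": "HIGH"},
 {"VulnerabilityID":"CVE-0000-0000","PkgName":"example","Severity":"LOW"}]}]}'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$(printf '%s' "$SAMPLE_REPORT" | count_findings)"   # 2
elif [ -n "${1:-}" ]; then
  rebuild_and_gate "$1"
fi
```

`trivy image --exit-code 1 --severity HIGH,CRITICAL <image>` achieves the same gate without parsing when the count itself is not needed.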

divyenpatel commented 10 months ago

@dkoshkin thanks for reporting this issue.

We have just re-built the base driver image and pushed it as latest.

```text
% make build
docker build -t gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab --build-arg GIT_COMMIT=100d56ab76bbde05b4795d1e675952c9307f13f8 .
[+] Building 9.5s (7/7) FINISHED
 => [internal] load build definition from Dockerfile                                                                  0.0s
 => => transferring dockerfile: 866B                                                                                  0.0s
 => [internal] load .dockerignore                                                                                     0.0s
 => => transferring context: 2B                                                                                       0.0s
 => [internal] load metadata for docker.io/library/photon:4.0                                                         3.0s
 => [auth] library/photon:pull token for registry-1.docker.io                                                         0.0s
 => [1/2] FROM docker.io/library/photon:4.0@sha256:a338a97f9e1bdd166aa236264ae981dbecb3b26dff9ce551890569ece187badb   1.1s
 => => resolve docker.io/library/photon:4.0@sha256:a338a97f9e1bdd166aa236264ae981dbecb3b26dff9ce551890569ece187badb   0.0s
 => => sha256:a338a97f9e1bdd166aa236264ae981dbecb3b26dff9ce551890569ece187badb 547B / 547B                            0.0s
 => => sha256:acdab5c315d9e9a5b7252df305dffcfe5686800a338d89e198bf93f49beefe07 529B / 529B                            0.0s
 => => sha256:62c1f7f929000cae58792dc957c9b58ba9ddf2b3f0abe96baed46a64557a94be 1.81kB / 1.81kB                        0.0s
 => => sha256:a64791008645b453a3573695334dda7a049fa567cf2642a50b11a0bc0e5a3562 16.17MB / 16.17MB                      0.8s
 => => extracting sha256:a64791008645b453a3573695334dda7a049fa567cf2642a50b11a0bc0e5a3562                             0.3s
 => [2/2] RUN tdnf -y upgrade && tdnf clean all                                                                       5.3s
 => exporting to image                                                                                                0.0s
 => => exporting layers                                                                                               0.0s
 => => writing image sha256:9bb548f40ac2f75793ff27dfe2ca61f67287dd19a9f3ffc7278c60aa7c7e8843                          0.0s
 => => naming to gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab                                         0.0s
docker tag gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest
% make push
logging into gcr.io registry with gcloud auth helper
docker push gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab
The push refers to repository [gcr.io/cloud-provider-vsphere/extra/csi-driver-base]
d38a254ea51a: Pushed
9efa0a363efe: Pushed
100d56ab: digest: sha256:14a36f13eca60e7ad130af4494c8723e11b304d7a2621bc920be0a42fd9b93aa size: 736
docker push gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest
The push refers to repository [gcr.io/cloud-provider-vsphere/extra/csi-driver-base]
d38a254ea51a: Layer already exists
9efa0a363efe: Layer already exists
latest: digest: sha256:14a36f13eca60e7ad130af4494c8723e11b304d7a2621bc920be0a42fd9b93aa size: 736
```

dkoshkin commented 10 months ago

Thanks @divyenpatel, just verified and I see it:

```text
trivy image --severity HIGH,CRITICAL gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest
2024-01-22T15:09:45.478-0800    INFO    Vulnerability scanning is enabled
2024-01-22T15:09:45.478-0800    INFO    Secret scanning is enabled
2024-01-22T15:09:45.478-0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-22T15:09:45.478-0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-22T15:09:47.955-0800    INFO    Detected OS: photon
2024-01-22T15:09:47.955-0800    INFO    Detecting Photon Linux vulnerabilities...
2024-01-22T15:09:47.957-0800    INFO    Number of language-specific files: 0

gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest (photon 4.0)

Total: 0 (HIGH: 0, CRITICAL: 0)
```

What is the cadence of these being rebuilt? Any way to make it automated so that new releases pick up the CVE fixes?

divyenpatel commented 10 months ago

> What is the cadence of these being rebuilt?

We do re-build on every major new release.

> Any way to make it automated so that new releases pick up the CVE fixes?

We are thinking of merging it with the driver and syncer images so we don't need to worry about rebuilding the base image for every release.

dkoshkin commented 10 months ago

> We are thinking of merging it with the driver and syncer images so we don't need to worry about rebuilding the base image for every release.

👍 That makes sense to me @divyenpatel, please let me know if I can help with that effort.

k8s-triage-robot commented 7 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 6 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed

You can:

- Reopen this issue with `/reopen`
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Offer to help out with [Issue Triage](https://www.kubernetes.dev/docs/guide/issue-triage/)

Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).

/close not-planned

k8s-ci-robot commented 5 months ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-sigs/vsphere-csi-driver/issues/2768#issuecomment-2181789029):

> The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
> This bot triages issues according to the following rules:
> - After 90d of inactivity, `lifecycle/stale` is applied
> - After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
> - After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
> You can:
> - Reopen this issue with `/reopen`
> - Mark this issue as fresh with `/remove-lifecycle rotten`
> - Offer to help out with [Issue Triage][1]
>
> Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
> /close not-planned
>
> [1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.