kubernetes / ingress-nginx

Ingress NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

Cover CVE‑2021‑3618 #8487

Closed dustin-bo closed 1 year ago

dustin-bo commented 2 years ago

We need a version without the vulnerability CVE‑2021‑3618. The vulnerability seems to be fixed in Nginx starting with release 1.21.0. Since none of the Ingress-Nginx versions use those releases, all versions seem to be vulnerable.

longwuyuan commented 2 years ago

The project built a beta with some fixes. Certain reported CVEs got fixed, but this CVE is not visible in a grype scan:

```
% grype k8s.gcr.io/ingress-nginx/controller-chroot:v1.2.0-beta.0@sha256:5344d8367295be743703f19eea137e7a3253efc2d0ec8aee131b85d3258f9780
 ✔ Vulnerability DB        [no update available]
 ✔ Parsed image
 ✔ Cataloged packages      [127 packages]
 ✔ Scanned image           [3 vulnerabilities]
[0018] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME                        INSTALLED  FIXED-IN  TYPE       VULNERABILITY   SEVERITY
flock                       2.37.4-r0            apk        CVE-2010-3262   Medium
google.golang.org/protobuf  v1.28.0              go-module  CVE-2021-22570  High
google.golang.org/protobuf  v1.28.0              go-module  CVE-2015-5237   High
```

longwuyuan commented 2 years ago

I think there is an open issue that states at least the need for protection from at least one similar-sounding threat. They had mentioned certs with multiple domains or similar use-cases. In any case, this threat says:

ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.

Have not seen if the patch is back-ported to nginx v1.19.10, and that is related because our base image uses it.

We can address it when enough info is available against a future release.

rikatz commented 2 years ago

Apparently openresty is working in a v1.21 nginx compatible release. As soon as this is released, we can start thinking on having nginx v1.21 as Ingress base.

@tao12345666333 thoughts?

tao12345666333 commented 2 years ago

> Apparently openresty is working in a v1.21 nginx compatible release. As soon as this is released, we can start thinking on having nginx v1.21 as Ingress base.

Yes, I'm asking about the release cycle for the next version of OpenResty

svenbuerger commented 2 years ago

Are there any plans to implement a fix for this CVE in the foreseeable future?

rikatz commented 2 years ago

@svenbuerger we are just discussing this, but want some help, if someone can send a PR :)

strongjz commented 2 years ago

/priority critical-urgent
/triage accepted

strongjz commented 2 years ago

I do not see this in recent trivy scans for 1.3.0, 1.2.1 or 1.2.0

@dustin-bo what scanner did you use to get this result?

chaosun-abnormalsecurity commented 2 years ago

Any update on this please? Thanks! BTW, looks like the latest Openresty has upgraded Nginx core to 1.21 https://openresty.org/en/ann-1021004001.html

strongjz commented 2 years ago

It looks like there is an openresty version, 1.21.4.1, that supports 1.21

> Based on a very recent mainline NGINX core 1.21.4

https://openresty.org/en/ann-1021004001.html

Is that what we need to use to update? @tao12345666333 @rikatz

tao12345666333 commented 2 years ago

yes! I'm working on this

strongjz commented 2 years ago

@tao12345666333 can we discuss this for tomorrow's community meeting?

tao12345666333 commented 2 years ago

yes!

grosser commented 2 years ago

is there some branch we could try or any alpha version of an updated nginx ?

longwuyuan commented 2 years ago

Not yet, but it's being worked on. Wait for updates from @tao12345666333

tao12345666333 commented 2 years ago

I think I can handle it this week

nikhilthakre commented 1 year ago

Was this included as part of the latest v1.5.1 release? Thanks

longwuyuan commented 1 year ago

Please check the nginx version in the controller image. Do you use ingress for IMAP/POP/SMTP ports?

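The check suggested above, as an added example that is neither ingress-nginx project code nor anything a commenter posted: a POSIX shell script that takes the `nginx -V` output from the controller pod, compares the version against 1.21.0 (the release the thread names as the fix), and reports whether the binary was built with the mail modules, since the question concerns IMAP/POP/SMTP use. The `ingress-nginx` namespace, the `app.kubernetes.io/component=controller` label and the banner formats are assumptions about a stock install.

```shell
#!/bin/sh
# Added example (not ingress-nginx project code): assess whether the nginx inside an
# ingress-nginx controller pod is at or above the release the thread names as the fix
# for CVE-2021-3618, and whether it was built with the mail proxy modules at all.
MIN_FIXED="1.21.0"

# Extract "1.19.10" from a banner such as "nginx version: nginx/1.19.10"
# (also accepts "nginx version: openresty/1.21.4.1"; assumed formats).
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: [A-Za-z]*/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Numeric dotted-version compare: succeeds when $1 >= $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# Succeeds when the configure arguments show the mail modules were compiled in.
built_with_mail() {
    printf '%s\n' "$1" | grep -q -- '--with-mail'
}

# Verdict for one complete `nginx -V` output (caller merges stderr into stdout).
# Exit 0 = at/above fixed release, 1 = below it, 2 = banner not recognised.
assess() {
    ver=$(nginx_version_from_banner "$1")
    [ -n "$ver" ] || { echo "unknown: no nginx version banner"; return 2; }
    if version_ge "$ver" "$MIN_FIXED"; then
        echo "ok: nginx $ver >= $MIN_FIXED"
        return 0
    fi
    if built_with_mail "$1"; then
        echo "exposed: nginx $ver < $MIN_FIXED and built with mail modules"
    else
        echo "review: nginx $ver < $MIN_FIXED but no mail modules built in"
    fi
    return 1
}

# Live check against the current kubectl context; namespace and label are assumptions.
if [ "${1:-}" = "--live" ]; then
    ns="${INGRESS_NS:-ingress-nginx}"
    pod=$(kubectl -n "$ns" get pod -l app.kubernetes.io/component=controller \
          -o jsonpath='{.items[0].metadata.name}')
    assess "$(kubectl -n "$ns" exec "$pod" -- nginx -V 2>&1)"
fi
```

Run with `--live` to query the cluster; without it the functions are only defined, so the script can be sourced and fed saved `nginx -V` output.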

strongjz commented 1 year ago

I don't see this come up in the Vulnerability scan for 1.5.2

https://github.com/kubernetes/ingress-nginx/actions/runs/3803822443/attempts/1#summary-10357554200

/close

k8s-ci-robot commented 1 year ago

@strongjz: Closing this issue.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/8487#issuecomment-1367655820):

> I don't see this come up in the Vulnerability scan for 1.5.2
>
> https://github.com/kubernetes/ingress-nginx/actions/runs/3803822443/attempts/1#summary-10357554200
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.