kubernetes / kube-state-metrics

Add-on agent to generate and expose cluster-level metrics.
https://kubernetes.io/docs/concepts/cluster-administration/kube-state-metrics/
Apache License 2.0

kube-state-metrics v2.10.1 CVE's #2313

Closed krishnaindani closed 6 months ago

krishnaindani commented 7 months ago

**What happened**: Ran a Twistlock scan on kube-state-metrics version v2.10.1 and found the following vulnerabilities:

| id | status | cvss | description | severity | packageName | packageVersion | link |
| -- | -- | -- | -- | -- | -- | -- | -- |
| PRISMA-2022-0227 | fixed in v3.10.0 | 7.5 | github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypass in a complex system. | high | github.com/emicklei/go-restful/v3 | v3.9.0 | https://github.com/emicklei/go-restful/issues/497 |
| CVE-2023-45285 | fixed in 1.21.5, 1.20.12 | 7.5 | Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). | high | go | 1.20.10 | https://nvd.nist.gov/vuln/detail/CVE-2023-45285 |
| CVE-2023-45283 | fixed in 1.21.4, 1.20.11 | 7.5 | The filepath package does not recognize paths with a `\??\` prefix as special. On Windows, a path beginning with `\??\` is a Root Local Device path equivalent to a path beginning with `\?\`. Paths with a `\??\` prefix may be used to access arbitrary locations on the system. For example, the path `\??\c:\x` is equivalent to the more common path `c:\x`. Before fix, Clean could convert a rooted path such as `\a\..\??\b` into the root local device path `\??\b`. Clean will now convert this to `.\??\b`. Similarly, Join(`\`, `??`, `b`) could convert a seemingly innocent sequence of path elements into the root local device path `\??\b`. Join will now convert this to `\.\??\b`. In addition, with fix, IsAbs now correctly reports paths beginning with `\??\` as absolute, and VolumeName correctly reports the `\??\` prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with `\?`, resulting in filepath.Clean(`\?\c:`) returning `\?\c:` rather than `\?\c:\` (among other effects). The previous behavior has been restored. | high | go | 1.20.10 | https://nvd.nist.gov/vuln/detail/CVE-2023-45283 |
| CVE-2023-48795 | fixed in 0.17.0 | 5.9 | The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SS | moderate | golang.org/x/crypto | v0.14.0 | https://nvd.nist.gov/vuln/detail/CVE-2023-48795 |
| CVE-2023-45284 | fixed in 1.21.4, 1.20.11 | 5.3 | On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local. | medium | go | 1.20.10 | https://nvd.nist.gov/vuln/detail/CVE-2023-45284 |
| CVE-2023-39326 | fixed in 1.21.5, 1.20.12 | 5.3 | A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. | medium | go | 1.20.10 | https://nvd.nist.gov/vuln/detail/CVE-2023-39326 |

**What you expected to happen**: For these to get resolved with the updates, at least for high severity.

**How to reproduce it (as minimally and precisely as possible)**: Scanning the image through Twistlock

**Anything else we need to know?**: Let me know if this is not the right way to submit.

**Environment**:
* kube-state-metrics version: v2.10.1
* Kubernetes version (use `kubectl version`): 1.21
* Cloud provider or hardware configuration: GKE v1.26.10-gke.1101000
* Other info:

dgrisonnet commented 7 months ago

/triage accepted
/assign

ricardoapl commented 7 months ago

I think there's already work in progress for PRISMA-2022-0227 at https://github.com/kubernetes/kube-state-metrics/issues/2253

krishnaindani commented 7 months ago

Thank you, what about these two CVE-2023-45285 and CVE-2023-45283?

krishnaindani commented 7 months ago

#2253

I see the PR is closed https://github.com/kubernetes/kube-state-metrics/pull/2254, is it not the hook to patch the package?

Are we safe to ignore it with this comment from here https://github.com/kubernetes/kube-state-metrics/pull/2254#issuecomment-1837606989? I see that with version 3.11.0 Prisma is silent.

krishnaindani commented 7 months ago

I can contribute here for the updates, can we get some action plan?

ricardoapl commented 7 months ago

I suggest the discussion on PRISMA-2022-0227 be kept at #2253

I don't think kube-state-metrics is affected by CVE-2023-48795 because it doesn't make use of crypto/ssh, but I could be mistaken

I believe we can update Go regardless of whether or not the remaining ones are false positives

Disclaimer: I'm not a maintainer for kube-state-metrics
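
The two checks behind the comment above are worth making explicit: a scanner that reads the binary's build info sees *modules*, so golang.org/x/crypto shows up whenever any one of its packages is linked, whether or not crypto/ssh is; and the "fixed in 1.21.5, 1.20.12" style of entry lists one fix per release branch, so an installed version has to be compared against the fix on its own branch. The Go program below is an added example, not code from kube-state-metrics or from the scanner. It assumes the dependency list was produced with `go list -deps -f '{{.ImportPath}} {{with .Module}}{{.Path}} {{.Version}}{{end}}' ./...` and the toolchain version taken from `go version -m <binary>` (without the `go` prefix); the dependency list embedded here is constructed for illustration and is not kube-state-metrics' real import graph, and the vulnerable-package annotation on each finding is this example's own reading of the descriptions, not a field the report carries.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding is one row of the scanner table: the advisory id, the module it
// was raised against, the fix versions (one per maintained branch, as the
// report lists them) and the import path of the package inside that module
// that actually contains the bug. VulnPkg is this example's own annotation;
// the scanner report only names the module.
type Finding struct {
	ID      string
	Module  string
	FixedIn []string
	VulnPkg string
}

// Dep is one line of `go list -deps` output: an imported package and the
// module that provides it (Module is empty for the standard library).
type Dep struct {
	ImportPath string
	Module     string
	Version    string
}

type Status string

const (
	Fixed       Status = "fixed version in use"
	NotLinked   Status = "module not in dependency graph"
	Unreachable Status = "vulnerable module linked, vulnerable package not imported"
	Affected    Status = "vulnerable package imported"
)

// parseVersion reads "1.20.10", "v3.9.0" or "v0.17.0-rc1" into three ints,
// dropping any pre-release or build suffix.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unrecognised version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("unrecognised version %q: %w", s, err)
		}
		v[i] = n
	}
	return v, nil
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// IsFixed reports whether version have already carries the fix. Reports list
// one fix per branch ("1.21.5, 1.20.12"): have is fixed if it is at or past
// the fix on its own major.minor branch, or on a branch newer than every
// branch that received a fix. An older branch with no listed fix (1.19.x
// against that pair) is treated as unfixed.
func IsFixed(have string, fixedIn []string) (bool, error) {
	v, err := parseVersion(have)
	if err != nil {
		return false, err
	}
	newest := [3]int{-1, -1, -1}
	for _, f := range fixedIn {
		fv, err := parseVersion(f)
		if err != nil {
			return false, err
		}
		if fv[0] == v[0] && fv[1] == v[1] {
			return !less(v, fv), nil
		}
		if less(newest, fv) {
			newest = fv
		}
	}
	return v[0] > newest[0] || (v[0] == newest[0] && v[1] > newest[1]), nil
}

// Triage combines the version check with reachability. A module is linked
// (and so appears in the binary's build info) as soon as one of its packages
// is imported; the package the advisory is about may never be. Findings
// against module "go" are checked against goVersion and the standard-library
// packages in deps.
func Triage(f Finding, goVersion string, deps []Dep) (Status, error) {
	var linked, reachable bool
	var version string
	for _, d := range deps {
		switch {
		case f.Module == "go" && d.Module == "":
			linked, version = true, goVersion
		case d.Module == f.Module:
			linked, version = true, d.Version
		default:
			continue
		}
		if d.ImportPath == f.VulnPkg || strings.HasPrefix(d.ImportPath, f.VulnPkg+"/") {
			reachable = true
		}
	}
	if !linked {
		return NotLinked, nil
	}
	fixed, err := IsFixed(version, f.FixedIn)
	if err != nil {
		return "", err
	}
	switch {
	case fixed:
		return Fixed, nil
	case reachable:
		return Affected, nil
	default:
		return Unreachable, nil
	}
}

// Constructed sample dependency list (not kube-state-metrics' real graph):
// x/crypto is linked through cryptobyte only, and crypto/ssh is absent.
var sampleDeps = []Dep{
	{"net/http", "", ""},
	{"path/filepath", "", ""},
	{"github.com/emicklei/go-restful/v3", "github.com/emicklei/go-restful/v3", "v3.9.0"},
	{"golang.org/x/crypto/cryptobyte", "golang.org/x/crypto", "v0.14.0"},
	{"golang.org/x/net/http2", "golang.org/x/net", "v0.17.0"},
}

// Rows transcribed from the report in the issue; VulnPkg is this example's
// annotation (CVE-2023-45285 is a `go get` bug, so it lives in cmd/go).
var sampleFindings = []Finding{
	{"PRISMA-2022-0227", "github.com/emicklei/go-restful/v3", []string{"v3.10.0"}, "github.com/emicklei/go-restful/v3"},
	{"CVE-2023-48795", "golang.org/x/crypto", []string{"v0.17.0"}, "golang.org/x/crypto/ssh"},
	{"CVE-2023-45285", "go", []string{"1.21.5", "1.20.12"}, "cmd/go"},
	{"CVE-2023-39326", "go", []string{"1.21.5", "1.20.12"}, "net/http"},
	{"CVE-2023-45283", "go", []string{"1.21.4", "1.20.11"}, "path/filepath"},
}

func main() {
	for _, f := range sampleFindings {
		st, err := Triage(f, "1.20.10", sampleDeps)
		if err != nil {
			fmt.Println(f.ID, "error:", err)
			continue
		}
		fmt.Printf("%-18s %s\n", f.ID, st)
	}
}
```

Against the constructed graph the x/crypto finding comes out as "linked, package not imported" and the go-restful and net/http findings as affected; rerun with goVersion "1.20.12" and the two Go findings on that branch flip to fixed. On a real checkout the same question is answered by `go list -deps ./... | grep '^golang.org/x/crypto/ssh'`, or by `govulncheck ./...`, which goes one step further and checks whether the vulnerable functions are actually called.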

mrueg commented 6 months ago

v2.11.0 has been released. I assume these have been mitigated. If not, please feel free to reopen and share the ones you believe kube-state-metrics is really affected by.