kubernetes / minikube

Run Kubernetes locally
https://minikube.sigs.k8s.io/
Apache License 2.0

`efk` addon image contains Log4j CVEs #15280

Open spowelljr opened 1 year ago

spowelljr commented 1 year ago

The efk addon contains the image k8s.gcr.io/elasticsearch:v5.6.2@sha256:7e95b32a7a2aad0c0db5c881e4a1ce8b7e53236144ae9d9cfb5fbe5608af4ab2

This image contains Log4j CVEs

  ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720] in org.apache.logging.log4j:log4j-core@2.9.1
    introduced by org.apache.logging.log4j:log4j-core@2.9.1
  ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014] in org.apache.logging.log4j:log4j-core@2.9.1
    introduced by org.apache.logging.log4j:log4j-core@2.9.1

If you are using the addon we recommend you run `minikube addons disable efk` to terminate the vulnerable pod. If you are not using the efk addon you are not vulnerable.
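As an added example (not minikube's own code), a small POSIX shell audit that scans a pod listing for the vulnerable elasticsearch image named above, matching by the digest from this issue or by name:tag, and points at the disable command recommended here. The pod listing embedded below is constructed; on a real cluster, pipe in the `kubectl get pods` jsonpath output shown in the comment.

```shell
#!/bin/sh
# Added example, not minikube project code. On a real cluster feed this:
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{range .spec.containers[*]}{.image}{" "}{end}{"\n"}{end}'

# Image and digest named in this issue.
VULN_IMAGE='k8s.gcr.io/elasticsearch:v5.6.2'
VULN_DIGEST='sha256:7e95b32a7a2aad0c0db5c881e4a1ce8b7e53236144ae9d9cfb5fbe5608af4ab2'

# Constructed sample listing: "<namespace> <pod> <image> [<image>...]" per line.
# Pod names mirror the thread; the non-elasticsearch image tags are made up.
SAMPLE_PODS='kube-system coredns-787d4945fb-rfbgc registry.k8s.io/coredns/coredns:v1.9.3
kube-system elasticsearch-logging-hnpz6 k8s.gcr.io/elasticsearch:v5.6.2@sha256:7e95b32a7a2aad0c0db5c881e4a1ce8b7e53236144ae9d9cfb5fbe5608af4ab2
kube-system fluentd-es-xxsjv k8s.gcr.io/fluentd-elasticsearch:constructed-tag
kube-system kibana-logging-vl7s9 docker.elastic.co/kibana/kibana:constructed-tag'

# Read the listing on stdin; print "namespace pod image" for each container
# whose image is the vulnerable one. The digest is authoritative; the name:tag
# match covers pod specs that omit the digest.
find_vulnerable_efk_pods() {
    while read -r ns pod images; do
        for img in $images; do
            case "$img" in
                *"$VULN_DIGEST"*|"$VULN_IMAGE"|"$VULN_IMAGE"@*)
                    printf '%s %s %s\n' "$ns" "$pod" "$img" ;;
            esac
        done
    done
}

# Return 0 when the listing is clean, 1 when a vulnerable container is running,
# printing the remediation from this issue to stderr.
audit_efk() {
    hits=$(find_vulnerable_efk_pods)
    if [ -n "$hits" ]; then
        printf 'vulnerable elasticsearch image running in:\n%s\n' "$hits" >&2
        printf 'remediation: minikube addons disable efk\n' >&2
        return 1
    fi
    return 0
}

# Run against the constructed sample when executed directly.
if printf '%s\n' "$SAMPLE_PODS" | audit_efk; then
    echo "no vulnerable efk image found"
fi
```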

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

henk52 commented 1 year ago

I assume this is complicated to resolve; is there anywhere to go to read up on how to solve this issue?

spowelljr commented 1 year ago

It requires replacing the vulnerable elasticsearch image with an updated one and making sure the addon still works as intended. After that's completed we can unban the addon.

nekperu15739 commented 1 year ago

Hi, I know it's a risk, however for local dev, is there any workaround to make it possible to enable the addon?

nekperu15739 commented 1 year ago

Hi @spowelljr

Any update on this?

Sikamator commented 1 year ago

Any updates?

spowelljr commented 1 year ago

I created a PR to update the elasticsearch, kibana, and alpine images. I have no idea if the addon will continue to work with the updated images. You can test the PR once it's finished building and let me know if it's working as expected.

spowelljr commented 1 year ago

The pods are coming up, which is promising.

```
$ kubectl get pods -A
NAMESPACE     NAME                               READY   STATUS    RESTARTS        AGE
kube-system   coredns-787d4945fb-rfbgc           1/1     Running   0               2m45s
kube-system   elasticsearch-logging-hnpz6        1/1     Running   0               118s
kube-system   etcd-minikube                      1/1     Running   0               2m58s
kube-system   fluentd-es-xxsjv                   1/1     Running   0               118s
kube-system   kibana-logging-vl7s9               1/1     Running   0               118s
kube-system   kube-apiserver-minikube            1/1     Running   0               3m
kube-system   kube-controller-manager-minikube   1/1     Running   0               2m58s
kube-system   kube-proxy-zvmp9                   1/1     Running   0               2m45s
kube-system   kube-scheduler-minikube            1/1     Running   0               2m58s
kube-system   storage-provisioner                1/1     Running   1 (2m14s ago)   2m57s
```

spowelljr commented 1 year ago

Here's the macOS amd64 binary: https://storage.googleapis.com/minikube-builds/16343/minikube-darwin-amd64 Linux amd64 binary: https://storage.googleapis.com/minikube-builds/16343/minikube-linux-amd64

If someone could test it and let me know if it works as expected. If someone needs a different binary just let me know

Sikamator commented 1 year ago

> Here's the macOS amd64 binary: https://storage.googleapis.com/minikube-builds/16343/minikube-darwin-amd64 Linux amd64 binary: https://storage.googleapis.com/minikube-builds/16343/minikube-linux-amd64
>
> If someone could test it and let me know if it works as expected. If someone needs a different binary just let me know

Hello, I've tested it and confirm it works fine. Thank you.

spowelljr commented 1 year ago

Hi @Sikamator, just confirming that the addon is working as expected as well? i.e. it's aggregating logs as expected, not just that the addon started.

gryphon2411 commented 1 year ago

@spowelljr, your PR review failed, and as a result, wasn't merged

wdcs-meetsoni commented 2 months ago

Still can't enable. Any updates?