search

kubernetes / node-problem-detector

This is a place for various problem detectors running on the Kubernetes nodes.
Apache License 2.0
2.83k stars 615 forks source link

High CVEs in v0.8.17 #887

Closed geetasg closed 3 months ago

geetasg commented 3 months ago

A scan shows 6 high CVEs for version 0.8.17. This issue to request when might these get fixed. 


./trivy image --severity LOW,MEDIUM,HIGH,CRITICAL --ignore-unfixed --exit-code 3 --exit-on-eol 7 --scanners vuln registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.17
2024-03-18T15:46:26.545Z    INFO    Vulnerability scanning is enabled
2024-03-18T15:46:26.883Z    INFO    Detected OS: debian
2024-03-18T15:46:26.883Z    INFO    Detecting Debian vulnerabilities...
2024-03-18T15:46:26.893Z    INFO    Number of language-specific files: 3
2024-03-18T15:46:26.893Z    INFO    Detecting gobinary vulnerabilities...

registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.17 (debian 12.4)

Total: 10 (LOW: 2, MEDIUM: 2, HIGH: 6, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬───────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version     │                           Title                           │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼───────────────────────────────────────────────────────────┤
│ libc-bin    │ CVE-2023-6246  │ HIGH     │ fixed  │ 2.36-9+deb12u3    │ 2.36-9+deb12u4        │ glibc: heap-based buffer overflow in __vsyslog_internal() │
│             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-6246                 │
│             ├────────────────┤          │        │                   │                       ├───────────────────────────────────────────────────────────┤
│             │ CVE-2023-6779  │          │        │                   │                       │ glibc: off-by-one heap-based buffer overflow in           │
│             │                │          │        │                   │                       │ __vsyslog_internal()                                      │
│             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-6779                 │
│             ├────────────────┼──────────┤        │                   │                       ├───────────────────────────────────────────────────────────┤
│             │ CVE-2023-6780  │ MEDIUM   │        │                   │                       │ glibc: integer overflow in __vsyslog_internal()           │
│             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-6780                 │
├─────────────┼────────────────┼──────────┤        │                   │                       ├───────────────────────────────────────────────────────────┤
│ libc6       │ CVE-2023-6246  │ HIGH     │        │                   │                       │ glibc: heap-based buffer overflow in __vsyslog_internal() │
│             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-6246                 │
│             ├────────────────┤          │        │                   │                       ├───────────────────────────────────────────────────────────┤
│             │ CVE-2023-6779  │          │        │                   │                       │ glibc: off-by-one heap-based buffer overflow in           │
│             │                │          │        │                   │                       │ __vsyslog_internal()                                      │
│             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-6779                 │
│             ├────────────────┼──────────┤        │                   │                       ├───────────────────────────────────────────────────────────┤
│             │ CVE-2023-6780  │ MEDIUM   │        │                   │                       │ glibc: integer overflow in __vsyslog_internal()           │
│             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-6780                 │
├─────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────────────┼───────────────────────────────────────────────────────────┤
│ libgnutls30 │ CVE-2024-0553  │ HIGH     │        │ 3.7.9-2+deb12u1   │ 3.7.9-2+deb12u2       │ gnutls: incomplete fix for CVE-2023-5981                  │
│             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2024-0553                 │
│             ├────────────────┤          │        │                   │                       ├───────────────────────────────────────────────────────────┤
│             │ CVE-2024-0567  │          │        │                   │                       │ gnutls: rejects certificate chain with distributed trust  │
│             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2024-0567                 │
├─────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────────────┼───────────────────────────────────────────────────────────┤
│ tar         │ CVE-2022-48303 │ LOW      │        │ 1.34+dfsg-1.2     │ 1.34+dfsg-1.2+deb12u1 │ heap buffer overflow at from_header() in list.c via       │
│             │                │          │        │                   │                       │ specially crafted checksum                                │
│             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2022-48303                │
│             ├────────────────┤          │        │                   │                       ├───────────────────────────────────────────────────────────┤
│             │ CVE-2023-39804 │          │        │                   │                       │ tar: Incorrectly handled extension attributes in PAX      │
│             │                │          │        │                   │                       │ archives can lead to a...                                 │
│             │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2023-39804                │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴───────────────────────────────────────────────────────────┘

home/kubernetes/bin/log-counter (gobinary)

Total: 1 (LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf │ CVE-2024-24786 │ MEDIUM   │ fixed  │ v1.32.0           │ 1.33.0        │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                            │                │          │        │                   │               │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                            │                │          │        │                   │               │ certain forms of...                                          │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

node-problem-detector (gobinary)

Total: 1 (LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf │ CVE-2024-24786 │ MEDIUM   │ fixed  │ v1.32.0           │ 1.33.0        │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                            │                │          │        │                   │               │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                            │                │          │        │                   │               │ certain forms of...                                          │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
JohnRusk commented 3 months ago

I think these are fixed now in Master. Is there any plan to release a 0.8.18 release soon? @wangzhen127 , @Random-Liu @vteratipally

wangzhen127 commented 3 months ago

When is this needed? I see the base image was also updated. We could release a new version for the CVE fixes.

geetasg commented 3 months ago

Please cut a release this week if possible. Also - we found a new CVE - CVE-2024-28085 - in our latest scan. I think it will also get addressed with the new release. Please clarify if I should report it separate from this issue. Thanks!

wangzhen127 commented 3 months ago

Will release v0.8.18 later this week.

rishabh-11 commented 3 months ago

Found two more CVEs 

perl 5.36.0-7+deb12u1

NVD
CVE-2023-47100
Published: 2023-12-02 - Modified: 2023-12-14
CVSS v3: 9.8
Description
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

glibc 2.36-9+deb12u3

NVD
CVE-2023-6246
Published: 2024-01-31 - Modified: 2024-02-16
CVSS v3: 7.8
Description
A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

Please try to address them in the next release as well

hakman commented 3 months ago

As @wangzhen127 mentioned, v0.18.8 should be released this week. Current staging image should include all the latest fixes.

 % trivy image --severity LOW,MEDIUM,HIGH,CRITICAL --ignore-unfixed --exit-code 3 --exit-on-eol 7 --scanners vuln gcr.io/k8s-staging-npd/node-problem-detector:master              
2024-04-04T06:12:15.770+0300    INFO    Vulnerability scanning is enabled
2024-04-04T06:12:24.878+0300    INFO    Detected OS: debian
2024-04-04T06:12:24.878+0300    INFO    Detecting Debian vulnerabilities...
2024-04-04T06:12:24.889+0300    INFO    Number of language-specific files: 3
2024-04-04T06:12:24.889+0300    INFO    Detecting gobinary vulnerabilities...

gcr.io/k8s-staging-npd/node-problem-detector:master (debian 12.5)

Total: 0 (LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
wangzhen127 commented 3 months ago

v0.8.18 has released.

/close

k8s-ci-robot commented 3 months ago

@wangzhen127: Closing this issue.

In response to [this](https://github.com/kubernetes/node-problem-detector/issues/887#issuecomment-2039006262): >v0.8.18 has released. > >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.