search

kubernetes / node-problem-detector

This is a place for various problem detectors running on the Kubernetes nodes.
Apache License 2.0
2.83k stars 615 forks source link

High CVEs in v0.8.18 #904

Closed mounchin closed 1 month ago

mounchin commented 2 months ago

Vulnerability scan shows high CVEs for version 0.8.18. This issue to request when might these get fixed.

trivy image --severity LOW,MEDIUM,HIGH,CRITICAL --ignore-unfixed --exit-code 3 --exit-on-eol 7 --scanners vuln registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.18

registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.18 (debian 12.5)

Total: 2 (LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌──────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version  │                         Title                          │
├──────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2024-2961 │ HIGH     │ fixed  │ 2.36-9+deb12u4    │ 2.36-9+deb12u6 │ glibc: Out of bounds write in iconv may lead to remote │
│          │               │          │        │                   │                │ code...                                                │
│          │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-2961              │
├──────────┤               │          │        │                   │                │                                                        │
│ libc6    │               │          │        │                   │                │                                                        │
│          │               │          │        │                   │                │                                                        │
│          │               │          │        │                   │                │                                                        │
└──────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────┘

home/kubernetes/bin/log-counter (gobinary)

Total: 1 (LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-45288 │ MEDIUM   │ fixed  │ v0.22.0           │ 0.23.0        │ golang: net/http, x/net/http2: unlimited number of │
│                  │                │          │        │                   │               │ CONTINUATION frames causes DoS                     │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘

node-problem-detector (gobinary)

Total: 1 (LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-45288 │ MEDIUM   │ fixed  │ v0.22.0           │ 0.23.0        │ golang: net/http, x/net/http2: unlimited number of │
│                  │                │          │        │                   │               │ CONTINUATION frames causes DoS                     │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘
rishabh-11 commented 2 months ago

There are two more CVEs

Found two more CVEs

perl 5.36.0-7+deb12u1

NVD
CVE-2023-47100
Published: 2023-12-02 - Modified: 2023-12-14
CVSS v3: 9.8
Description
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

glibc 2.36-9+deb12u3

NVD
CVE-2023-6246
Published: 2024-01-31 - Modified: 2024-02-16
CVSS v3: 7.8
Description
A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.
Please try to address them in the next release as well

I had mentioned it in https://github.com/kubernetes/node-problem-detector/issues/887#issuecomment-2031411396 but it is still not included.

mounchin commented 2 months ago

Found one new high CVE finding(CVE-2024-33599).

Total: 10 (LOW: 0, MEDIUM: 6, HIGH: 4, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2024-2961  │ HIGH     │ fixed  │ 2.36-9+deb12u4    │ 2.36-9+deb12u6 │ glibc: Out of bounds write in iconv may lead to remote       │
│          │                │          │        │                   │                │ code...                                                      │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-2961                    │
│          ├────────────────┤          │        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│          │ CVE-2024-33599 │          │        │                   │ 2.36-9+deb12u7 │ glibc: stack-based buffer overflow in netgroup cache         │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-33599                   │
│          ├────────────────┼──────────┤        │                   │                ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2024-33600 │ MEDIUM   │        │                   │                │ glibc: null pointer dereferences after failed netgroup cache │
│          │                │          │        │                   │                │ insertion                                                    │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-33600                   │
│          ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2024-33601 │          │        │                   │                │ glibc: netgroup cache may terminate daemon on memory         │
│          │                │          │        │                   │                │ allocation failure                                           │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-33601                   │
│          ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2024-33602 │          │        │                   │                │ glibc: netgroup cache assumes NSS callback uses in-buffer    │
│          │                │          │        │                   │                │ strings                                                      │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-33602                   │
├──────────┼────────────────┼──────────┤        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6    │ CVE-2024-2961  │ HIGH     │        │                   │ 2.36-9+deb12u6 │ glibc: Out of bounds write in iconv may lead to remote       │
│          │                │          │        │                   │                │ code...                                                      │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-2961                    │
│          ├────────────────┤          │        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│          │ CVE-2024-33599 │          │        │                   │ 2.36-9+deb12u7 │ glibc: stack-based buffer overflow in netgroup cache         │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-33599                   │
│          ├────────────────┼──────────┤        │                   │                ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2024-33600 │ MEDIUM   │        │                   │                │ glibc: null pointer dereferences after failed netgroup cache │
│          │                │          │        │                   │                │ insertion                                                    │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-33600                   │
│          ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2024-33601 │          │        │                   │                │ glibc: netgroup cache may terminate daemon on memory         │
│          │                │          │        │                   │                │ allocation failure                                           │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-33601                   │
│          ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2024-33602 │          │        │                   │                │ glibc: netgroup cache assumes NSS callback uses in-buffer    │
│          │                │          │        │                   │                │ strings                                                      │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-33602                   │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘
hakman commented 1 month ago

908 should fix all known issues.

@wangzhen127 any thoughts on when you could do a new release?

> trivy image --severity LOW,MEDIUM,HIGH,CRITICAL --ignore-unfixed --exit-code 3 --exit-on-eol 7 --scanners vuln gcr.io/k8s-staging-npd/node-problem-detector:master          
2024-05-14T03:30:12.979+0300    INFO    Vulnerability scanning is enabled
2024-05-14T03:30:22.471+0300    INFO    Detected OS: debian
2024-05-14T03:30:22.472+0300    INFO    Detecting Debian vulnerabilities...
2024-05-14T03:30:22.480+0300    INFO    Number of language-specific files: 3
2024-05-14T03:30:22.480+0300    INFO    Detecting gobinary vulnerabilities...

gcr.io/k8s-staging-npd/node-problem-detector:master (debian 12.5)

Total: 0 (LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
wangzhen127 commented 1 month ago

I could do a release later this week.

ankychow commented 1 month ago

High CVE's reported. Can we have fix for these CVE's at the earliest.

CVE-2023-45288 HIGH stdlib partner gobinary The Go Vulnerability Database https://pkg.go.dev/vuln/ CVE-2024-24788 HIGH stdlib partner gobinary The Go Vulnerability Database https://pkg.go.dev/vuln/ CVE-2024-33599 HIGH libc6 partner debian Debian Security Tracker https://salsa.debian.org/security-tracker-team/security-tracker CVE-2024-2961 HIGH libc6 partner debian Debian Security Tracker https://salsa.debian.org/security-tracker-team/security-tracker CVE-2024-33599 HIGH libc-bin partner debian Debian Security Tracker https://salsa.debian.org/security-tracker-team/security-tracker CVE-2024-2961 HIGH libc-bin partner debian Debian Security Tracker https://salsa.debian.org/security-tracker-team/security-tracker

hakman commented 1 month ago

@ankychow Could you check gcr.io/k8s-staging-npd/node-problem-detector:master ?

hakman commented 1 month ago

Closed via https://github.com/kubernetes/node-problem-detector/pull/914. Thanks @wangzhen127! /close

k8s-ci-robot commented 1 month ago

@hakman: Closing this issue.

In response to [this](https://github.com/kubernetes/node-problem-detector/issues/904#issuecomment-2118661218): >Closed via https://github.com/kubernetes/node-problem-detector/pull/914. Thanks @wangzhen127! >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.