kubernetes / node-problem-detector

This is a place for various problem detectors running on the Kubernetes nodes.
Apache License 2.0
2.9k stars 624 forks

CVE found with v0.8.19 #926

Open aaronfern opened 1 month ago

aaronfern commented 1 month ago

A vulnerability scan showed a CVE for NPD:v0.8.19

NVD

CVE-2023-4911
Published: 2023-10-03 - Modified: 2024-02-22
CVSS v3: 7.8
Description
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

This issue is to log this and ask when this would be fixed.

mounchin commented 1 month ago

A few more new CVEs:

trivy image --severity LOW,MEDIUM,HIGH,CRITICAL --ignore-unfixed --exit-code 3 --exit-on-eol 7 --scanners vuln registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.19

Total: 8 (LOW: 0, MEDIUM: 2, HIGH: 6, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version   │                            Title                             │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libgnutls30    │ CVE-2024-28834 │ MEDIUM   │ fixed  │ 3.7.9-2+deb12u2   │ 3.7.9-2+deb12u3  │ gnutls: vulnerable to Minerva side-channel information leak  │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-28834                   │
│                ├────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2024-28835 │          │        │                   │                  │ gnutls: potential crash during chain building/verification   │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-28835                   │
├────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libsystemd-dev │ CVE-2023-50387 │ HIGH     │        │ 252.22-1~deb12u1  │ 252.23-1~deb12u1 │ bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50387                   │
│                ├────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-50868 │          │        │                   │                  │ bind9: Preparing an NSEC3 closest encloser proof can exhaust │
│                │                │          │        │                   │                  │ CPU resources                                                │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50868                   │
├────────────────┼────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│ libsystemd0    │ CVE-2023-50387 │          │        │                   │                  │ bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50387                   │
│                ├────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-50868 │          │        │                   │                  │ bind9: Preparing an NSEC3 closest encloser proof can exhaust │
│                │                │          │        │                   │                  │ CPU resources                                                │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50868                   │
├────────────────┼────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│ libudev1       │ CVE-2023-50387 │          │        │                   │                  │ bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50387                   │
│                ├────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-50868 │          │        │                   │                  │ bind9: Preparing an NSEC3 closest encloser proof can exhaust │
│                │                │          │        │                   │                  │ CPU resources                                                │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50868                   │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────┴──────────────────────────────────────────────────────────────┘

jranabahu commented 4 weeks ago

Our scans show additional CVEs to the ones reported above. Please find the complete list (including some of the ones mentioned earlier) of CVEs reported against this image.

image

jingxu97 commented 4 weeks ago

Wondering if someone would like to submit a CL to update golang, go mod, etc. to resolve those CVEs?

wangzhen127 commented 4 weeks ago

> Wondering if someone would like to submit a CL to update golang, go mod, etc. to resolve those CVEs?

This is covered by weekly deps update. It is usually auto generated on Fridays.

AnishShah commented 4 weeks ago

@hakman does dep-bot update Go version as well? or just Go modules/pkgs?

wangzhen127 commented 4 weeks ago

And also https://github.com/kubernetes/node-problem-detector/blob/master/Dockerfile#L23?

wangzhen127 commented 4 weeks ago

Looks like the dep-bot does not update golang version: https://github.com/kubernetes/node-problem-detector/pull/935

jranabahu commented 3 weeks ago

Can we please get an update on when to expect a new release with these CVEs fixed?

PelagicGames commented 2 weeks ago

Bump! It would be great to get a 0.8.20 release to address these CVEs in a tagged release.