Closed: sftim closed this issue 3 months ago
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- lifecycle/stale is applied
- after lifecycle/stale was applied, lifecycle/rotten is applied
- after lifecycle/rotten was applied, the issue is closed
You can:
- /remove-lifecycle stale
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- lifecycle/stale is applied
- after lifecycle/stale was applied, lifecycle/rotten is applied
- after lifecycle/rotten was applied, the issue is closed
You can:
- /remove-lifecycle rotten
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
This is planned to be done as part of beta to GA
/remove-lifecycle rotten
/remove-lifecycle stale
/remove-lifecycle rotten
Did some quick analysis, so I wanted to share this here in preparation for implementing this:
REST API: https://docs.github.com/en/rest/issues/issues?apiVersion=2022-11-28#get-an-issue
Fields of interest: state (open / closed), state_reason
Possible values for state_reason: completed, not_planned, reopened, null
Actual values we want to translate them into for CVE Status:
- state == open --> "open"
- state == closed, state_reason == completed --> "fixed"
- state == closed, state_reason == not_planned --> "unfixed"
- state == open, state_reason == "reopened" --> "unknown"
Example:
```shell
personal-macbook:~ pushkarj$ curl -L -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/kubernetes/kubernetes/issues/124759
```

```json
{
  "url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759",
  "repository_url": "https://api.github.com/repos/kubernetes/kubernetes",
  "labels_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/labels{/name}",
  "comments_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/comments",
  "events_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/events",
  "html_url": "https://github.com/kubernetes/kubernetes/issues/124759",
  "id": 2285943659,
  "node_id": "I_kwDOAToIks6IQLtr",
  "number": 124759,
  "title": "CVE-2024-3744: azure-file-csi-driver discloses service account tokens in logs",
  "user": {
    "login": "ritazh",
    "id": 1856066,
    "node_id": "MDQ6VXNlcjE4NTYwNjY=",
    "avatar_url": "https://avatars.githubusercontent.com/u/1856066?v=4",
    "gravatar_id": "",
    "url": "https://api.github.com/users/ritazh",
    "html_url": "https://github.com/ritazh",
    "followers_url": "https://api.github.com/users/ritazh/followers",
    "following_url": "https://api.github.com/users/ritazh/following{/other_user}",
    "gists_url": "https://api.github.com/users/ritazh/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/ritazh/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/ritazh/subscriptions",
    "organizations_url": "https://api.github.com/users/ritazh/orgs",
    "repos_url": "https://api.github.com/users/ritazh/repos",
    "events_url": "https://api.github.com/users/ritazh/events{/privacy}",
    "received_events_url": "https://api.github.com/users/ritazh/received_events",
    "type": "User",
    "site_admin": false
  },
  "labels": [
    {
      "id": 105146071,
      "node_id": "MDU6TGFiZWwxMDUxNDYwNzE=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/kind/bug",
      "name": "kind/bug",
      "color": "e11d21",
      "default": false,
      "description": "Categorizes issue or PR as related to a bug."
    },
    {
      "id": 116712923,
      "node_id": "MDU6TGFiZWwxMTY3MTI5MjM=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/area/security",
      "name": "area/security",
      "color": "d93f0b",
      "default": false,
      "description": null
    },
    {
      "id": 357119284,
      "node_id": "MDU6TGFiZWwzNTcxMTkyODQ=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/sig/auth",
      "name": "sig/auth",
      "color": "d2b48c",
      "default": false,
      "description": "Categorizes an issue or PR as relevant to SIG Auth."
    },
    {
      "id": 778118403,
      "node_id": "MDU6TGFiZWw3NzgxMTg0MDM=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/lifecycle/frozen",
      "name": "lifecycle/frozen",
      "color": "d3e2f0",
      "default": false,
      "description": "Indicates that an issue or PR should not be auto-closed due to staleness."
    },
    {
      "id": 1199275492,
      "node_id": "MDU6TGFiZWwxMTk5Mjc1NDky",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/committee/security-response",
      "name": "committee/security-response",
      "color": "c0ff4a",
      "default": false,
      "description": "Denotes an issue or PR intended to be handled by the product security committee."
    },
    {
      "id": 2389856656,
      "node_id": "MDU6TGFiZWwyMzg5ODU2NjU2",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/triage/accepted",
      "name": "triage/accepted",
      "color": "8fc951",
      "default": false,
      "description": "Indicates an issue or PR is ready to be actively worked on."
    },
    {
      "id": 3603068678,
      "node_id": "LA_kwDOAToIks7WwncG",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/official-cve-feed",
      "name": "official-cve-feed",
      "color": "0052cc",
      "default": false,
      "description": "Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)"
    }
  ],
  "state": "closed",
  "locked": false,
  "assignee": null,
  "assignees": [],
  "milestone": null,
  "comments": 1,
  "created_at": "2024-05-08T16:02:57Z",
  "updated_at": "2024-05-15T00:45:12Z",
  "closed_at": "2024-05-15T00:45:12Z",
  "author_association": "MEMBER",
  "active_lock_reason": null,
  "body": "CVSS Rating: [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) - **MEDIUM** (6.5)\r\n\r\nA security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when [TokenRequests is configured in the CSIDriver object](https://kubernetes-csi.github.io/docs/token-requests.html) and the driver is set to run at log level 2 or greater via the -v flag.\r\n\r\nThis issue has been rated **MEDIUM** [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) (6.5), and assigned **CVE-2024-3744**\r\n\r\n### Am I vulnerable?\r\n\r\nYou may be vulnerable if [TokenRequests is configured in the CSIDriver object](https://kubernetes-csi.github.io/docs/token-requests.html) and the driver is set to run at log level 2 or greater via the -v flag.\r\n\r\nTo check if token requests are configured, run the following command:\r\n\r\nkubectl get csidriver file.csi.azure.com -o jsonpath=\"{.spec.tokenRequests}\"\r\n\r\nTo check if tokens are being logged, examine the secrets-store container log:\r\n\r\nkubectl logs csi-azurefile-controller-56bfddd689-dh5tk -c azurefile -f | grep --line-buffered \"csi.storage.k8s.io/serviceAccount.tokens\"\r\n\r\n#### Affected Versions\r\n\r\n- azure-file-csi-driver <= v1.29.3\r\n- azure-file-csi-driver v1.30.0\r\n\r\n### How do I mitigate this vulnerability?\r\n\r\nPrior to upgrading, this vulnerability can be mitigated by running azure-file-csi-driver at log level 0 or 1 via the -v flag.\r\n\r\n#### Fixed Versions\r\n\r\n- azure-file-csi-driver v1.29.4\r\n- azure-file-csi-driver v1.30.1\r\n\r\nTo upgrade, refer to the documentation: https://github.com/kubernetes-sigs/azurefile-csi-driver?tab=readme-ov-file#install-driver-on-a-kubernetes-cluster \r\n\r\n### Detection\r\n\r\nExamine cloud provider logs for unexpected token exchanges, as well as unexpected access to cloud resources.\r\n\r\nIf you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io\r\n\r\n#### Acknowledgements\r\n\r\nThis vulnerability was patched by Weizhi Chen @cvvz from Microsoft.\r\n\r\nThank You,\r\nRita Zhang on behalf of the Kubernetes Security Response Committee\r\n\r\n/triage accepted\r\n/lifecycle frozen\r\n/area security\r\n/kind bug\r\n/committee security-response",
  "closed_by": {
    "login": "ritazh",
    "id": 1856066,
    "node_id": "MDQ6VXNlcjE4NTYwNjY=",
    "avatar_url": "https://avatars.githubusercontent.com/u/1856066?v=4",
    "gravatar_id": "",
    "url": "https://api.github.com/users/ritazh",
    "html_url": "https://github.com/ritazh",
    "followers_url": "https://api.github.com/users/ritazh/followers",
    "following_url": "https://api.github.com/users/ritazh/following{/other_user}",
    "gists_url": "https://api.github.com/users/ritazh/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/ritazh/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/ritazh/subscriptions",
    "organizations_url": "https://api.github.com/users/ritazh/orgs",
    "repos_url": "https://api.github.com/users/ritazh/repos",
    "events_url": "https://api.github.com/users/ritazh/events{/privacy}",
    "received_events_url": "https://api.github.com/users/ritazh/received_events",
    "type": "User",
    "site_admin": false
  },
  "reactions": {
    "url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/reactions",
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
  },
  "timeline_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/timeline",
  "performed_via_github_app": null,
  "state_reason": "completed"
}
```
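The state-to-status translation proposed in the comment above, as an added worked example that is not the Kubernetes project's own feed-generation code. It reads the `state`, `state_reason` and `labels` fields of a GET /issues response and produces the CVE status value. Two details are this example's own assumptions rather than anything stated in the thread: the `reopened` rule is checked before the plain `open` rule so that it is reachable, and any combination the thread does not list (for instance `closed` with a `null` `state_reason`, which the API permits) is reported as `unknown` instead of being guessed. The sample issue JSON is constructed from the fields shown in the response above.

```python
"""Map GitHub issue state to an official-cve-feed status value.

Added example, not the Kubernetes project's own tooling. Implements the
state/state_reason mapping proposed in the thread; precedence of the
"reopened" check and the "unknown" fallback are this example's assumptions.
"""
import json
from typing import Optional

# Constructed sample: the fields the mapping needs, taken from the
# GET /repos/kubernetes/kubernetes/issues/124759 response shown above.
SAMPLE_ISSUE_JSON = """
{
  "number": 124759,
  "title": "CVE-2024-3744: azure-file-csi-driver discloses service account tokens in logs",
  "labels": [{"name": "kind/bug"}, {"name": "official-cve-feed"}],
  "state": "closed",
  "state_reason": "completed"
}
"""


def load_issue(text: str) -> dict:
    """Parse one issue object as returned by the GitHub REST API."""
    return json.loads(text)


def cve_status(issue: dict) -> str:
    """Translate (state, state_reason) into open / fixed / unfixed / unknown."""
    state = issue.get("state")
    reason = issue.get("state_reason")  # completed, not_planned, reopened or null
    # Assumption: "reopened" must be tested before the generic open rule,
    # otherwise state == open would always win and "unknown" would never be produced.
    if state == "open" and reason == "reopened":
        return "unknown"
    if state == "open":
        return "open"
    if state == "closed" and reason == "completed":
        return "fixed"
    if state == "closed" and reason == "not_planned":
        return "unfixed"
    # Assumption: anything not covered by the proposed rules (e.g. closed with a
    # null state_reason) is surfaced as unknown rather than silently guessed.
    return "unknown"


def is_cve_feed_issue(issue: dict) -> bool:
    """Only issues labelled official-cve-feed belong in the feed."""
    return any(label.get("name") == "official-cve-feed"
               for label in issue.get("labels", []))


def feed_entry(issue: dict) -> Optional[dict]:
    """Build the feed record for an issue, or None if it is not a feed issue."""
    if not is_cve_feed_issue(issue):
        return None
    return {
        "number": issue["number"],
        "title": issue["title"],
        "status": cve_status(issue),
    }


if __name__ == "__main__":
    print(json.dumps(feed_entry(load_issue(SAMPLE_ISSUE_JSON)), indent=2))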
@PushkarJ is this issue waiting for contributions? I'm interested in getting involved in the sig-security :)
Hi @jbiers yes please. We would love any help you can offer on this! Feel free tag me with questions here or in #sig-security-tooling
/assign
New status field was included in the PR mentioned above. This field is being exported into the JSON feed by default since it automatically includes all fields.
kubernetes/website#46996 by @sftim added different styling based on the CVE status to the rendered HTML. kubernetes/website#47000 by myself includes the new field in the RSS feed.
Should we close this issue as completed or any extra steps are needed?
Thank you so much for excellent progress on this @jbiers especially swiftly updating RSS feed and @sftim for setting the unfixed CVEs as bold.
Looking at the preview on my phone I don't see any currently listed CVEs in bold. Does that mean existing list does not have any unfixed CVEs? (I am also looking at this from my phone, so not sure if that matters)
Yes, we don't have any vulnerabilities announced but with no published fix (this is typical / normal).
See https://github.com/kubernetes/website/pull/46996 for hints about how to preview if you have a desktop-type browser available.
Ok thanks for confirmation. With this in place I will add a few that are unfixed in next few days and see what happens.
I believe the only thing remaining to close this and mark it as resolved is the PR merge that fixes https://github.com/kubernetes/website/issues/47003 I left a small comment on the issue to discuss potential notifications of old CVEs.
On second thoughts https://github.com/kubernetes/website/issues/47003 is unrelated to translating issue status to CVE status so we can mark this as complete.
Thank you so much for working on this @jbiers !! We really appreciate you putting in the work and showing up :)
/close
@PushkarJ: Closing this issue.
This came out of a SIG Security meeting and builds on issue https://github.com/kubernetes/sig-security/issues/97
For https://kubernetes.io/docs/reference/issues-security/official-cve-feed/, people reading the site want to find out what's there.
There are different views on what behavior feels right to end users. @PushkarJ explained the current (at time of writing) behavior is to only list resolved issues; “resolved” means a fix is published. @IanColdwater gave some context from other projects, some of which only publish CVEs once a fix is available. They mentioned Ubuntu where CVE issues have tags (tracked per release) - https://ubuntu.com/security/cves
This issue is a feature request to add more data to the CVE feed (not the rendered HTML) to show whether the Kubernetes project sees the CVE as:
(conveniently and by intent, we can derive these from GitHub's issues API)
For adding open issues into the rendered HTML CVE feed, see #97