kubernetes / sig-security

Process documentation, non-code deliverables, and miscellaneous artifacts of Kubernetes SIG Security
Apache License 2.0

Publish CVE issue status in JSON CVE feed #98

Closed sftim closed 3 months ago

sftim commented 1 year ago

This came out of a SIG Security meeting and builds on issue https://github.com/kubernetes/sig-security/issues/97

For https://kubernetes.io/docs/reference/issues-security/official-cve-feed/, people reading the site want to find out what's there.

There are different views on what behavior feels right to end users. @PushkarJ explained the current (at time of writing) behavior is to only list resolved issues; “resolved” means a fix is published. @IanColdwater gave some context from other projects, some of which only publish CVEs once a fix is available. They mentioned Ubuntu where CVE issues have tags (tracked per release) - https://ubuntu.com/security/cves

This issue is a feature request to add more data to the CVE feed (not the rendered HTML) to show whether the Kubernetes project sees the CVE as:

(conveniently and by intent, we can derive these from GitHub's issues API)

For adding open issues into the rendered HTML CVE feed, see #97

k8s-triage-robot commented 8 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 7 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

PushkarJ commented 7 months ago

This is planned to be done as part of beta to GA

/remove-lifecycle rotten

/remove-lifecycle stale

PushkarJ commented 7 months ago

/remove-lifecycle rotten

PushkarJ commented 4 months ago

Did some quick analysis. So wanted to share this here in preparation for implementing this:

REST API: https://docs.github.com/en/rest/issues/issues?apiVersion=2022-11-28#get-an-issue

Fields of interest: state (open / closed), state_reason

Possible values for state_reason: completed, not_planned, reopened, null

Actual values we want to translate them into for CVE Status:

state == open --> "open"
state == closed, state_reason == completed --> "fixed"
state == closed, state_reason == not_planned --> "unfixed"
state == open, state_reason == "reopened" --> "unknown"

Example:

personal-macbook:~ pushkarj$ curl -L   -H "Accept: application/vnd.github+json"    -H "X-GitHub-Api-Version: 2022-11-28"   https://api.github.com/repos/kubernetes/kubernetes/issues/124759
{
  "url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759",
  "repository_url": "https://api.github.com/repos/kubernetes/kubernetes",
  "labels_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/labels{/name}",
  "comments_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/comments",
  "events_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/events",
  "html_url": "https://github.com/kubernetes/kubernetes/issues/124759",
  "id": 2285943659,
  "node_id": "I_kwDOAToIks6IQLtr",
  "number": 124759,
  "title": "CVE-2024-3744: azure-file-csi-driver discloses service account tokens in logs",
  "user": {
    "login": "ritazh",
    "id": 1856066,
    "node_id": "MDQ6VXNlcjE4NTYwNjY=",
    "avatar_url": "https://avatars.githubusercontent.com/u/1856066?v=4",
    "gravatar_id": "",
    "url": "https://api.github.com/users/ritazh",
    "html_url": "https://github.com/ritazh",
    "followers_url": "https://api.github.com/users/ritazh/followers",
    "following_url": "https://api.github.com/users/ritazh/following{/other_user}",
    "gists_url": "https://api.github.com/users/ritazh/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/ritazh/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/ritazh/subscriptions",
    "organizations_url": "https://api.github.com/users/ritazh/orgs",
    "repos_url": "https://api.github.com/users/ritazh/repos",
    "events_url": "https://api.github.com/users/ritazh/events{/privacy}",
    "received_events_url": "https://api.github.com/users/ritazh/received_events",
    "type": "User",
    "site_admin": false
  },
  "labels": [
    {
      "id": 105146071,
      "node_id": "MDU6TGFiZWwxMDUxNDYwNzE=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/kind/bug",
      "name": "kind/bug",
      "color": "e11d21",
      "default": false,
      "description": "Categorizes issue or PR as related to a bug."
    },
    {
      "id": 116712923,
      "node_id": "MDU6TGFiZWwxMTY3MTI5MjM=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/area/security",
      "name": "area/security",
      "color": "d93f0b",
      "default": false,
      "description": null
    },
    {
      "id": 357119284,
      "node_id": "MDU6TGFiZWwzNTcxMTkyODQ=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/sig/auth",
      "name": "sig/auth",
      "color": "d2b48c",
      "default": false,
      "description": "Categorizes an issue or PR as relevant to SIG Auth."
    },
    {
      "id": 778118403,
      "node_id": "MDU6TGFiZWw3NzgxMTg0MDM=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/lifecycle/frozen",
      "name": "lifecycle/frozen",
      "color": "d3e2f0",
      "default": false,
      "description": "Indicates that an issue or PR should not be auto-closed due to staleness."
    },
    {
      "id": 1199275492,
      "node_id": "MDU6TGFiZWwxMTk5Mjc1NDky",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/committee/security-response",
      "name": "committee/security-response",
      "color": "c0ff4a",
      "default": false,
      "description": "Denotes an issue or PR intended to be handled by the product security committee."
    },
    {
      "id": 2389856656,
      "node_id": "MDU6TGFiZWwyMzg5ODU2NjU2",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/triage/accepted",
      "name": "triage/accepted",
      "color": "8fc951",
      "default": false,
      "description": "Indicates an issue or PR is ready to be actively worked on."
    },
    {
      "id": 3603068678,
      "node_id": "LA_kwDOAToIks7WwncG",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/official-cve-feed",
      "name": "official-cve-feed",
      "color": "0052cc",
      "default": false,
      "description": "Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)"
    }
  ],
  "state": "closed",
  "locked": false,
  "assignee": null,
  "assignees": [

  ],
  "milestone": null,
  "comments": 1,
  "created_at": "2024-05-08T16:02:57Z",
  "updated_at": "2024-05-15T00:45:12Z",
  "closed_at": "2024-05-15T00:45:12Z",
  "author_association": "MEMBER",
  "active_lock_reason": null,
  "body": "CVSS Rating: [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) - **MEDIUM** (6.5)\r\n\r\nA security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.  Tokens are only logged when [TokenRequests is configured in the CSIDriver object](https://kubernetes-csi.github.io/docs/token-requests.html) and the driver is set to run at log level 2 or greater via the -v flag.\r\n\r\nThis issue has been rated **MEDIUM** [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) (6.5), and assigned **CVE-2024-3744**\r\n\r\n### Am I vulnerable?\r\n\r\nYou may be vulnerable if [TokenRequests is configured in the CSIDriver object](https://kubernetes-csi.github.io/docs/token-requests.html) and the driver is set to run at log level 2 or greater via the -v flag.\r\n\r\nTo check if token requests are configured, run the following command:\r\n\r\nkubectl get csidriver file.csi.azure.com -o jsonpath=\"{.spec.tokenRequests}\"\r\n\r\nTo check if tokens are being logged, examine the secrets-store container log:\r\n\r\nkubectl logs csi-azurefile-controller-56bfddd689-dh5tk -c azurefile -f | grep --line-buffered \"csi.storage.k8s.io/serviceAccount.tokens\"\r\n\r\n#### Affected Versions\r\n\r\n- azure-file-csi-driver <= v1.29.3\r\n- azure-file-csi-driver v1.30.0\r\n\r\n### How do I mitigate this vulnerability?\r\n\r\nPrior to upgrading, this vulnerability can be mitigated by running azure-file-csi-driver at log level 0 or 1 via the -v flag.\r\n\r\n#### Fixed Versions\r\n\r\n- azure-file-csi-driver v1.29.4\r\n- azure-file-csi-driver v1.30.1\r\n\r\nTo upgrade, refer to the documentation: 
https://github.com/kubernetes-sigs/azurefile-csi-driver?tab=readme-ov-file#install-driver-on-a-kubernetes-cluster \r\n\r\n### Detection\r\n\r\nExamine cloud provider logs for unexpected token exchanges, as well as unexpected access to cloud resources.\r\n\r\nIf you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io\r\n\r\n#### Acknowledgements\r\n\r\nThis vulnerability was patched by Weizhi Chen @cvvz from Microsoft.\r\n\r\nThank You,\r\nRita Zhang on behalf of the Kubernetes Security Response Committee\r\n\r\n/triage accepted\r\n/lifecycle frozen\r\n/area security\r\n/kind bug\r\n/committee security-response",
  "closed_by": {
    "login": "ritazh",
    "id": 1856066,
    "node_id": "MDQ6VXNlcjE4NTYwNjY=",
    "avatar_url": "https://avatars.githubusercontent.com/u/1856066?v=4",
    "gravatar_id": "",
    "url": "https://api.github.com/users/ritazh",
    "html_url": "https://github.com/ritazh",
    "followers_url": "https://api.github.com/users/ritazh/followers",
    "following_url": "https://api.github.com/users/ritazh/following{/other_user}",
    "gists_url": "https://api.github.com/users/ritazh/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/ritazh/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/ritazh/subscriptions",
    "organizations_url": "https://api.github.com/users/ritazh/orgs",
    "repos_url": "https://api.github.com/users/ritazh/repos",
    "events_url": "https://api.github.com/users/ritazh/events{/privacy}",
    "received_events_url": "https://api.github.com/users/ritazh/received_events",
    "type": "User",
    "site_admin": false
  },
  "reactions": {
    "url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/reactions",
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
  },
  "timeline_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/timeline",
  "performed_via_github_app": null,
  "state_reason": "completed"
}
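The mapping above, carried through as an added example (not the SIG's own feed tooling) that turns a list of GitHub issue objects like the one shown into feed entries with a status field. Assumptions beyond what the comment states: only issues carrying the `official-cve-feed` label (visible in the response above) belong in the feed, the CVE ID is taken from the issue title, and every state/state_reason combination the mapping does not name (notably closed with a null state_reason, which GitHub returns for issues closed before it recorded a reason) falls back to "unknown" rather than silently becoming "fixed". The sample issues are constructed; only the first one is the real issue from the thread, trimmed to the fields the mapping reads.

```python
import json
import re

# Constructed sample issues in the shape of the GitHub REST API response shown
# above, trimmed to the fields the mapping reads. Only the first entry is the
# real issue from the thread; the others are made up to exercise every branch.
SAMPLE_ISSUES = [
    {"number": 124759, "state": "closed", "state_reason": "completed",
     "title": "CVE-2024-3744: azure-file-csi-driver discloses service account tokens in logs",
     "html_url": "https://github.com/kubernetes/kubernetes/issues/124759",
     "labels": [{"name": "official-cve-feed"}, {"name": "kind/bug"}]},
    {"number": 900001, "state": "open", "state_reason": None,
     "title": "CVE-0000-0001: constructed open issue",
     "html_url": "https://example.invalid/issues/900001",
     "labels": [{"name": "official-cve-feed"}]},
    {"number": 900002, "state": "closed", "state_reason": "not_planned",
     "title": "CVE-0000-0002: constructed won't-fix issue",
     "html_url": "https://example.invalid/issues/900002",
     "labels": [{"name": "official-cve-feed"}]},
    {"number": 900003, "state": "open", "state_reason": "reopened",
     "title": "CVE-0000-0003: constructed reopened issue",
     "html_url": "https://example.invalid/issues/900003",
     "labels": [{"name": "official-cve-feed"}]},
    {"number": 900004, "state": "closed", "state_reason": None,
     "title": "CVE-0000-0004: constructed issue closed before state_reason existed",
     "html_url": "https://example.invalid/issues/900004",
     "labels": [{"name": "official-cve-feed"}]},
    {"number": 900005, "state": "closed", "state_reason": "completed",
     "title": "Not a CVE: constructed issue without the feed label",
     "html_url": "https://example.invalid/issues/900005",
     "labels": [{"name": "kind/bug"}]},
]

CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def cve_status(issue):
    """Translate GitHub issue state / state_reason into a CVE feed status."""
    state = issue.get("state")
    reason = issue.get("state_reason")
    if state == "open":
        # Test the reopened case before the plain open case: both have
        # state == open and would otherwise collapse into "open".
        return "unknown" if reason == "reopened" else "open"
    if state == "closed" and reason == "completed":
        return "fixed"
    if state == "closed" and reason == "not_planned":
        return "unfixed"
    # Assumption: anything the mapping does not name (closed with a null
    # state_reason, or a value GitHub adds later) is reported as "unknown".
    # The feed should never claim a fix exists without evidence for it.
    return "unknown"


def is_feed_issue(issue):
    """Assumption: the feed is built only from issues with this label."""
    return any(l.get("name") == "official-cve-feed" for l in issue.get("labels", []))


def feed_entry(issue):
    match = CVE_ID.search(issue.get("title", ""))
    return {
        "id": match.group(0) if match else None,
        "issue_url": issue["html_url"],
        "summary": issue["title"],
        "status": cve_status(issue),
    }


def build_feed(issues):
    """Filter on the feed label and attach a status to each entry."""
    return [feed_entry(i) for i in issues if is_feed_issue(i)]


if __name__ == "__main__":
    print(json.dumps(build_feed(SAMPLE_ISSUES), indent=2))
```

Run against a real response, the input would be the JSON returned by the curl call above (one object per issue); the status branch order matters, because GitHub reports a reopened issue with state open, so checking `state == open` alone would never produce "unknown".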
jbiers commented 4 months ago

@PushkarJ is this issue waiting for contributions? I'm interested in getting involved in the sig-security :)

PushkarJ commented 3 months ago

Hi @jbiers yes please. We would love any help you can offer on this! Feel free to tag me with questions here or in #sig-security-tooling

jbiers commented 3 months ago

/assign

jbiers commented 3 months ago

A new status field was included in the PR mentioned above. This field is being exported into the JSON feed by default since it automatically includes all fields.

kubernetes/website#46996 by @sftim added different styling based on the CVE status to the rendered HTML. kubernetes/website#47000 by myself includes the new field in the RSS feed.

Should we close this issue as completed, or are any extra steps needed?

PushkarJ commented 3 months ago

Thank you so much for the excellent progress on this @jbiers, especially swiftly updating the RSS feed, and @sftim for setting the unfixed CVEs as bold.

Looking at the preview on my phone I don't see any currently listed CVEs in bold. Does that mean the existing list does not have any unfixed CVEs? (I am also looking at this from my phone, so not sure if that matters)

sftim commented 3 months ago

Yes, we don't have any vulnerabilities announced but with no published fix (this is typical / normal).

See https://github.com/kubernetes/website/pull/46996 for hints about how to preview if you have a desktop-type browser available.

PushkarJ commented 3 months ago

Ok thanks for confirmation. With this in place I will add a few that are unfixed in next few days and see what happens.

I believe the only thing remaining to close this and mark it as resolved is the PR merge that fixes https://github.com/kubernetes/website/issues/47003. I left a small comment on the issue to discuss potential notifications of old CVEs.

PushkarJ commented 3 months ago

On second thoughts https://github.com/kubernetes/website/issues/47003 is unrelated to translating issue status to CVE status so we can mark this as complete.

Thank you so much for working on this @jbiers !! We really appreciate you putting in the work and showing up :)

/close

k8s-ci-robot commented 3 months ago

@PushkarJ: Closing this issue.

In response to [this](https://github.com/kubernetes/sig-security/issues/98#issuecomment-2197485846):

>On second thoughts https://github.com/kubernetes/website/issues/47003 is unrelated to translating issue status to CVE status so we can mark this as complete.
>
>Thank you so much for working on this @jbiers !! We really appreciate you putting in the work and showing up :)
>
>/close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.