l7mp / stunner

A Kubernetes media gateway for WebRTC. Contact: info@l7mp.io
https://l7mp.io
MIT License

Is stunner FedRamp compliant? #119

Closed maksimu closed 9 months ago

maksimu commented 9 months ago

Just a random question, does anybody know if stunner will be approved to run in AWS FedRamp and then pass the audit? Any thoughts would be welcomed.

https://aws.amazon.com/compliance/fedramp/

rg0now commented 9 months ago

Currently there's no plan due to a lack of resources and financing, but we're not against it at all if there is a strong interest. Could you please give us motivations to go down that path? Is the lack of an audit blocking you from adopting STUNner?

maksimu commented 9 months ago

Could you please give us motivations to go down that path?

We are just exploring what to use for our new feature, we wanted to go with Coturn to run our own infrastructure for WebRTC, but we want the flexibility of what Stunner offers in k8s. So, we are just exploring our options at this point.

Is the lack of an audit blocking you from adopting STUNner?

No, nothing is blocking us at the moment; I'm thinking ahead of what might block us. I'll let you know if there are any issues with the audit if we go with STUNner.

rg0now commented 9 months ago

Thanks. One minor note: if you aim to deploy into Kubernetes then don't mess with coturn, STUNner is much better suited for anything cloud-native. So the question is not "coturn vs STUNner", but rather "shall we use Kubernetes for hosting our WebRTC service"? If the answer is no then coturn may be the better option. But if it's Kubernetes, then supporting coturn (let alone automatically scaling) will be an endless pain.

Just my (biased) 2 cents of course.

rg0now commented 9 months ago

Feel free to reopen if anything new comes up. We really need your input on this.

maksimu commented 9 months ago

if you aim to deploy into Kubernetes then don't mess with coturn, STUNner is much better suited for anything cloud-native. So the question is not "coturn vs STUNner", but rather "shall we use Kubernetes for hosting our WebRTC service"? If the answer is no then coturn may be the better option. But if it's Kubernetes, then supporting coturn (let alone automatically scaling) will be an endless pain.

Exactly, we want to have it running in k8s for several reasons (start new project in a container environment as well as make a POC of k8s internally using this).

Feel free to reopen if anything new comes up. We really need your input on this.

Definitely, I will get back to you once things progress, and if/when we do the assessment I'll update you.

Do you happen to have an example of a k8s manifest file that will set up STUNner similarly to coturn, where two clients will be connected from anywhere? And we will have many clients connected. I got something working so far, but I'm still trying to learn how STUNner works and also how k8s works; this is a new thing our company wants to experiment with. This is what I have so far. Do you see any issues with this setup?

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: stunner

---

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: stunner-gatewayclass
spec:
  controllerName: "stunner.l7mp.io/gateway-operator"
  parametersRef:
    group: "stunner.l7mp.io"
    kind: GatewayConfig
    name: stunner-gatewayconfig
    namespace: stunner
  description: "STUNner is a WebRTC media gateway for Kubernetes"

---

apiVersion: stunner.l7mp.io/v1
kind: GatewayConfig
metadata:
  name: stunner-gatewayconfig
  namespace: stunner
spec:
  realm: stunner.l7mp.io
  authRef:
    name: stunner-auth-secret
    namespace: stunner

---

apiVersion: v1
kind: Secret
metadata:
  name: stunner-auth-secret
  namespace: stunner
type: Opaque
stringData:
  type: "ephemeral"
  secret: "VERYSECURESTRING"

---

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: udp-gateway
  namespace: stunner
spec:
  gatewayClassName: stunner-gatewayclass
  listeners:
    - name: udp-listener
      port: 3478
      protocol: TURN-UDP
    - name: tcp-listener
      port: 3479
      protocol: TURN-TCP

---

apiVersion: stunner.l7mp.io/v1
kind: StaticService
metadata:
  name: static-svc
  namespace: stunner
spec:
  prefixes:
    - "0.0.0.0/0"

---

apiVersion: stunner.l7mp.io/v1
kind: UDPRoute
metadata:
  name: media-plane-route
  namespace: stunner
spec:
  parentRefs:
    # Both listeners (TURN-UDP on 3478 and TURN-TCP on 3479) are defined on
    # udp-gateway above, so the route only needs to attach to that one Gateway;
    # a parentRef to a Gateway that no manifest defines would simply dangle.
    - name: udp-gateway
  rules:
    - backendRefs:
        - name: static-svc
          namespace: stunner
```

rg0now commented 9 months ago

This setup will work only if you want to deploy STUNner over a public IP, but then you will have to deploy the dataplane into the host-network namespace like this:

```yaml
apiVersion: stunner.l7mp.io/v1
kind: Dataplane
metadata:
  name: default
spec:
  command:
  - stunnerd
  args:
  - -w
  - --udp-thread-num=32
  image: l7mp/stunnerd:dev
  hostNetwork: true
  resources:
    limits:
      cpu: 6      # make this as big as your nodes support
      memory: 2Gi # ditto
    requests:
      cpu: 6      # ditto
      memory: 2Gi # ditto
```

However, this is not the way most people deploy STUNner and very often it may not work as expected (in Kubernetes you never run pods on public IPs: it's not needed). So we recommend a better model that we call symmetric ICE mode: let all clients create a TURN allocation and let STUNner connect them. For this you don't need public IPs at all (apart from the single IP provided by the cloud load-balancer that is shared by all STUNner pods). Here is a detailed walkthrough to implement this.
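A reference lint for a manifest set like the one posted above, added here as an example; it is not code from this thread or from the STUNner project. The objects are constructed Python dicts mirroring the posted manifests plus the host-network Dataplane from the reply, so no YAML parser is needed. The resource kinds and field names are the page's; the check rules (unresolved parametersRef, authRef, gatewayClassName, parentRef and backendRef; a catch-all StaticService prefix; hostNetwork on the Dataplane) are this example's own and would run the same way over any set of such objects.

```python
"""Reference lint for a STUNner Gateway API manifest set.

Added example; not code from this issue thread or from the STUNner project.
The objects are constructed Python dicts mirroring the manifests posted above
(plus the host-network Dataplane from the reply), so no YAML parser is needed.
Field names follow the page; the check rules are this example's own.
"""
from collections import defaultdict

# Constructed inline from the posted manifests (already parsed).
MANIFESTS = [
    {"kind": "Namespace", "metadata": {"name": "stunner"}},
    {"kind": "GatewayClass", "metadata": {"name": "stunner-gatewayclass"},
     "spec": {"controllerName": "stunner.l7mp.io/gateway-operator",
              "parametersRef": {"group": "stunner.l7mp.io", "kind": "GatewayConfig",
                                "name": "stunner-gatewayconfig", "namespace": "stunner"}}},
    {"kind": "GatewayConfig",
     "metadata": {"name": "stunner-gatewayconfig", "namespace": "stunner"},
     "spec": {"realm": "stunner.l7mp.io",
              "authRef": {"name": "stunner-auth-secret", "namespace": "stunner"}}},
    {"kind": "Secret", "metadata": {"name": "stunner-auth-secret", "namespace": "stunner"},
     "type": "Opaque", "stringData": {"type": "ephemeral", "secret": "VERYSECURESTRING"}},
    {"kind": "Gateway", "metadata": {"name": "udp-gateway", "namespace": "stunner"},
     "spec": {"gatewayClassName": "stunner-gatewayclass",
              "listeners": [{"name": "udp-listener", "port": 3478, "protocol": "TURN-UDP"},
                            {"name": "tcp-listener", "port": 3479, "protocol": "TURN-TCP"}]}},
    {"kind": "StaticService", "metadata": {"name": "static-svc", "namespace": "stunner"},
     "spec": {"prefixes": ["0.0.0.0/0"]}},
    {"kind": "UDPRoute", "metadata": {"name": "media-plane-route", "namespace": "stunner"},
     "spec": {"parentRefs": [{"name": "udp-gateway"}, {"name": "tcp-gateway"}],
              "rules": [{"backendRefs": [{"name": "static-svc", "namespace": "stunner"}]}]}},
    {"kind": "Dataplane", "metadata": {"name": "default"}, "spec": {"hostNetwork": True}},
]


def _key(obj):
    """(namespace, name) of an object; cluster-scoped kinds get namespace None."""
    md = obj["metadata"]
    return (md.get("namespace"), md["name"])


def index_by_kind(manifests):
    """Map kind -> set of (namespace, name) so references can be resolved."""
    idx = defaultdict(set)
    for obj in manifests:
        idx[obj["kind"]].add(_key(obj))
    return idx


def lint_manifests(manifests):
    """Return findings as (level, message) tuples: 'error' for a reference that
    resolves to nothing, 'warn' for a setting that widens exposure."""
    idx = index_by_kind(manifests)
    out = []
    for obj in manifests:
        kind, spec = obj["kind"], obj.get("spec", {})
        ns, name = _key(obj)
        if kind == "GatewayClass":
            r = spec.get("parametersRef", {})
            if (r.get("namespace"), r.get("name")) not in idx[r.get("kind", "")]:
                out.append(("error", f"GatewayClass {name}: parametersRef {r.get('kind')} "
                                     f"{r.get('namespace')}/{r.get('name')} not found"))
        elif kind == "GatewayConfig":
            r = spec.get("authRef", {})
            if (r.get("namespace", ns), r.get("name")) not in idx["Secret"]:
                out.append(("error", f"GatewayConfig {ns}/{name}: authRef Secret "
                                     f"{r.get('name')} not found"))
        elif kind == "Gateway":
            if (None, spec.get("gatewayClassName")) not in idx["GatewayClass"]:
                out.append(("error", f"Gateway {ns}/{name}: gatewayClassName "
                                     f"{spec.get('gatewayClassName')} not found"))
        elif kind == "UDPRoute":
            # parentRef/backendRef namespaces default to the route's own namespace
            for p in spec.get("parentRefs", []):
                if (p.get("namespace", ns), p["name"]) not in idx["Gateway"]:
                    out.append(("error", f"UDPRoute {ns}/{name}: parentRef Gateway "
                                         f"{p['name']} does not exist"))
            for rule in spec.get("rules", []):
                for b in rule.get("backendRefs", []):
                    t = (b.get("namespace", ns), b["name"])
                    if t not in idx["StaticService"] and t not in idx["Service"]:
                        out.append(("error", f"UDPRoute {ns}/{name}: backendRef {b['name']} "
                                             f"matches no Service or StaticService"))
        elif kind == "StaticService":
            for prefix in spec.get("prefixes", []):
                if prefix in ("0.0.0.0/0", "::/0"):
                    out.append(("warn", f"StaticService {ns}/{name}: prefix {prefix} lets "
                                        f"allocations relay to any address; narrow it to the media backends"))
        elif kind == "Dataplane" and spec.get("hostNetwork"):
            out.append(("warn", f"Dataplane {name}: hostNetwork=true binds stunnerd on the node "
                                f"itself; only the public-IP model needs it"))
    return out


if __name__ == "__main__":
    for level, msg in lint_manifests(MANIFESTS):
        print(f"[{level}] {msg}")
```

Run as-is it reports one error (the route's second parentRef names a Gateway that no manifest defines) and two warnings (the catch-all backend prefix and hostNetwork); swap MANIFESTS for the output of a YAML loader to lint a real set.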

Megzo commented 9 months ago

Hi @maksimu,

Just a couple of comments from my side; maybe they will help you during your planning. But first of all, let me state that the whole STUNner team is from the EU, so in general we have very shallow knowledge of US public regulations :)

From the information I found about FedRAMP, I can say the following: FedRAMP is a standardized security assessment, authorization, and continuous monitoring process for Cloud Service Providers (CSPs) when they want to offer their managed services to US public entities. In our case, I feel this does not apply to STUNner, since we do not offer (yet :) ) a managed cloud service based on STUNner. I imagine that you would use STUNner in a Kubernetes environment running inside one of the major cloud providers: AWS, Azure or GCP; all of these are FedRAMP compliant. Then the question comes down to whether you can use STUNner as an open source project inside that Kubernetes environment. From what I could find on the internet, an open-source project should follow security best practices and adhere to relevant security standards defined by NIST so that a US public entity could use it. This NIST standard has many things defined, but a couple of relevant issues here:

On the license part STUNner is good to go, since we use MIT, whereas Coturn uses a non-standard license, so you might need to take a look at that. On the vulnerabilities part I can also say that we regularly do container scans on the latest releases and they do not have any known vulnerabilities (and probably we should do a better job of publishing these results). Whereas in Coturn's case, the latest release does contain some high risk vulnerabilities. Here are some scan results using Trivy:

controlplane $ trivy image l7mp/stunnerd        
2024-02-09T08:33:59.831Z        INFO    Number of language-specific files: 0
controlplane $ trivy image l7mp/stunner-gateway-operator
2024-02-09T08:34:05.249Z        INFO    Detected OS: debian
2024-02-09T08:34:05.250Z        INFO    Detecting Debian vulnerabilities...
2024-02-09T08:34:05.253Z        INFO    Number of language-specific files: 0

l7mp/stunner-gateway-operator (debian 11.8)
===========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

controlplane $ trivy image coturn/coturn
2024-02-09T08:34:22.424Z        INFO    Detected OS: debian
2024-02-09T08:34:22.425Z        INFO    Detecting Debian vulnerabilities...
2024-02-09T08:34:22.452Z        INFO    Number of language-specific files: 0

coturn/coturn (debian 12.4)
===========================
Total: 76 (UNKNOWN: 8, LOW: 60, MEDIUM: 6, HIGH: 2, CRITICAL: 0)

+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                  TITLE                  |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| apt              | CVE-2011-3374    | LOW      | 2.6.1             |               | It was found that apt-key in apt,       |
|                  |                  |          |                   |               | all versions, do not correctly...       |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-3374    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| bsdutils         | CVE-2022-0563    |          | 2.38.1-5          |               | util-linux: partial disclosure          |
|                  |                  |          |                   |               | of arbitrary files in chfn              |
|                  |                  |          |                   |               | and chsh when compiled...               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0563    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| coreutils        | CVE-2016-2781    |          | 9.1-1             |               | coreutils: Non-privileged               |
|                  |                  |          |                   |               | session can escape to the               |
|                  |                  |          |                   |               | parent session in chroot                |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2016-2781    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2017-18018   |          |                   |               | coreutils: race condition               |
|                  |                  |          |                   |               | vulnerability in chown and chgrp        |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2017-18018   |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| gcc-12-base      | CVE-2022-27943   |          | 12.2.0-14         |               | binutils: libiberty/rust-demangle.c     |
|                  |                  |          |                   |               | in GNU GCC 11.2 allows stack            |
|                  |                  |          |                   |               | exhaustion in demangle_const            |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27943   |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libapt-pkg6.0    | CVE-2011-3374    |          | 2.6.1             |               | It was found that apt-key in apt,       |
|                  |                  |          |                   |               | all versions, do not correctly...       |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-3374    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libatomic1       | CVE-2022-27943   |          | 12.2.0-14         |               | binutils: libiberty/rust-demangle.c     |
|                  |                  |          |                   |               | in GNU GCC 11.2 allows stack            |
|                  |                  |          |                   |               | exhaustion in demangle_const            |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27943   |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libblkid1        | CVE-2022-0563    |          | 2.38.1-5          |               | util-linux: partial disclosure          |
|                  |                  |          |                   |               | of arbitrary files in chfn              |
|                  |                  |          |                   |               | and chsh when compiled...               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0563    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libc-bin         | CVE-2010-4756    |          | 2.36-9+deb12u3    |               | glibc: glob implementation              |
|                  |                  |          |                   |               | can cause excessive CPU and             |
|                  |                  |          |                   |               | memory consumption due to...            |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-4756    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2018-20796   |          |                   |               | glibc: uncontrolled recursion in        |
|                  |                  |          |                   |               | function check_dst_limits_calc_pos_1    |
|                  |                  |          |                   |               | in posix/regexec.c                      |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20796   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010022 |          |                   |               | glibc: stack guard protection bypass    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010023 |          |                   |               | glibc: running ldd on malicious ELF     |
|                  |                  |          |                   |               | leads to code execution because of...   |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010024 |          |                   |               | glibc: ASLR bypass using                |
|                  |                  |          |                   |               | cache of thread stack and heap          |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010025 |          |                   |               | glibc: information disclosure of heap   |
|                  |                  |          |                   |               | addresses of pthread_created thread     |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-9192    |          |                   |               | glibc: uncontrolled recursion in        |
|                  |                  |          |                   |               | function check_dst_limits_calc_pos_1    |
|                  |                  |          |                   |               | in posix/regexec.c                      |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-9192    |
+------------------+------------------+          +                   +---------------+-----------------------------------------+
| libc6            | CVE-2010-4756    |          |                   |               | glibc: glob implementation              |
|                  |                  |          |                   |               | can cause excessive CPU and             |
|                  |                  |          |                   |               | memory consumption due to...            |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-4756    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2018-20796   |          |                   |               | glibc: uncontrolled recursion in        |
|                  |                  |          |                   |               | function check_dst_limits_calc_pos_1    |
|                  |                  |          |                   |               | in posix/regexec.c                      |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20796   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010022 |          |                   |               | glibc: stack guard protection bypass    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010023 |          |                   |               | glibc: running ldd on malicious ELF     |
|                  |                  |          |                   |               | leads to code execution because of...   |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010024 |          |                   |               | glibc: ASLR bypass using                |
|                  |                  |          |                   |               | cache of thread stack and heap          |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010025 |          |                   |               | glibc: information disclosure of heap   |
|                  |                  |          |                   |               | addresses of pthread_created thread     |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-9192    |          |                   |               | glibc: uncontrolled recursion in        |
|                  |                  |          |                   |               | function check_dst_limits_calc_pos_1    |
|                  |                  |          |                   |               | in posix/regexec.c                      |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-9192    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libgcc-s1        | CVE-2022-27943   |          | 12.2.0-14         |               | binutils: libiberty/rust-demangle.c     |
|                  |                  |          |                   |               | in GNU GCC 11.2 allows stack            |
|                  |                  |          |                   |               | exhaustion in demangle_const            |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27943   |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libgcrypt20      | CVE-2018-6829    |          | 1.10.1-3          |               | libgcrypt: ElGamal implementation       |
|                  |                  |          |                   |               | doesn't have semantic security due      |
|                  |                  |          |                   |               | to incorrectly encoded plaintexts...    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-6829    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libgnutls30      | CVE-2011-3389    |          | 3.7.9-2+deb12u1   |               | HTTPS: block-wise chosen-plaintext      |
|                  |                  |          |                   |               | attack against SSL/TLS (BEAST)          |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-3389    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libgssapi-krb5-2 | CVE-2004-0971    |          | 1.20.1-2+deb12u1  |               | security flaw                           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2004-0971    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2018-5709    |          |                   |               | krb5: integer overflow                  |
|                  |                  |          |                   |               | in dbentry->n_key_data                  |
|                  |                  |          |                   |               | in kadmin/dbutil/dump.c                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-5709    |
+------------------+------------------+          +                   +---------------+-----------------------------------------+
| libk5crypto3     | CVE-2004-0971    |          |                   |               | security flaw                           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2004-0971    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2018-5709    |          |                   |               | krb5: integer overflow                  |
|                  |                  |          |                   |               | in dbentry->n_key_data                  |
|                  |                  |          |                   |               | in kadmin/dbutil/dump.c                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-5709    |
+------------------+------------------+          +                   +---------------+-----------------------------------------+
| libkrb5-3        | CVE-2004-0971    |          |                   |               | security flaw                           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2004-0971    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2018-5709    |          |                   |               | krb5: integer overflow                  |
|                  |                  |          |                   |               | in dbentry->n_key_data                  |
|                  |                  |          |                   |               | in kadmin/dbutil/dump.c                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-5709    |
+------------------+------------------+          +                   +---------------+-----------------------------------------+
| libkrb5support0  | CVE-2004-0971    |          |                   |               | security flaw                           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2004-0971    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2018-5709    |          |                   |               | krb5: integer overflow                  |
|                  |                  |          |                   |               | in dbentry->n_key_data                  |
|                  |                  |          |                   |               | in kadmin/dbutil/dump.c                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-5709    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libldap-2.5-0    | CVE-2015-3276    |          | 2.5.13+dfsg-5     |               | openldap: incorrect multi-keyword       |
|                  |                  |          |                   |               | mode cipherstring parsing               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2015-3276    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2017-14159   |          |                   |               | openldap: Privilege escalation          |
|                  |                  |          |                   |               | via PID file manipulation               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2017-14159   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2017-17740   |          |                   |               | openldap:                               |
|                  |                  |          |                   |               | contrib/slapd-modules/nops/nops.c       |
|                  |                  |          |                   |               | attempts to free stack buffer           |
|                  |                  |          |                   |               | allowing remote attackers to cause...   |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2017-17740   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2020-15719   |          |                   |               | openldap: Certificate                   |
|                  |                  |          |                   |               | validation incorrectly                  |
|                  |                  |          |                   |               | matches name against CN-ID              |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-15719   |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libmount1        | CVE-2022-0563    |          | 2.38.1-5          |               | util-linux: partial disclosure          |
|                  |                  |          |                   |               | of arbitrary files in chfn              |
|                  |                  |          |                   |               | and chsh when compiled...               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0563    |
+------------------+                  +          +                   +---------------+                                         +
| libsmartcols1    |                  |          |                   |               |                                         |
|                  |                  |          |                   |               |                                         |
|                  |                  |          |                   |               |                                         |
|                  |                  |          |                   |               |                                         |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libsqlite3-0     | CVE-2021-45346   |          | 3.40.1-2          |               | sqlite: crafted SQL query               |
|                  |                  |          |                   |               | allows a malicious user to              |
|                  |                  |          |                   |               | obtain sensitive information...         |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-45346   |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libssl3          | CVE-2023-0286    | HIGH     | 3.0.11-1~deb12u2  |               | X.400 address type confusion            |
|                  |                  |          |                   |               | in X.509 GeneralName                    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0286    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2022-4304    | MEDIUM   |                   |               | Timing Oracle in RSA Decryption         |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-4304    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2022-4450    |          |                   |               | Double free after                       |
|                  |                  |          |                   |               | calling PEM_read_bio_ex                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-4450    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2023-0215    |          |                   |               | Use-after-free                          |
|                  |                  |          |                   |               | following BIO_new_NDEF                  |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0215    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2007-6755    | LOW      |                   |               | Dual_EC_DRBG: weak pseudo               |
|                  |                  |          |                   |               | random number generator                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2007-6755    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2010-0928    |          |                   |               | openssl: RSA authentication weakness    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-0928    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2022-4203    | UNKNOWN  |                   |               | -->avd.aquasec.com/nvd/cve-2022-4203    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2023-0216    |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0216    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2023-0217    |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0217    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2023-0401    |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0401    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libstdc++6       | CVE-2022-27943   | LOW      | 12.2.0-14         |               | binutils: libiberty/rust-demangle.c     |
|                  |                  |          |                   |               | in GNU GCC 11.2 allows stack            |
|                  |                  |          |                   |               | exhaustion in demangle_const            |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27943   |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libsystemd0      | CVE-2013-4392    |          | 252.19-1~deb12u1  |               | systemd: TOCTOU race condition          |
|                  |                  |          |                   |               | when updating file permissions          |
|                  |                  |          |                   |               | and SELinux security contexts...        |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2013-4392    |
+------------------+                  +          +                   +---------------+                                         +
| libudev1         |                  |          |                   |               |                                         |
|                  |                  |          |                   |               |                                         |
|                  |                  |          |                   |               |                                         |
|                  |                  |          |                   |               |                                         |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libuuid1         | CVE-2022-0563    |          | 2.38.1-5          |               | util-linux: partial disclosure          |
|                  |                  |          |                   |               | of arbitrary files in chfn              |
|                  |                  |          |                   |               | and chsh when compiled...               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0563    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| login            | CVE-2007-5686    |          | 1:4.13+dfsg1-1    |               | initscripts in rPath Linux 1            |
|                  |                  |          |                   |               | sets insecure permissions for           |
|                  |                  |          |                   |               | the /var/log/btmp file,...              |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2007-5686    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-19882   |          |                   |               | shadow-utils: local users can           |
|                  |                  |          |                   |               | obtain root access because setuid       |
|                  |                  |          |                   |               | programs are misconfigured...           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-19882   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2023-0634    |          |                   |               | An uncontrolled process                 |
|                  |                  |          |                   |               | operation was found in the              |
|                  |                  |          |                   |               | newgrp command provided by...           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0634    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| mount            | CVE-2022-0563    |          | 2.38.1-5          |               | util-linux: partial disclosure          |
|                  |                  |          |                   |               | of arbitrary files in chfn              |
|                  |                  |          |                   |               | and chsh when compiled...               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0563    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| openssl          | CVE-2023-0286    | HIGH     | 3.0.11-1~deb12u2  |               | X.400 address type confusion            |
|                  |                  |          |                   |               | in X.509 GeneralName                    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0286    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2022-4304    | MEDIUM   |                   |               | Timing Oracle in RSA Decryption         |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-4304    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2022-4450    |          |                   |               | Double free after                       |
|                  |                  |          |                   |               | calling PEM_read_bio_ex                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-4450    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2023-0215    |          |                   |               | Use-after-free                          |
|                  |                  |          |                   |               | following BIO_new_NDEF                  |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0215    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2007-6755    | LOW      |                   |               | Dual_EC_DRBG: weak pseudo               |
|                  |                  |          |                   |               | random number generator                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2007-6755    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2010-0928    |          |                   |               | openssl: RSA authentication weakness    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-0928    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2022-4203    | UNKNOWN  |                   |               | -->avd.aquasec.com/nvd/cve-2022-4203    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2023-0216    |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0216    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2023-0217    |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0217    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2023-0401    |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0401    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| passwd           | CVE-2007-5686    | LOW      | 1:4.13+dfsg1-1    |               | initscripts in rPath Linux 1            |
|                  |                  |          |                   |               | sets insecure permissions for           |
|                  |                  |          |                   |               | the /var/log/btmp file,...              |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2007-5686    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-19882   |          |                   |               | shadow-utils: local users can           |
|                  |                  |          |                   |               | obtain root access because setuid       |
|                  |                  |          |                   |               | programs are misconfigured...           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-19882   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2023-0634    |          |                   |               | An uncontrolled process                 |
|                  |                  |          |                   |               | operation was found in the              |
|                  |                  |          |                   |               | newgrp command provided by...           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2023-0634    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| perl-base        | CVE-2011-4116    |          | 5.36.0-7+deb12u1  |               | perl: File::Temp insecure               |
|                  |                  |          |                   |               | temporary file handling                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-4116    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| tar              | CVE-2005-2541    |          | 1.34+dfsg-1.2     |               | tar: does not properly warn the user    |
|                  |                  |          |                   |               | when extracting setuid or setgid...     |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2005-2541    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2022-48303   |          |                   |               | tar: a heap buffer overflow             |
|                  |                  |          |                   |               | at from_header() in list.c              |
|                  |                  |          |                   |               | via specially crafter...                |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-48303   |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| util-linux       | CVE-2022-0563    |          | 2.38.1-5          |               | util-linux: partial disclosure          |
|                  |                  |          |                   |               | of arbitrary files in chfn              |
|                  |                  |          |                   |               | and chsh when compiled...               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0563    |
+------------------+                  +          +                   +---------------+                                         +
| util-linux-extra |                  |          |                   |               |                                         |
|                  |                  |          |                   |               |                                         |
|                  |                  |          |                   |               |                                         |
|                  |                  |          |                   |               |                                         |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+

I hope this helps a bit.

maksimu commented 9 months ago

Hi @Megzo, thank you for the info. Updating libraries and other things is one thing, but as I remember we also had to make sure our backend is FIPS compliant, which means that you will have to have FIPS-compliant cryptography libraries (don't have old encryptions, etc.). For example, Coturn in v4.6.2 had to make some changes to OpenSSL.

So, for now we are using Coturn since we had our POC servers running it, but there is no scalability nor monitoring; for now I'll be manually making sure things are working. Plus our DevOps is not comfortable with K8s.

But I'm really trying to push STUNner as I believe in its capabilities.

Regarding pushing to FedRamp, I'm just doing some research in general; it will take us a long time to get anything into that environment, but I'll keep you posted.

maksimu commented 9 months ago

Oh, and while I have you on the "line", can you check this setup to see if I'm missing anything? I've tried to make a quick run in EKS, but it didn't work and I didn't have much time to debug and figure out what is going on.

apiVersion: v1
kind: Namespace
metadata:
  name: stunner

---

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass                                    # Official doc: https://docs.l7mp.io/en/latest/GATEWAY/#gatewayclass
metadata:
  name: stunner-gatewayclass
spec:
  controllerName: "stunner.l7mp.io/gateway-operator"
  parametersRef:
    group: "stunner.l7mp.io"
    kind: GatewayConfig
    name: stunner-gatewayconfig
    namespace: stunner
  description: "STUNner is a WebRTC media gateway for Kubernetes"

---

apiVersion: stunner.l7mp.io/v1
kind: GatewayConfig
metadata:
  name: stunner-gatewayconfig
  namespace: stunner
spec:
  logLevel: "all:DEBUG,turn:DEBUG"
  realm: connect.keepersecurity.com
  authRef:
    name: stunner-auth-secret
    namespace: stunner

---

apiVersion: v1
kind: Secret
metadata:
  name: stunner-auth-secret
  namespace: stunner
type: Opaque
stringData:
  type: "ephemeral"
  secret: "SecretString123"

---

# Gateways describe the STUN/TURN server listeners exposed to clients.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: udp-gateway
  namespace: stunner
spec:
  gatewayClassName: stunner-gatewayclass
  listeners:  # Listener config docs: https://docs.l7mp.io/en/latest/GATEWAY/#listener-configuration
    - name: udp-listener
      port: 3478
      protocol: TURN-UDP

---

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tcp-gateway
  namespace: stunner
spec:
  gatewayClassName: stunner-gatewayclass
  listeners:
    - name: tcp-listener
      port: 3478
      protocol: TURN-TCP

---

apiVersion: stunner.l7mp.io/v1
kind: UDPRoute
metadata:
  name: stunner-headless
  namespace: stunner
spec:
  parentRefs:
    - name: udp-gateway
    - name: tcp-gateway
  rules:
    - backendRefs:
        - name: stunner
          namespace: stunner

---
# make sure the stunner service exists, otherwise the above route will be useless
apiVersion: v1
kind: Service
metadata:
  name: stunner
  namespace: stunner
spec:
  selector:
    app: stunner
  ports:
    - name: stunner-port-3478-udp
      port: 3478
      protocol: UDP
      targetPort: 3478
#    - name: stunner-port-3478-tcp
#      port: 3478
#      protocol: TCP
#      targetPort: 3478
  type: ClusterIP

# Info about the cluster:
#  kubectl get gatewayconfigs,gateways,udproutes.stunner.l7mp.io -n stunner

If I can prove to our DevOps that we can run STUNner as easily as just deploying this kind of file, then we might just go with it.

Thank you

levaitamas commented 9 months ago

Hi @maksimu !

At first glance, your config looks correct. Since you mentioned you are using EKS, my guess is that the AWS-specific load balancer annotations are missing, thus the UDP LoadBalancer services are not working. Some pointers here: https://github.com/l7mp/stunner/issues/32 and here: https://discord.com/channels/945255818494902282/1176557763585916978/1184414645038092330
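The EKS point above, as an added example that is not part of the thread or of STUNner's own docs: the udp-gateway from the posted config with AWS Load Balancer Controller annotations added. It assumes the AWS Load Balancer Controller is installed in the cluster and that STUNner copies Gateway annotations onto the LoadBalancer Service it creates for the Gateway.

```yaml
# Added example (not from the thread): the posted udp-gateway, annotated for EKS.
# Assumes the AWS Load Balancer Controller is installed and that STUNner copies
# Gateway annotations onto the LoadBalancer Service it creates.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: udp-gateway
  namespace: stunner
  annotations:
    # Hand the Service to the AWS Load Balancer Controller, which provisions a
    # Network Load Balancer. The default in-tree path provisions a Classic ELB,
    # which cannot forward UDP, so a TURN-UDP listener never becomes reachable.
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    # Send NLB traffic straight to pod IPs (VPC CNI) instead of through NodePorts.
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    # TURN clients sit outside the VPC, so the NLB has to be public.
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
spec:
  gatewayClassName: stunner-gatewayclass
  listeners:
    - name: udp-listener
      port: 3478
      protocol: TURN-UDP
```

The same annotations go on tcp-gateway. After applying, `kubectl get svc -n stunner` should show an NLB hostname under EXTERNAL-IP for the Service created for each Gateway; a Service stuck at `<pending>` means the annotations were not picked up.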

maksimu commented 9 months ago

That did it! Thank you!