CVEs reported in v1.25.37

[jignesh01]

Our Security Scanning tools have identified Medium CVE in tigera operator. Can you please review this and help us with an update on following:

1. Documentation that explains the mitigation strategy that we can apply to reduce the severity level
2. Details on when is this going to be fixed with the expected version number and if its already fixed which version number is it fixed in.

CVEs reported:

• CVE-2020-8912: A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket; which can then alLow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later; and re-encrypt your files.

• github.com/aws/aws-sdk-go module prior to v1.34.0 is vulnerable to Arbitrary File Read. Users with reading access can recover the unencrypted S3 bucket content without accessing the encryption key. (This one is reported by our Prisma security scanning tool)

CVEs found in version: v1.25.37

[codechris1]

Hello Tigera operator team is there any update in this Issue?. Thank you!

[jignesh01]

Hello team,

Is there any update on this?

[tmjd]

The version specified in the initial message does not exist but I think the currently released (prior to Oct 31, 2022) versions do include versions of the aws-sdk-go prior to v1.34.0 (That version fixes both CVEs resported) so do utilize the vulnerable code.

The code that uses the aws-sdk-go library is only utilized when using OpenShift on AWS, so if you are not using both of those then the impacted code is not used. If you are running on OpenShift on AWS there is probably no attack vector as the code runs as a one time Job that ensures AWS Security groups allow the traffic that Calico needs and then the Job is done.

The library has been updated in master to v1.44 so hopefully the CVEs should not be alerted.

I hope this helps.

[tmjd]

Newer versions have addressed this.