
CVE found with v0.8.19 #926

Closed
aaronfern opened this issue Jul 9, 2024 · 19 comments

Comments

@aaronfern

Vulnerability scan showed a CVE for NPD:v0.8.19

NVD

CVE-2023-4911
Published: 2023-10-03 - Modified: 2024-02-22
CVSS v3: 7.8
Description
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

This issue is to log this and ask when this would be fixed

@mounchin

A few more new CVEs

trivy image --severity LOW,MEDIUM,HIGH,CRITICAL --ignore-unfixed --exit-code 3 --exit-on-eol 7 --scanners vuln registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.19

Total: 8 (LOW: 0, MEDIUM: 2, HIGH: 6, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version   │                            Title                             │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libgnutls30    │ CVE-2024-28834 │ MEDIUM   │ fixed  │ 3.7.9-2+deb12u2   │ 3.7.9-2+deb12u3  │ gnutls: vulnerable to Minerva side-channel information leak  │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-28834                   │
│                ├────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2024-28835 │          │        │                   │                  │ gnutls: potential crash during chain building/verification   │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-28835                   │
├────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libsystemd-dev │ CVE-2023-50387 │ HIGH     │        │ 252.22-1~deb12u1  │ 252.23-1~deb12u1 │ bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50387                   │
│                ├────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-50868 │          │        │                   │                  │ bind9: Preparing an NSEC3 closest encloser proof can exhaust │
│                │                │          │        │                   │                  │ CPU resources                                                │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50868                   │
├────────────────┼────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│ libsystemd0    │ CVE-2023-50387 │          │        │                   │                  │ bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50387                   │
│                ├────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-50868 │          │        │                   │                  │ bind9: Preparing an NSEC3 closest encloser proof can exhaust │
│                │                │          │        │                   │                  │ CPU resources                                                │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50868                   │
├────────────────┼────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│ libudev1       │ CVE-2023-50387 │          │        │                   │                  │ bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50387                   │
│                ├────────────────┤          │        │                   │                  ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-50868 │          │        │                   │                  │ bind9: Preparing an NSEC3 closest encloser proof can exhaust │
│                │                │          │        │                   │                  │ CPU resources                                                │
│                │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2023-50868                   │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────┴──────────────────────────────────────────────────────────────┘
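The trivy table above counts each package/CVE pair as its own row (Total: 8), so CVE-2023-50387 and CVE-2023-50868 each show up three times for the systemd packages. As an added example (not code from the node-problem-detector project or from any commenter in this thread), the following Python script reads a Trivy `--format json` report, collapses it to unique CVEs with the packages they affect, applies the same severity and fixed-only filters as the command in this comment, and returns a non-zero code while a blocking finding remains. The JSON field names (Results[].Vulnerabilities[].VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Status) are assumed from Trivy's JSON output; the embedded report is constructed from the table above, and CVE-0000-0000 is a placeholder standing in for a finding with no fix yet.

```python
"""Summarise a Trivy JSON report by unique CVE rather than by package/CVE pair.

Added example, not part of node-problem-detector. Field names follow Trivy's
`--format json` output (assumed): Results[].Vulnerabilities[] entries carry
VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Status.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample modelled on the table in the thread (not real scanner output).
# CVE-0000-0000 is a placeholder standing in for a finding that has no fix yet.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "node-problem-detector:v0.8.19 (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-28834", "PkgName": "libgnutls30",
             "InstalledVersion": "3.7.9-2+deb12u2", "FixedVersion": "3.7.9-2+deb12u3",
             "Severity": "MEDIUM", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2023-50387", "PkgName": "libsystemd0",
             "InstalledVersion": "252.22-1~deb12u1", "FixedVersion": "252.23-1~deb12u1",
             "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2023-50387", "PkgName": "libudev1",
             "InstalledVersion": "252.22-1~deb12u1", "FixedVersion": "252.23-1~deb12u1",
             "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2023-50387", "PkgName": "libsystemd-dev",
             "InstalledVersion": "252.22-1~deb12u1", "FixedVersion": "252.23-1~deb12u1",
             "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "CVE-0000-0000", "PkgName": "libexample1",
             "InstalledVersion": "1.0-1", "FixedVersion": "",
             "Severity": "HIGH", "Status": "affected"},
        ],
    }]
})


def unique_findings(report_json, min_severity="MEDIUM", ignore_unfixed=True):
    """Collapse package-level rows into one entry per CVE.

    Returns {cve_id: {"severity", "packages", "fixed_version"}}. Entries below
    min_severity are dropped; with ignore_unfixed, entries with an empty
    FixedVersion are dropped too (the same filter as trivy --ignore-unfixed).
    """
    report = json.loads(report_json)
    found = {}
    for result in report.get("Results", []):
        # Trivy emits null instead of [] for a target with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[min_severity]:
                continue
            fixed_version = vuln.get("FixedVersion", "")
            if ignore_unfixed and not fixed_version:
                continue
            entry = found.setdefault(vuln["VulnerabilityID"], {
                "severity": severity, "packages": set(), "fixed_version": fixed_version})
            entry["packages"].add(vuln["PkgName"])
            # The same CVE may be rated differently per package; keep the worst rating.
            if SEVERITY_RANK[severity] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = severity
    return {cve: {"severity": e["severity"],
                  "packages": sorted(e["packages"]),
                  "fixed_version": e["fixed_version"]}
            for cve, e in found.items()}


def gate(report_json, fail_at="HIGH", ignore_unfixed=True):
    """CI-style gate returning (exit_code, report_lines).

    exit_code is 3 when any unique CVE at or above fail_at survives the filters
    (mirroring --exit-code 3 in the trivy command above), else 0.
    """
    findings = unique_findings(report_json, min_severity="LOW", ignore_unfixed=ignore_unfixed)
    lines = [f"{cve}  {e['severity']:<8} {', '.join(e['packages'])}  "
             f"fixed in {e['fixed_version'] or 'n/a'}"
             for cve, e in sorted(findings.items())]
    blocking = [cve for cve, e in findings.items()
                if SEVERITY_RANK[e["severity"]] >= SEVERITY_RANK[fail_at]]
    return (3 if blocking else 0), lines


if __name__ == "__main__":
    # Usage: python3 this_script.py report.json  (report from `trivy image --format json ...`);
    # with no argument the constructed sample above is summarised instead.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, report_lines = gate(data)
    print("\n".join(report_lines) or "no findings after filtering")
    sys.exit(code)
```

Keying on the CVE rather than the package gives a count that matches what a release actually has to fix (two distinct systemd CVEs, not six rows), while the per-package list still tells you which binaries in the image pick up the fix on rebuild.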

@jranabahu

Our scans show additional CVEs to the ones reported above. Please find the complete list (including some of the ones mentioned earlier) of CVEs reported against this image.

image

@jingxu97
Contributor

jingxu97 commented Aug 8, 2024

Wondering if someone would like to submit a CL to update golang, go mod etc. to resolve those CVEs?

@wangzhen127
Member

Wondering if someone would like to submit a CL to update golang, go mod etc. to resolve those CVEs?

This is covered by weekly deps update. It is usually auto generated on Fridays.

@AnishShah

@hakman does dep-bot update Go version as well? or just Go modules/pkgs?

@wangzhen127
Member

Looks like the dep-bot does not update golang version: #935

@jranabahu

Can we please get an update on when to expect a new release with these CVEs fixed?

@PelagicGames

Bump! It would be great to get a 0.8.20 release to address these CVEs in a tagged release

@ChristinaJShafer

Bump. Any update on when a new release might come out?

@wangzhen127
Member

Looks like golang version update in go.mod is not covered still. @jingxu97 are you able to take a look?

@PelagicGames

We are still awaiting a 0.8.20 release for this. How do we go about expediting a new release? I see that the last 5 were within 3-4 months (i.e. less than 1 month per release), but it's now been over 4 months since 0.8.19, and we're getting flagged for CVEs until a new release is declared.

@wangzhen127
Member

We updated golang last week. @PelagicGames Can you help verify if all the CVEs are fixed at head commit? I can cut a new release this week after confirmation.

@PelagicGames

Will try to do that today :)

@PelagicGames

@wangzhen127, I've just run a trivy scan and that's not showing any CVEs against head

@wangzhen127
Member

Thanks for the verification! We are investigating the presubmit issue #970. Will make a release after the fix.

@wangzhen127
Member

The issue is unblocked. Will make a new release later this week.

@wangzhen127
Member

v0.8.20 has been released.

/close

@k8s-ci-robot
Contributor

@wangzhen127: Closing this issue.

In response to this:

v0.8.20 has been released.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
