
Internal containers have long pending security CVEs: nginx, hostpath-provisioner, coredns #4087

Closed
maxshlain opened this issue Jul 17, 2023 · 5 comments

@maxshlain

Summary

Internal containers have long pending security CVEs: nginx, hostpath-provisioner, coredns
Installed version: MicroK8s v1.27.2 revision 5372

What Should Happen Instead?

Use latest containers that have no high-severity security CVEs open

Reproduction Steps

  1. Install latest microk8s with core addons enabled: dns, hostpath, ingress
  2. Execute security scanner (we used Wiz)
  3. Observe scanner report:

container nginx has vulnerable packages

| Severity | Package | Current version | Fixed version | CVEs (NVD) | Wiz suggested remediation |
|---|---|---|---|---|---|
| critical | libcurl | 7.83.1-r4 | 7.83.1-r6, 8.1.0-r0 | CVE-2023-23914, CVE-2023-28322 | apk upgrade libcurl |
| critical | curl | 7.83.1-r4 | 7.83.1-r6, 8.1.0-r0 | CVE-2023-23914, CVE-2023-28322 | apk upgrade curl |
| high | libcurl | 7.83.1-r4 | 7.83.1-r6, 8.1.0-r0 | CVE-2023-28321, CVE-2023-28319, CVE-2023-23916, CVE-2023-27536, CVE-2023-27535, CVE-2023-27533, CVE-2023-27534, CVE-2022-43551 | apk upgrade libcurl |
| high | curl | 7.83.1-r4 | 7.83.1-r6, 8.1.0-r0 | CVE-2023-28321, CVE-2023-28319, CVE-2023-23916, CVE-2023-27536, CVE-2023-27535, CVE-2023-27533, CVE-2023-27534, CVE-2022-43551 | apk upgrade curl |
| high | cpe:2.3:a:f5:nginx | 1.21.6 | 1.22.1 | CVE-2022-41742 | none |
| high | github.com/opencontainers/runc | 1.1.4 | 1.1.5 | CVE-2023-27561 | go get -u github.com/opencontainers/runc |
| high | golang.org/x/net | 0.1.0 | 0.7.0, 0.1.1-0.20221104162952-702349b0e862 | CVE-2022-41723, CVE-2022-41721 | go get -u golang.org/x/net |
| high | libcrypto1.1 | 1.1.1s-r0 | 1.1.1t-r0, 1.1.1u-r0 | CVE-2023-0215, CVE-2023-0286, CVE-2023-2650, CVE-2022-4450, CVE-2023-0464 | apk upgrade libcrypto1.1 |
| high | libssl1.1 | 1.1.1s-r0 | 1.1.1t-r0, 1.1.1u-r0, 1.1.1t-r1 | CVE-2023-0215, CVE-2023-0286, CVE-2023-2650, CVE-2022-4450, CVE-2023-0464 | apk upgrade libssl1.1 |
| high | ncurses-libs | 6.3_p20220521-r0 | 6.3_p20220521-r1 | CVE-2023-29491 | apk upgrade ncurses-libs |
| high | ncurses-terminfo-base | 6.3_p20220521-r0 | 6.3_p20220521-r1 | CVE-2023-29491 | apk upgrade ncurses-terminfo-base |
| high | openssl | 1.1.1s-r0 | 1.1.1t-r0, 1.1.1u-r0, 1.1.1t-r1 | CVE-2023-0215, CVE-2023-0286, CVE-2023-2650, CVE-2022-4450, CVE-2023-0464 | apk upgrade openssl |

fix date: 01/24/2023, due date: 16.10.2023

container hostpath-provisioner has vulnerable packages (severity: high, path: /hostpath-provisioner)

| Package | Current version | Fixed version | CVEs (NVD) | Wiz suggested remediation |
|---|---|---|---|---|
| github.com/prometheus/client_golang | 1.11.0 | 1.11.1 | CVE-2022-21698 | go get -u github.com/prometheus/client_golang |
| golang.org/x/net | 0.0.0-20220114011407-0dd24b26b47d | 0.0.0-20220906165146-f3363e06e74c, 0.7.0 | CVE-2022-27664, CVE-2022-41723 | go get -u golang.org/x/net |
| golang.org/x/text | 0.3.7 | 0.3.8 | CVE-2022-32149 | go get -u golang.org/x/text |
| gopkg.in/yaml.v3 | 3.0.0-20210107192922-496545a6307b | 3.0.0-20220521103104-8f96da9f5d5e | CVE-2022-28948 | go get -u gopkg.in/yaml.v3 |

fix date: 16.05.2023, due date: 16.09.2023

Wiz container scan 28.06.23: https://hpe.sharepoint.com/:x:/s/Engineering/ESnwnCkacmJPiMv92-5F7DYB2aTPGseD5g9GCfityPLkKA?e=y0tcot

container coredns has vulnerable packages (severity: high, path: /coredns)

| Package | Current version | CVE (NVD) | Fixed version | Wiz suggested remediation |
|---|---|---|---|---|
| golang.org/x/net | 0.0.0-20220722155237-a158d28d115b | CVE-2022-27664 | 0.0.0-20220906165146-f3363e06e74c | go get -u golang.org/x/net |
| golang.org/x/net | 0.0.0-20220722155237-a158d28d115b | CVE-2022-32149 | 0.1.1-0.20221104162952-702349b0e862 | go get -u golang.org/x/net |
| golang.org/x/net | 0.0.0-20220722155237-a158d28d115b | CVE-2022-41723 | 0.7.0 | go get -u golang.org/x/net |
| golang.org/x/text | 0.3.7 | CVE-2022-32149 | 0.3.8 | go get -u golang.org/x/text |

Introspection Report

inspection-report-20230717_141007.tar.gz
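The scanner output above is flat "key: value" text with one block per package, and container and severity lines that apply to everything below them. The following is an added example (not code from this issue or from MicroK8s) that parses that layout into records and groups the CVEs per container and severity for triage; SAMPLE is a constructed excerpt in the same layout as the pasted report.

```python
# Added example (not the issue's or MicroK8s' code): parse the flattened Wiz findings
# pasted in the issue; SAMPLE is a constructed excerpt in the report's layout.
SAMPLE = """\
container nginx has vulnerable packages
severity: critical
package name: libcurl
current version: 7.83.1-r4
fixed version: 7.83.1-r6, 8.1.0-r0
NVD - CVE-2023-23914
wiz suggested remediation: apk upgrade libcurl
container coredns has vulnerable packages
severity: high
package name: golang.org/x/net
current version: 0.0.0-20220722155237-a158d28d115b
NVD - cve-2022-27664
fixed version: 0.0.0-20220906165146-f3363e06e74c
NVD - cve-2022-41723
fixed version: 0.7.0
wiz suggested remediation: go get -u golang.org/x/net
"""
FIELDS = {"current version": "current", "wiz suggested remediation": "remediation"}

def parse_wiz_report(text):
    # One finding per "package name" block; container/severity lines carry over to the packages below.
    findings, container, severity, cur = [], None, None, {"fixed": [], "cves": []}
    for line in map(str.strip, text.splitlines()):
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if line.startswith("container ") and line.endswith("has vulnerable packages"):
            container = line.split()[1]
        elif key == "severity":
            severity = val.lower()
        elif key == "package name":
            findings.append((cur := {"container": container, "severity": severity,
                                     "package": val, "fixed": [], "cves": []}))
        elif key in FIELDS:
            cur[FIELDS[key]] = val
        elif key == "fixed version":  # listed once per CVE in the coredns block
            cur["fixed"] += [v.strip() for v in val.split(",") if v.strip()]
        elif key.startswith("nvd - cve-"):  # CVE ids appear in mixed letter case
            cur["cves"].append(line.split("-", 1)[1].strip().upper())
    return findings

def cves_by_container(findings):
    # {container: {severity: set of CVE ids}} for triaging the scan output.
    out = {}
    for f in findings:
        out.setdefault(f["container"], {}).setdefault(f["severity"], set()).update(f["cves"])
    return out
```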

@ktsakalozos (Member)

Hi @maxshlain thank you for pointing out these issues. We have introduced checks that surface these issues and we are addressing them as we move forward.

@maxshlain (Author)

Hi @ktsakalozos! Thanks for the response. Can you please share with us more details about your plans? We are trying to reduce the number of known CVEs in our clusters. So before messing with microk8s internal containers we wanted to know if these issues are going to be addressed anytime soon.

@ktsakalozos (Member)

Hi @maxshlain,

Every PR triggers a job [1] that scans the repository of the project, the produced charm and some core container images for vulnerabilities.

Any CVEs that have to do with the base system used in the snap are addressed when Ubuntu addresses them.

CVEs related to k8s services are addressed by the upstream project, and we package them and release them in patch releases. Patch releases are (unless the user has disabled snap refreshes) applied transparently to the user when the snap refreshes.

Issues we find in workload containers are normally addressed in the main branch (see for example the updates on coredns, ingress and metrics server [2]) and need to be backported to the supported versions of MicroK8s. This backporting however needs to be done in a manner that does not break any users and/or backwards compatibility.

So to your question, yes some of the CVEs have been addressed in the main branch but the backporting is lagging behind.

[1] Scanning job: https://github.com/canonical/microk8s/blob/master/.github/workflows/build-snap.yml#L195
[2] https://github.com/canonical/microk8s/blob/master/.github/workflows/build-snap.yml#L195

@ISAF87 commented Oct 12, 2023

Does the same apply for the microk8s addons? e.g. Grafana in the observability addon?

stale bot commented Sep 6, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the inactive label Sep 6, 2024
@stale stale bot closed this as completed Oct 6, 2024