Vulnerabilities on V1.9 #855

Closed
tamilselvan1588 opened this issue Oct 10, 2024 · 12 comments · Fixed by #857

Comments


tamilselvan1588 commented Oct 10, 2024

We have identified some critical vulnerabilities in v1.9. Can you provide the solution to resolve the vulnerabilities?

| Vulnerability ID | Type | Description |
|---|---|---|
| CVE-2022-1586 | OS | An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT. |
| CVE-2022-1587 | OS | An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers. |
| CVE-2022-37434 | OS | zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). |
| CVE-2024-37371 | OS | In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. |
| CVE-2021-46848 | OS | GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der. |
| CVE-2023-24540 | go | Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. |
| CVE-2023-24538 | go | Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. |
| CVE-2022-23806 | go | Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. |
tamilselvan1588 changed the title from "Vulnerabilities on V" to "Vulnerabilities on V1.19" on Oct 10, 2024
@andyzhangx (Member)

what is this CVE? the latest version of smb csi driver is v1.16.0

tamilselvan1588 (Author) commented Oct 10, 2024

We are currently using the following Helm version for the CSI Driver SMB. However, we have received several critical vulnerability alerts for this version.

Can you please guide us to resolve the vulnerabilities?

```hcl
resource "helm_release" "csi_smb" {
  name       = "csi-driver-smb"
  repository = "https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts"
  chart      = "csi-driver-smb"
  namespace  = "kube-system"
  version    = "v1.9.0"
}
```

tamilselvan1588 changed the title from "Vulnerabilities on V1.19" to "Vulnerabilities on V1.9" on Oct 11, 2024
@tamilselvan1588 (Author)

We have upgraded the csi-driver-smb to v1.16.0 but there is still a critical vulnerability. Can you help us to resolve the issue?

CVE-2024-24790 416 fail go critical net/netip 1.22.3   9.8 fixed in 1.21.11, 1.22.4

andyzhangx (Member) commented Oct 13, 2024

does gcr.io/k8s-staging-sig-storage/smbplugin:canary work?

```console
# trivy image --ignore-unfixed gcr.io/k8s-staging-sig-storage/smbplugin:canary
2024-10-13T01:07:42.495Z        INFO    Vulnerability scanning is enabled
2024-10-13T01:07:42.495Z        INFO    Secret scanning is enabled
2024-10-13T01:07:42.495Z        INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2024-10-13T01:07:42.495Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2024-10-13T01:07:42.499Z        INFO    Detected OS: debian
2024-10-13T01:07:42.499Z        INFO    Detecting Debian vulnerabilities...
2024-10-13T01:07:42.519Z        INFO    Number of language-specific files: 1
2024-10-13T01:07:42.519Z        INFO    Detecting gobinary vulnerabilities...

gcr.io/k8s-staging-sig-storage/smbplugin:canary (debian 12.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
# trivy image gcr.io/k8s-staging-sig-storage/smbplugin:canary | grep 24790
2024-10-13T03:41:29.068Z        INFO    Vulnerability scanning is enabled
2024-10-13T03:41:29.068Z        INFO    Secret scanning is enabled
2024-10-13T03:41:29.068Z        INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2024-10-13T03:41:29.068Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2024-10-13T03:41:29.073Z        INFO    Detected OS: debian
2024-10-13T03:41:29.073Z        INFO    Detecting Debian vulnerabilities...
2024-10-13T03:41:29.088Z        INFO    Number of language-specific files: 1
2024-10-13T03:41:29.088Z        INFO    Detecting gobinary vulnerabilities...
```

@tamilselvan1588 (Author)

I have upgraded the plugin version to 1.16 but one critical vulnerability is still there. Need your support to resolve the vulnerabilities on v1.16.

@andyzhangx (Member)

> I have upgraded the plugin version to 1.16 but one critical vulnerability is still there. Need your support to resolve the vulnerabilities on v1.16.

@tamilselvan1588 what CVE are you hitting now?

@tamilselvan1588 (Author)

> I have upgraded the plugin version to 1.16 but one critical vulnerability is still there. Need your support to resolve the vulnerabilities on v1.16.
>
> @tamilselvan1588 what CVE are you hitting now?

Here are the vulnerability details.

| Field | Value |
|---|---|
| Repository | sig-storage/smbplugin |
| Tag | v1.16.0 |
| Distro | debian-bookworm |
| CVE ID | CVE-2024-24790 |
| Result | fail |
| Type | go |
| Severity | critical |
| Packages | net/netip |
| Source Package | |
| Package Version | 1.22.3 |
| Package License | |
| CVSS | 9.8 |
| Fix Status | fixed in 1.21.11, 1.22.4 |
| Grace Days | |
| Risk Factors | Attack complexity: low, Attack vector: network, Critical severity, DoS - High, Has fix, Recent vulnerability |
| Vulnerability Tags | |
| Description | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. |
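The net/netip defect reported in that row is small enough to show in code. The following is an added example, not code from csi-driver-smb or from anyone in this thread: it contrasts the raw Is* calls with a check that normalises IPv4-mapped addresses through Unmap() first, which yields the correct answer whether or not the toolchain carries the 1.21.11 / 1.22.4 fix. The sample addresses are constructed and the guard function isInternalAddr is hypothetical.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed sample input: IPv4 addresses beside their IPv4-mapped IPv6 forms
// (::ffff:a.b.c.d), which is how a dual-stack socket reports an IPv4 peer.
var sampleAddrs = []string{
	"127.0.0.1", "::ffff:127.0.0.1",
	"10.0.0.5", "::ffff:10.0.0.5",
	"169.254.1.1", "::ffff:169.254.1.1",
	"8.8.8.8", "::ffff:8.8.8.8",
}

// classifyRaw returns what the Is* methods report for the address as given.
// On the affected toolchains (before Go 1.21.11 / 1.22.4, per the CVE text) the
// mapped forms return false, so a check built on these calls misses them.
func classifyRaw(a netip.Addr) (loopback, private, linkLocal bool) {
	return a.IsLoopback(), a.IsPrivate(), a.IsLinkLocalUnicast()
}

// classifyUnmapped is the mitigation: Unmap() returns the embedded IPv4 address
// for ::ffff:a.b.c.d and leaves any other address unchanged, on any Go version.
func classifyUnmapped(a netip.Addr) (loopback, private, linkLocal bool) {
	u := a.Unmap()
	return u.IsLoopback(), u.IsPrivate(), u.IsLinkLocalUnicast()
}

// isInternalAddr is a hypothetical guard (not from csi-driver-smb) that flags
// loopback, private and link-local targets regardless of how they are spelled.
func isInternalAddr(s string) (bool, error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	lo, pr, ll := classifyUnmapped(a)
	return lo || pr || ll, nil
}

func main() {
	for _, s := range sampleAddrs {
		a := netip.MustParseAddr(s)
		l1, p1, k1 := classifyRaw(a)
		l2, p2, k2 := classifyUnmapped(a)
		fmt.Printf("%-20s raw(loop=%v priv=%v ll=%v)  unmapped(loop=%v priv=%v ll=%v)\n",
			s, l1, p1, k1, l2, p2, k2)
	}
}
```

Running it on a Go 1.22.3 binary shows the raw and unmapped columns disagreeing for every ::ffff: row; on a fixed toolchain they agree.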

@andyzhangx (Member)

it's related to kubernetes/k8s.io#6908 (comment), the golang version of this image build is still using 1.22.3, that's a common upstream image build issue, if you want to get it fixed quickly, you could build the image by yourself using fixed golang version.

@tamilselvan1588 (Author)

Sure, thanks. I will try.

tamilselvan1588 closed this as not planned (won't fix, can't repro, duplicate, stale) on Oct 17, 2024
@andyzhangx (Member)

@tamilselvan1588 this is fixed by #857, which uses go 1.22.5 to build image, pls try gcr.io/k8s-staging-sig-storage/smbplugin:canary again, thx

@kropiwnickij

@andyzhangx is there a timeline to release v1.17 which includes fixes for the above reported CVEs?

@andyzhangx (Member)

> @andyzhangx is there a timeline to release v1.17 which includes fixes for the above reported CVEs?

@kropiwnickij it should be in next month
