Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

7 High Security vulnerability on latest CSI-attacher:v4.3.0 sidecar image #459

Closed
praveenkprabhakaran opened this issue Jul 12, 2023 · 7 comments
Closed

7 High Security vulnerability on latest CSI-attacher:v4.3.0 sidecar image #459

praveenkprabhakaran opened this issue Jul 12, 2023 · 7 comments
Assignees
@coulof

Comments

@praveenkprabhakaran
Copy link

The following 7 high severity CVEs, which are listed in the prisma cloud's container image scan report and they were just released along with CSI powerflex version 2.7.0. Are there any solutions for these vulnerabilities flagged against "csi-attacher:v4.3.0" sidecar image ? If anyone encounters these vulnerabilities , Please provide advice on how to address these vulnerabilities.

CVE-2023-29400
CVE-2023-29405
CVE-2023-24540
CVE-2023-29404
CVE-2023-24539
CVE-2023-29403
CVE-2023-29402

Detailed description of above CVEs:-

"CVE-2023-29400": [
{
"cve": "CVE-2023-29400",
"packageName": "go",
"packageVersion": "1.20.3",
"severity": "High",
"actionable": true,
"fixedInVersion": "fixed in 1.20.4, 1.19.9",
"fixDate": 1684793000,
"desc": "Templates containing actions in unquoted HTML attributes (e.g. \"attr={{.}}\") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.",
"type": "image",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29400"
}
],
"CVE-2023-29405": [
{
"cve": "CVE-2023-29405",
"packageName": "go",
"packageVersion": "1.20.3",
"severity": "High",
"actionable": true,
"fixedInVersion": "fixed in 1.20.5, 1.19.10",
"fixDate": 1686927000,
"desc": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.",
"type": "image",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29405"
}
],
"CVE-2023-24540": [
{
"cve": "CVE-2023-24540",
"packageName": "go",
"packageVersion": "1.20.3",
"severity": "High",
"actionable": true,
"fixedInVersion": "fixed in 1.20.4, 1.19.9",
"fixDate": 1684793000,
"desc": "Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set \"\\t\n\\f\r\\u0020\\u2028\\u2029\" in JavaScript contexts that also contain actions may not be properly sanitized during execution.",
"type": "image",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24540"
}
],
"CVE-2023-29404": [
{
"cve": "CVE-2023-29404",
"packageName": "go",
"packageVersion": "1.20.3",
"severity": "High",
"actionable": true,
"fixedInVersion": "fixed in 1.20.5, 1.19.10",
"fixDate": 1686927000,
"desc": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.",
"type": "image",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29404"
}
],
"CVE-2023-24539": [
{
"cve": "CVE-2023-24539",
"packageName": "go",
"packageVersion": "1.20.3",
"severity": "High",
"actionable": true,
"fixedInVersion": "fixed in 1.20.4, 1.19.9",
"fixDate": 1684793000,
"desc": "Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a \'/\' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.",
"type": "image",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-24539"
}
],
"CVE-2023-29403": [
{
"cve": "CVE-2023-29403",
"packageName": "go",
"packageVersion": "1.20.3",
"severity": "High",
"actionable": true,
"fixedInVersion": "fixed in 1.20.5, 1.19.10",
"fixDate": 1686899000,
"desc": "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.",
"type": "image",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29403"
}
],
"CVE-2023-29402": [
{
"cve": "CVE-2023-29402",
"packageName": "go",
"packageVersion": "1.20.3",
"severity": "High",
"actionable": true,
"fixedInVersion": "fixed in 1.20.5, 1.19.10",
"fixDate": 1686942000,
"desc": "The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via \"go get\", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).",
"type": "image",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29402"
}
]
},
@praveenkprabhakaran
Copy link
Author

What happened:
The following 7 high severity CVEs, which are listed in the prisma cloud's container image scan report and they were just released along with CSI powerflex version 2.7.0. Are there any solutions for these vulnerabilities flagged against "csi-attacher:v4.3.0" sidecar image ? If anyone encounters these vulnerabilities , Please provide advice on how to address these vulnerabilities.
[CVE-2023-29400]

[CVE-2023-29405]
[CVE-2023-24540]

[CVE-2023-29404]

[CVE-2023-24539]

[CVE-2023-29403]
[CVE-2023-29402]

What you expected to happen:
we would like to know how to address these vulnerabilities. 
Prisma should not find any HIGH, CRITICAL, MEDIUM CVEs when scanning artifacts.

How to reproduce it:
Can scan this csi sidecar image CSI-attacher:v4.3.0 through prism cloud container image scanner.
 
Anything else we need to know?:
Environment:
OS version for node
RHEL8

K8s version used
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.0", GitCommit:"1b4df30b3cdfeaba6024e81e559a6cd09a089d65", GitTreeState:"clean", BuildDate:"2023-04-11T17:04:23Z", GoVersion:"go1.20.3", Compiler:"gc", Platform:"darwin/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"24+", GitVersion:"v1.24.6-mirantis-1", GitCommit:”@****, GitTreeState:"clean", BuildDate:"2022-09-22T00:34:29Z", GoVersion:"go1.18.6", Compiler:"gc", Platform:"linux/amd64"}
WARNING: version difference between client (1.27) and server (1.24) exceeds the supported minor version skew of +/-1

Scanning Tool Used: Prisma Cloud

@coulof
Copy link

coulof commented Aug 1, 2023

/assign

@coulof coulof mentioned this issue Aug 2, 2023
Merged
@coulof
Copy link

coulof commented Aug 2, 2023

Thanks @praveenkprabhakaran for reporting these.

From my point of view, only CVE-2023-29403 might be meaningful in the context of the execution of the external-attacher.

Once that PR is merged kubernetes-csi/csi-release-tools#231 ; the future releases of the CSI sidecars won't be affected by above CVEs.

@coulof coulof mentioned this issue Aug 3, 2023
Closed
@coltonfreeman26
Copy link

Good day all,
I figured I would use this issue instead of opening a new one, but with version 4.4.2 there are more findings in regards to the golang version 1.20.5. All of which are resolved with version 1.20.10. Scan tools used, Anchore and Twistlock.

CVE-2023-29406
CVE-2023-29409
CVE-2023-39318
CVE-2023-39319
CVE-2023-39323
CVE-2023-39325

Please let me know if you need more info.

@msau42
Copy link
Collaborator

msau42 commented Dec 28, 2023

We have released updated versions of v4.4.x to address CVE issues. I would recommend upgrading to the latest. Unfortunately CVE patching is a manual process and if you need fixes for older supported minors please send PRs.

@jsafrane
Copy link
Contributor

/close

@k8s-ci-robot
Copy link
Contributor

@jsafrane: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@coulof coulof

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@jsafrane @k8s-ci-robot @msau42 @coulof @coltonfreeman26 @praveenkprabhakaran