
Multiple CVE detected in latest "helm-chart-4.1.0 | ingress-nginx/controller:v1.2.0" release #8520

Closed
DataMinded opened this issue Apr 29, 2022 · 24 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@DataMinded

DataMinded commented Apr 29, 2022

Issue Details
Multiple CVE detected in latest "helm-chart-4.1.0" release

Image k8s.gcr.io/ingress-nginx/controller@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f918
ID sha256:04fcc70194086eb9118c8a015dc455c0f7f0249b10346f8b03f97d86ae99fb0c
OS distribution Alpine Linux v3.14
OS release 3.14.6
Digest sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185

Severity : critical
Package : go
Description : go version 1.17.6 has 5 vulnerabilities

CVE-2022-23806
Fixed in: 1.17.7, 1.16.14

CVE-2022-24675
Fixed in: 1.17.9, 1.8.1

CVE-2022-24921
Fixed in: 1.17.8, 1.16.15

CVE-2022-23772
Fixed in: 1.17.7, 1.16.14

CVE-2022-23773
Fixed in: 1.17.7, 1.16.14


Severity : high
Package : ncurses
Description : ncurses (used in ncurses-libs, ncurses-terminfo-base) version 6.2_p20210612-r0 has 1 vulnerability

CVE-2022-29458
Fixed in: 6.3_p20211120-r0


Severity : low
Package : curl
Description : curl (used in libcurl, curl) version 7.79.1-r0 has 4 vulnerabilities

CVE-2022-27774
Fixed in: 7.79.1-r1

CVE-2022-27775
Fixed in: 7.79.1-r1

CVE-2022-27776
Fixed in: 7.79.1-r1

CVE-2022-22576
Fixed in: 7.79.1-r1

Can someone help me out so we can get a new release? It seems a few packages need bumping; help appreciated.

@DataMinded DataMinded added the kind/bug Categorizes issue or PR as related to a bug. label Apr 29, 2022
@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Apr 29, 2022
@longwuyuan
Contributor

Grype confirms it. Please wait till the maintainers schedule the update.

✔ Vulnerability DB [updated]
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [120 packages]
✔ Scanned image [14 vulnerabilities]
[0023] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
curl 7.79.1-r0 7.79.1-r1 apk CVE-2022-27774 Unknown
curl 7.79.1-r0 7.79.1-r1 apk CVE-2022-27775 Unknown
curl 7.79.1-r0 7.79.1-r1 apk CVE-2022-22576 Unknown
curl 7.79.1-r0 7.79.1-r1 apk CVE-2022-27776 Unknown
google.golang.org/protobuf v1.28.0 go-module CVE-2021-22570 High
google.golang.org/protobuf v1.28.0 go-module CVE-2015-5237 High
libcurl 7.79.1-r0 7.79.1-r1 apk CVE-2022-22576 Unknown
libcurl 7.79.1-r0 7.79.1-r1 apk CVE-2022-27774 Unknown
libcurl 7.79.1-r0 7.79.1-r1 apk CVE-2022-27775 Unknown
libcurl 7.79.1-r0 7.79.1-r1 apk CVE-2022-27776 Unknown

/triage-accepted
/priority important-soon

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority labels Apr 29, 2022
@longwuyuan
Contributor

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 29, 2022
@rikatz
Contributor

rikatz commented May 10, 2022

We are going to make a new release to fix some bugs, and this will enter in this new release.

@tomasAlabes

@rikatz could you confirm if the latest release 1.3.0 / 4.2.0 contain these fixes? I couldn't find any CVE reference in the release notes.

@DataMinded
Author

DataMinded commented Jul 20, 2022

@rikatz @tomasAlabes
The new 4.2.0 | v1.3.0 definitely looks better, but there is a new CVE-2022-30065 in there.

In short : busybox (used in ssl_client, busybox) version 1.35.0-r14 has 1 vulnerability,
bumping to busybox 1.35.0-r15 should fix the problem.

Who should we notify for a new build?
It would be nice to see a perfect vulnerability score in Prisma Cloud for this image.

@tao12345666333
Member

@DataMinded Which version of Alpine Linux contains this fix?

@DataMinded
Author

@tao12345666333

I found this alpinelinux/docker-alpine#264 (comment), which says CVE-2022-30065 is still present in the 3.16.1 image.

Also, as per this alpinelinux/docker-alpine#264 (comment):

alpine 3.16.1 is supposed to fix GHSA-gq73-rh3m-3php according to the release notes: https://www.alpinelinux.org/posts/Alpine-3.16.1-released.html

but it may still be present. I am unsure whether 3.16.1 has the fix.

@longwuyuan
Contributor

longwuyuan commented Jul 21, 2022

% grype `k -n ingress-nginx get po ingress-nginx-controller-6bf7bc7f94-8f5s8 -o yaml |  grep -i registry | grep -v imageID | awk '{print $2}'`
 ✔ Vulnerability DB        [updated]
 ✔ Parsed image
 ✔ Cataloged packages      [120 packages]
 ✔ Scanned image           [5 vulnerabilities]
[0031]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME                        INSTALLED   FIXED-IN    TYPE       VULNERABILITY   SEVERITY
busybox                     1.35.0-r14  1.35.0-r15  apk        CVE-2022-30065  High
google.golang.org/protobuf  v1.28.0                 go-module  CVE-2015-5237   High
google.golang.org/protobuf  v1.28.0                 go-module  CVE-2021-22570  High
ssl_client                  1.35.0-r14  1.35.0-r15  apk        CVE-2022-30065  High
% docker run  -it alpine:3.16.1 sh
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.16.1
PRETTY_NAME="Alpine Linux v3.16"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
/ # apk list | grep -i busybox
busybox-1.35.0-r15 x86_64 {busybox} (GPL-2.0-only) [installed]
ssl_client-1.35.0-r15 x86_64 {busybox} (GPL-2.0-only) [installed]
/
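The comment above does by hand what a maintainer has to do before every release: read the grype table, see which findings already have a fixed package version, and check whether the candidate base image actually ships that version. The following script automates that triage. It is an added example written for this thread, not code from the ingress-nginx project or from grype; the two sample inputs are the grype table and the `apk list` lines posted in the comment above, and the apk version comparison is a simplified one (numeric components only), as noted in the code.

```python
"""Triage helper for grype's table output.

Added example for this issue thread, not part of ingress-nginx or grype. It
parses the fixed-width table grype prints and answers two questions a
maintainer asks before cutting a release: which findings have a fixed package
version available, and whether a candidate base image (here, the `apk list`
output from alpine:3.16.1 posted in the same comment) would clear the apk findings.
"""
import re
from collections import defaultdict

# Sample input copied from the thread: grype table for controller v1.3.0
# (trailing whitespace removed). The column alignment is what grype printed.
SAMPLE_GRYPE_TABLE = """\
NAME                        INSTALLED   FIXED-IN    TYPE       VULNERABILITY   SEVERITY
busybox                     1.35.0-r14  1.35.0-r15  apk        CVE-2022-30065  High
google.golang.org/protobuf  v1.28.0                 go-module  CVE-2015-5237   High
google.golang.org/protobuf  v1.28.0                 go-module  CVE-2021-22570  High
ssl_client                  1.35.0-r14  1.35.0-r15  apk        CVE-2022-30065  High
"""

# Sample input copied from the thread: `apk list | grep -i busybox` inside alpine:3.16.1.
SAMPLE_APK_LIST = """\
busybox-1.35.0-r15 x86_64 {busybox} (GPL-2.0-only) [installed]
ssl_client-1.35.0-r15 x86_64 {busybox} (GPL-2.0-only) [installed]
"""


def parse_grype_table(text):
    """Parse grype's aligned table into a list of dicts keyed by header name.

    The FIXED-IN column is blank when no fixed version is known, so splitting
    on whitespace would shift fields; instead each row is sliced at the
    character offsets where the header words start.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    columns = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(columns):
            end = columns[i + 1][1] if i + 1 < len(columns) else None
            row[name] = line[start:end].strip()
        rows.append(row)
    return rows


def summarize(findings):
    """Split findings by CVE into those fixable by a package bump and those with no fix yet."""
    fixable, unfixed = defaultdict(set), defaultdict(set)
    for f in findings:
        if f["FIXED-IN"]:
            fixable[f["VULNERABILITY"]].add((f["NAME"], f["INSTALLED"], f["FIXED-IN"]))
        else:
            unfixed[f["VULNERABILITY"]].add((f["NAME"], f["INSTALLED"]))
    return dict(fixable), dict(unfixed)


def apk_version_key(version):
    """Simplified apk version ordering: numeric components only
    (1.35.0-r15 -> (1, 35, 0, 15)). Real apk ordering also handles suffixes
    such as _rc/_p; this is enough for the release/patch bumps seen here."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_apk_list(text):
    """Map package name -> version from `apk list` output lines."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+?)-(\d\S*)\s", line)
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def still_affected(findings, base_pkgs):
    """CVEs from apk findings that a base image with base_pkgs would NOT clear:
    no fixed version known, package absent from the candidate list, or the
    candidate version still older than FIXED-IN. Go-module findings are skipped
    because they live in the controller binary, not in the base image."""
    remaining = set()
    for f in findings:
        if f["TYPE"] != "apk":
            continue
        have = base_pkgs.get(f["NAME"])
        if not f["FIXED-IN"] or have is None or apk_version_key(have) < apk_version_key(f["FIXED-IN"]):
            remaining.add(f["VULNERABILITY"])
    return remaining


if __name__ == "__main__":
    findings = parse_grype_table(SAMPLE_GRYPE_TABLE)
    fixable, unfixed = summarize(findings)
    print("fixable by package bump:", sorted(fixable))
    print("no fix known yet:", sorted(unfixed))
    base = parse_apk_list(SAMPLE_APK_LIST)
    print("apk CVEs still present with alpine:3.16.1 packages:", still_affected(findings, base) or "none")
```

Run against the thread's own data it reports CVE-2022-30065 as fixable and cleared by the 3.16.1 package set, while the two protobuf findings stay in the "no fix known" bucket, which matches why they survived from the April scan to the July one: a base-image bump cannot touch a Go module compiled into the controller.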

@LianwMS

LianwMS commented Jul 25, 2022

I also found that the new version 1.3.0 is impacted by the busybox vulnerability CVE-2022-30065.

@longwuyuan
Contributor

We have updated to alpine v3.16.1 with patches for busybox & ssl_client. It will be released later.

@DataMinded
Author

> We have updated to alpine v3.16.1 with patches for busybox & ssl_client. It will be released later.

Sorry to ask, since you guys are probably busy with other stuff, but is this not a version-bump hotfix release?

As it concerns a security issue, would it not be the best path to make a fast release with a fix (a patch/hotfix release; not sure what the correct terminology is here)? As for new features, I understand there is a point to the code freeze, but a security fix we should try to get out as soon as it is available.

Just trying to better understand the working method here. Thanks in advance.

@longwuyuan
Contributor

@DataMinded true, security-based fixes should come sooner rather than later.

In this case, busybox itself is not directly in play while using ingress objects, and ssl_client is used internally by the controller. So this is an acceptable risk in the context of the timelines feasible/possible for releasing binaries with patched bits for those 2 CVEs.

The situation now is that the already complicated/manual release process gets even more complicated (with cherry-picking needed for tons of stuff, etc.), not to mention the lack of developer time.

@DataMinded
Author

> @DataMinded true, security-based fixes should come sooner rather than later.
>
> In this case, busybox itself is not directly in play while using ingress objects, and ssl_client is used internally by the controller. So this is an acceptable risk in the context of the timelines feasible/possible for releasing binaries with patched bits for those 2 CVEs.
>
> The situation now is that the already complicated/manual release process gets even more complicated (with cherry-picking needed for tons of stuff, etc.), not to mention the lack of developer time.

@longwuyuan Thanks a lot for the explanation. Indeed I do not know the full context to make that distinction, but that sounds like good reasoning.

@kgusarov

kgusarov commented Aug 2, 2022

> @DataMinded true, security-based fixes should come sooner rather than later.
>
> In this case, busybox itself is not directly in play while using ingress objects, and ssl_client is used internally by the controller. So this is an acceptable risk in the context of the timelines feasible/possible for releasing binaries with patched bits for those 2 CVEs.
>
> The situation now is that the already complicated/manual release process gets even more complicated (with cherry-picking needed for tons of stuff, etc.), not to mention the lack of developer time.

Thanks! I understand your pain in cherry-picking stuff. Hope to see fixes soon.

P.S. From time to time we experience pain (especially in Aliyun Cloud) when Security Center blindly creates a Critical Security Incident based on the findings and we have to patch everything ASAP (or at least describe why busybox won't affect us and provide at least some rough ETA for a fix).

@longwuyuan
Contributor

Yeah, my guess is that the ssl_client vulnerability is causing the busybox CVE as well, but I'm not absolutely sure, because busybox itself is a bunch of stuff. openssl is patched and this CVE points at the ssl_client. So my guess is that the ssl_client binaries do not initiate any connection to out-of-cluster destinations, unless someone tries to connect to something on the internet from inside the controller (like a download instruction, etc.).

Understood the cloud problem. We aim to release as soon as feasible.

@DataMinded
Author

Just as a note, the 4.2.1 release does not contain a fix for this.

@longwuyuan
Contributor

Yes, it will appear in an app version upgrade. This one is just a chart version upgrade.

@LianwMS

LianwMS commented Aug 23, 2022

Hi @longwuyuan, may I know when the fixed version will be released?

@DataMinded
Author

Just as a note, releases 4.2.2 & 4.2.3 still do NOT contain a fix for this CVE.

@longwuyuan
Contributor

If everything looks good, there will be a discussion on making the release this week or next week.

@LianwMS

LianwMS commented Sep 2, 2022

Any update?

@longwuyuan
Contributor

longwuyuan commented Sep 2, 2022 via email

@DataMinded
Author

The controller-v1.3.1 does not contain any CVEs according to Prisma Cloud, yay!
Now we wait for a chart release.

@DataMinded
Author

Guess we can close this issue now.

controller-v1.3.1 / helm-chart-4.2.5 resolves the CVEs addressed in the OP.

Thanks for all the help & comments.
