Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE high security vulnerabilities found in image: quay.io/brancz/kube-rbac-proxy:v0.15.0 #271

Closed
janezhen08 opened this issue Nov 17, 2023 · 14 comments
Closed

CVE high security vulnerabilities found in image: quay.io/brancz/kube-rbac-proxy:v0.15.0 #271

janezhen08 opened this issue Nov 17, 2023 · 14 comments
Labels
not a CVE for kube-rbac-proxy It doesn't affect the kube-rbac-proxy project

Comments

@janezhen08
Copy link

janezhen08 commented Nov 17, 2023
edited
Loading

Hello Team,

We are using this image: quay.io/brancz/kube-rbac-proxy:v0.15.0 and inside of this image, we have scanned out two high security vulnerabilities. Could you help fix them?

 grype quay.io/brancz/kube-rbac-proxy:v0.15.0
 ✔ Vulnerability DB        [updated]
New version of grype is available: 0.73.2 (currently running: 0.63.0)
 ✔ Pulled image            
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [95 packages]
 ✔ Scanning image...       [6 vulnerabilities]
   ├── 0 critical, 4 high, 2 medium, 0 low, 0 negligible
   └── 4 fixed

NAME                                                                         INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY 
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc  v0.20.0    0.46.0    go-module  GHSA-8pgv-569h-w5rw  High      
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp                v0.20.0    0.44.0    go-module  GHSA-rcjv-mgp8-qvmr  High      
google.golang.org/grpc                                                       v1.47.0    1.56.3    go-module  GHSA-m425-mq94-257g  High      
google.golang.org/grpc                                                       v1.47.0    1.56.3    go-module  GHSA-qppj-fm5r-hxr3  Medium  


trivy image quay.io/brancz/kube-rbac-proxy:v0.15.0                                      
2023-11-17T10:13:31.134+0800	INFO	Vulnerability scanning is enabled
2023-11-17T10:13:31.134+0800	INFO	Secret scanning is enabled
2023-11-17T10:13:31.134+0800	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-17T10:13:31.134+0800	INFO	Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-11-17T10:13:35.689+0800	INFO	Detected OS: debian
2023-11-17T10:13:35.689+0800	INFO	Detecting Debian vulnerabilities...
2023-11-17T10:13:35.690+0800	INFO	Number of language-specific files: 1
2023-11-17T10:13:35.690+0800	INFO	Detecting gobinary vulnerabilities...

quay.io/brancz/kube-rbac-proxy:v0.15.0 (debian 11.8)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/local/bin/kube-rbac-proxy (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 3, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
│                           Library                            │    Vulnerability    │ Severity │ Installed Version │     Fixed Version      │                           Title                            │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108      │ HIGH     │ v0.20.0           │ 0.46.0                 │ otelgrpc DoS vulnerability due to unbound cardinality      │
│ rg/grpc/otelgrpc                                             │                     │          │                   │                        │ metrics                                                    │
│                                                              │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-47108                 │
├──────────────────────────────────────────────────────────────┼─────────────────────┤          │                   ├────────────────────────┼────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/net/http/otelht- │ CVE-2023-45142      │          │                   │ 0.44.0                 │ opentelemetry: DoS vulnerability in otelhttp               │
│ tp                                                           │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-45142                 │
├──────────────────────────────────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                                       │ GHSA-m425-mq94-257g │          │ v1.47.0           │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                   │
│                                                              │                     │          │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g          │
│                                                              ├─────────────────────┼──────────┤                   ├────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-44487      │ MEDIUM   │                   │ 1.58.3, 1.57.1, 1.56.3 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable │
│                                                              │                     │          │                   │                        │ to a DDoS attack...                                        │
│                                                              │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                 │
└──────────────────────────────────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────┴────────────────────────────────────────────────────────────┘

You need to upgrade go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc in https://github.com/brancz/kube-rbac-proxy/blob/master/go.mod#L69 from v0.20.0 to v0.46.0 and also go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp in https://github.com/brancz/kube-rbac-proxy/blob/master/go.mod#L70 from v0.20.0 to v0.44.0 and google.golang.org/grpc in https://github.com/brancz/kube-rbac-proxy/blob/master/go.mod#L91 from v1.47.0 to v1.56.3

Thanks

Jane
@ibihim
Copy link
Collaborator

ibihim commented Dec 12, 2023

Thx for reporting this to us. We will create an update.

Most of the times the CVEs don't impact us directly, as we don't use those code paths.

@ibihim
Copy link
Collaborator

ibihim commented Dec 12, 2023

Those are indirect dependencies. I would need to bump k8s.io, which would lead to a potential err on everyone using deprecated flags. I need to check how to resolve this.

@janezhen08
Copy link
Author

thanks so much for working on this, appreciated.

@ibihim
Copy link
Collaborator

ibihim commented Dec 20, 2023

Hm, as I am working on that, I am surprised that it claims that we have go.opentelemetry.io/contrib/instrumentation v0.20.0.

We have already a replace directive to bump it to v0.44.0. So CVE-2023-45142 shouldn't be reported. I hope your tool interprets replace directives.

@ibihim
Copy link
Collaborator

ibihim commented Dec 20, 2023

The CVEs are related to the HTTP/2 issue, right? We added the capability to disable HTTP/2.

@janezhen08
Copy link
Author

The tool: trivy or grype are open source vulnerabilities scan tools, you can install them on your machine and scan the image.

Not sure if you can upgrade the dependency according to below instructions?

image

thanks

Jane

@ibihim
Copy link
Collaborator

ibihim commented Feb 2, 2024

Oh, thanks for the hint. I will check them out!

@ibihim
Copy link
Collaborator

ibihim commented Feb 7, 2024

#276, should solve it.

@Uttkarsh
Copy link

With v0.16.0 only otelgrpc remained as go.mod has v0.42.0 and fix is in v0.46.0
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH │ v0.20.0 │ 0.46.0 │ otelgrpc DoS vulnerability due to unbound cardinality │ │ rg/grpc/otelgrpc

@janezhen08
Copy link
Author

@ibihim there is still one high security vuln which needs to be fixed:

grype quay.io/brancz/kube-rbac-proxy:v0.16.0
 ✔ Vulnerability DB                [updated]  
 ✔ Parsed image                                                                                   sha256:2e4f0cff00eb27ccf559d9e80b7f4f46c673dcab0979aa1838718df415d4c1ee
 ✔ Cataloged packages              [101 packages]  
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]  
   ├── by severity: 0 critical, 1 high, 0 medium, 0 low, 0 negligible
   └── by status:   1 fixed, 0 not-fixed, 0 ignored 
[0040]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME                                                                         INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY 
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc  v0.42.0    0.46.0    go-module  GHSA-8pgv-569h-w5rw  High

Affected code: https://github.com/brancz/kube-rbac-proxy/blob/release-0.16.0/go.mod#L72

Could you help fix it?

thanks

Jane

@ibihim
Copy link
Collaborator

ibihim commented Mar 18, 2024
edited
Loading

Hi,

I will take a look, but CVEs in dependencies that are not within the code path of kube-rbac-proxy are not a priority. kube-rbac-proxy doesn't use any instrumentation itself.

I am the only maintainer and I need to prioritize and code changes to satisfy code scanners are not at the top. (In case you are curious: 1. Real CVEs, 2. Bugs, 3. the work to make it a kubernetes project is).

It is especially annoying to fix if upstream doesn't care too:
kubernetes/kubernetes#121338 (comment)

@ibihim ibihim added the not a CVE for kube-rbac-proxy It doesn't affect the kube-rbac-proxy project label Mar 18, 2024
@ibihim
Copy link
Collaborator

ibihim commented Mar 25, 2024

Should be fixed with: #287

@cam0200
Copy link

cam0200 commented May 16, 2024

@ibihim it looks like CVE-2023-45142 reappeared in v0.17.1 as the go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp version in go.mod decreased from 0.44.0 to 0.35.1

v0.17.0 with fixed version
v0.17.1 downgraded to 0.35.1

@ibihim
Copy link
Collaborator

ibihim commented Jun 5, 2024

Should be fixed. If not, please reopen. #298

@ibihim ibihim closed this as completed Jun 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
not a CVE for kube-rbac-proxy It doesn't affect the kube-rbac-proxy project
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Uttkarsh @ibihim @janezhen08 @cam0200