
Fix CRITICAL CVEs #110

Merged: 4 commits merged into main on Jul 25, 2024

Conversation

@tuladhar (Contributor) commented Jul 24, 2024

Important

The CVEs for the Go stdlib will be handled separately, as they come from the Go version used by the architect orb.

Towards https://github.com/giantswarm/giantswarm/issues/31374

Summary

This PR fixes 3 CRITICAL CVEs in the dex library by upgrading to v2.35.0.

go get -v github.com/dexidp/dex@e4bceef9f3d1ff97a12fbbdb464047c5f1fac8b5
go mod tidy

Note

As recommended by the maintainers of dex, the best way to upgrade the dex library is to use a commit hash via go get.

Scanned image: docker.io/giantswarm/dex-operator:0.12.1

dex-operator (gobinary)

Total: 4 (CRITICAL: 4)

┌───────────────────────┬────────────────┬──────────┬────────┬──────────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │  Installed Version   │  Fixed Version  │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼──────────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/dexidp/dex │ CVE-2020-26290 │ CRITICAL │ fixed  │ v2.13.0+incompatible │ 2.27.0          │ Critical security issues in XML encoding in                 │
│                       │                │          │        │                      │                 │ github.com/dexidp/dex                                       │
│                       │                │          │        │                      │                 │ https://avd.aquasec.com/nvd/cve-2020-26290                  │
│                       ├────────────────┤          │        │                      │                 ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2020-27847 │          │        │                      │                 │ dexidp/dex: authentication bypass in saml authentication    │
│                       │                │          │        │                      │                 │ https://avd.aquasec.com/nvd/cve-2020-27847                  │
│                       ├────────────────┤          │        │                      ├─────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-39222 │          │        │                      │ 2.35.0          │ dexidp: gaining access to applications accepting that token │
│                       │                │          │        │                      │                 │ https://avd.aquasec.com/nvd/cve-2022-39222                  │
├───────────────────────┼────────────────┤          │        ├──────────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                │ CVE-2024-24790 │          │        │ 1.21.3               │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for  │
│                       │                │          │        │                      │                 │ IPv4-mapped IPv6 addresses                                  │
│                       │                │          │        │                      │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                  │
└───────────────────────┴────────────────┴──────────┴────────┴──────────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘

Release Checklist

  • Test dex-operator in golem, and ensure it's working.

@tuladhar tuladhar self-assigned this Jul 24, 2024
@tuladhar tuladhar changed the title Bump dex library to v2.27.0 Fix CRITICAL CVEs in dex library Jul 24, 2024
@tuladhar (Contributor, Author) commented Jul 24, 2024

Important

It still reports CVEs because the Dex library Go module doesn't use semver and the version mismatches with the trivy database, see here:

However, we will no longer be affected by the CVEs.

The security team should add these CVEs to .trivyignore, as the Dex library version we are using is actually from v2.35.0.

trivy image --quiet --severity CRITICAL quay.io/giantswarm/dex-operator:0.12.1-325f6ad34116ff1df5d86afb34ee2d5b5d6ab319
dex-operator (gobinary)

Total: 4 (CRITICAL: 4)

┌───────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │         Installed Version          │  Fixed Version  │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/dexidp/dex │ CVE-2020-26290 │ CRITICAL │ fixed  │ v0.0.0-20221003101923-e4bceef9f3d1 │ 2.27.0          │ Critical security issues in XML encoding in                 │
│                       │                │          │        │                                    │                 │ github.com/dexidp/dex                                       │
│                       │                │          │        │                                    │                 │ https://avd.aquasec.com/nvd/cve-2020-26290                  │
│                       ├────────────────┤          │        │                                    │                 ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2020-27847 │          │        │                                    │                 │ dexidp/dex: authentication bypass in saml authentication    │
│                       │                │          │        │                                    │                 │ https://avd.aquasec.com/nvd/cve-2020-27847                  │
│                       ├────────────────┤          │        │                                    ├─────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-39222 │          │        │                                    │ 2.35.0          │ dexidp: gaining access to applications accepting that token │
│                       │                │          │        │                                    │                 │ https://avd.aquasec.com/nvd/cve-2022-39222                  │
├───────────────────────┼────────────────┤          │        ├────────────────────────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                │ CVE-2024-24790 │          │        │ 1.21.3                             │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for  │
│                       │                │          │        │                                    │                 │ IPv4-mapped IPv6 addresses                                  │
│                       │                │          │        │                                    │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                  │
└───────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘
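
The mismatch described in the comment above, worked through as an added Go example (this is not code from dex-operator, dex or trivy). A pseudo-version such as v0.0.0-20221003101923-e4bceef9f3d1 carries no release number, so a scanner that compares it as a version against the fixed versions 2.27.0 and 2.35.0 concludes it is older than both; the only evidence in the string that identifies the code is the commit prefix and timestamp. The example parses the pseudo-version, reproduces the version comparison that produces the false positive, checks that the pinned commit is the release commit the PR author identifies as v2.35.0 (taken here as an input, not verified against the dex repository), and emits .trivyignore entries only for findings that pass both checks; the older v2.13.0+incompatible build from the first table is assessed by the same code and is never muted. The CVE IDs, versions and commit hash are the ones from the PR's tables; the type and function names are this example's own, and the .trivyignore layout assumed is trivy's plain one-ID-per-line file with "#" comment lines.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// PseudoVersion is what v0.0.0-20221003101923-e4bceef9f3d1 actually carries.
type PseudoVersion struct {
	Base      string    // version the pseudo-version was derived from
	Timestamp time.Time // commit time encoded in the string (UTC)
	ShortHash string    // 12-hex-digit commit prefix
}

// ParsePseudoVersion accepts vX.0.0-TS-HASH, vX.Y.Z-pre.0.TS-HASH and vX.Y.(Z+1)-0.TS-HASH.
func ParsePseudoVersion(v string) (PseudoVersion, error) {
	parts := strings.Split(v, "-")
	if len(parts) < 3 {
		return PseudoVersion{}, fmt.Errorf("%q is not a pseudo-version", v)
	}
	hash, stamp := parts[len(parts)-1], parts[len(parts)-2]
	if len(stamp) > 14 {
		stamp = stamp[len(stamp)-14:] // drop the "0." or "pre.0." prefix
	}
	ts, err := time.Parse("20060102150405", stamp)
	if err != nil || len(hash) != 12 || strings.Trim(hash, "0123456789abcdef") != "" {
		return PseudoVersion{}, fmt.Errorf("%q: malformed timestamp or commit part", v)
	}
	return PseudoVersion{Base: parts[0], Timestamp: ts.UTC(), ShortHash: hash}, nil
}

// CompareCore orders two versions by MAJOR.MINOR.PATCH only, ignoring "v", "+incompatible"
// and pseudo-version suffixes: the comparison a scanner makes against its fixed version.
// The result is negative when a < b, zero when equal, positive when a > b.
func CompareCore(a, b string) int {
	core := func(v string) (n [3]int) {
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i]
		}
		for i, s := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(s)
		}
		return n
	}
	na, nb := core(a), core(b)
	for i := range na {
		if d := na[i] - nb[i]; d != 0 {
			return d
		}
	}
	return 0
}

// Finding is one row of the scanner table; Assessment adds the two verdicts.
type Finding struct{ ID, Fixed string }
type Assessment struct {
	Finding
	SemverFlagged bool // installed core version < fixed version (the scanner's view)
	CommitPinned  bool // pseudo-version hash is a prefix of the verified release commit
}

// Assess runs both checks. A tagged version (v2.13.0+incompatible) is compared directly; a
// pseudo-version is compared by its base, which for a module without compatible tags is
// v0.0.0, so every fixed version in the database looks newer than it.
func Assess(installed, releaseCommit string, findings []Finding) []Assessment {
	base, pinned := installed, false
	if pv, err := ParsePseudoVersion(installed); err == nil {
		base, pinned = pv.Base, strings.HasPrefix(releaseCommit, pv.ShortHash)
	}
	out := make([]Assessment, 0, len(findings))
	for _, f := range findings {
		out = append(out, Assessment{f, CompareCore(base, f.Fixed) < 0, pinned})
	}
	return out
}

// TrivyIgnoreLines renders .trivyignore entries (one ID per line, "#" comments) only for
// findings flagged by version comparison while the pinned commit is the verified release
// commit; a genuinely old version is never muted.
func TrivyIgnoreLines(as []Assessment, releaseTag string) []string {
	var lines []string
	for _, a := range as {
		if a.SemverFlagged && a.CommitPinned {
			lines = append(lines, fmt.Sprintf("# pinned to %s commit, fix shipped in %s", releaseTag, a.Fixed), a.ID)
		}
	}
	return lines
}

func main() {
	// Inputs constructed from the PR's trivy tables; commit -> v2.35.0 is the PR author's claim.
	findings := []Finding{{"CVE-2020-26290", "2.27.0"}, {"CVE-2020-27847", "2.27.0"}, {"CVE-2022-39222", "2.35.0"}}
	as := Assess("v0.0.0-20221003101923-e4bceef9f3d1", "e4bceef9f3d1ff97a12fbbdb464047c5f1fac8b5", findings)
	for _, a := range as {
		fmt.Printf("%s flagged=%v pinned=%v\n", a.ID, a.SemverFlagged, a.CommitPinned)
	}
	fmt.Println(strings.Join(TrivyIgnoreLines(as, "v2.35.0"), "\n"))
}
```

Running it prints all three CVEs as flagged by version comparison but pinned to the release commit, followed by the six .trivyignore lines. Because the commit hash is the only thing that ties the ignore entries to the fix, the entries should be re-checked whenever go.mod moves the dex pin; muting by CVE ID alone would otherwise survive a downgrade.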

@tuladhar tuladhar marked this pull request as ready for review July 24, 2024 13:06
@tuladhar tuladhar requested a review from a team as a code owner July 24, 2024 13:06
@tuladhar (Contributor, Author) commented Jul 24, 2024

✅ Deployed dex-operator on golem and it seems to be functional:

dex-operator-68b78776d6-dxxlp 2024-07-24T17:23:41Z    INFO    controller-runtime.metrics    Metrics server is starting to listen    {"addr": ":8080"}
dex-operator-68b78776d6-dxxlp 2024-07-24T17:23:41Z    INFO    setup    starting manager
dex-operator-68b78776d6-dxxlp 2024-07-24T17:23:41Z    INFO    Starting server    {"kind": "health probe", "addr": ":8081"}
dex-operator-68b78776d6-dxxlp 2024-07-24T17:23:41Z    INFO    starting server    {"path": "/metrics", "kind": "metrics", "addr": ":8080"}
dex-operator-68b78776d6-dxxlp I0724 17:23:41.758113       1 leaderelection.go:245] attempting to acquire leader lease giantswarm/bf139543.giantswarm...
dex-operator-68b78776d6-dxxlp I0724 17:23:58.816133       1 leaderelection.go:255] successfully acquired lease giantswarm/bf139543.giantswarm
dex-operator-68b78776d6-dxxlp 2024-07-24T17:23:58Z    DEBUG    events    dex-operator-68b78776d6-dxxlp_aa880e22-e9c5-43f0-b2e5-fbde675ce46a became leader    {"type": "Normal", "object": {"kind":"Lease","namespace":"giantswarm","name":"bf139543.giantswarm","uid":"147c1f23-0ffe-4198-bdab-28d5e7d89230","apiVersion":"coordination.k8s.io/v1","resourceVersion":"1222852956"}, "reason": "LeaderElection"}
dex-operator-68b78776d6-dxxlp 2024-07-24T17:23:58Z    INFO    Starting EventSource    {"controller": "app", "controllerGroup": "application.giantswarm.io", "controllerKind": "App", "source": "kind source: *v1alpha1.App"}
dex-operator-68b78776d6-dxxlp 2024-07-24T17:23:58Z    INFO    Starting EventSource    {"controller": "app", "controllerGroup": "application.giantswarm.io", "controllerKind": "App", "source": "kind source: *v1.Secret"}
dex-operator-68b78776d6-dxxlp 2024-07-24T17:23:58Z    INFO    Starting Controller    {"controller": "app", "controllerGroup": "application.giantswarm.io", "controllerKind": "App"}
dex-operator-68b78776d6-dxxlp 2024-07-24T17:24:07Z    INFO    Starting workers    {"controller": "app", "controllerGroup": "application.giantswarm.io", "controllerKind": "App", "worker count": 1}
dex-operator-68b78776d6-dxxlp 2024-07-24T17:24:08Z    INFO    controllers.App    Updated app Azure AD for Giant Swarm of type microsoft.    {"app": {"name":"dex-app","namespace":"giantswarm"}}
dex-operator-68b78776d6-dxxlp 2024-07-24T17:24:08Z    INFO    controllers.App    Updated app Github for Giant Swarm of type github.    {"app": {"name":"dex-app","namespace":"giantswarm"}}
dex-operator-68b78776d6-dxxlp 2024-07-24T17:24:08Z    INFO    controllers.App    Updated default dex config secret for dex app instance.    {"app": {"name":"dex-app","namespace":"giantswarm"}}

✅ Tested dex auth flow via kubectl gs login api.golem.gaws.gigantic.io
✅ Verified the connectors in dex secret in MC

@tuladhar tuladhar changed the title Fix CRITICAL CVEs in dex library Fix CRITICAL CVEs Jul 24, 2024
@tuladhar tuladhar merged commit 6e134f9 into main Jul 25, 2024
6 checks passed
@tuladhar tuladhar deleted the security branch July 25, 2024 11:46