Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address critical vulnerabilities #218

Closed
hawksight opened this issue Jan 30, 2024 · 2 comments · Fixed by #219
Closed

Address critical vulnerabilities #218

hawksight opened this issue Jan 30, 2024 · 2 comments · Fixed by #219

Comments

@hawksight
Copy link
Contributor

Hey thanks for the project. I was just checking out the latest image v0.4.41 which is now about 6 months ago and noticed a few vulnerabilities. I think they are probably addressable with a new build / image update as most of them seem to be in the base image.

Here's a trivy output for reference:

ghcr.io/kastenhq/kubestr:v0.4.41 (alpine 3.18.2)
================================================
Total: 19 (UNKNOWN: 0, LOW: 2, MEDIUM: 12, HIGH: 2, CRITICAL: 3)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2022-48174 │ CRITICAL │ fixed  │ 1.36.1-r0         │ 1.36.1-r1     │ stack overflow vulnerability in ash.c leads to arbitrary    │
│               │                │          │        │                   │               │ code execution                                              │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-48174                  │
├───────────────┤                │          │        │                   │               │                                                             │
│ busybox-binsh │                │          │        │                   │               │                                                             │
│               │                │          │        │                   │               │                                                             │
│               │                │          │        │                   │               │                                                             │
├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto3    │ CVE-2023-5363  │ HIGH     │        │ 3.1.1-r1          │ 3.1.4-r0      │ openssl: Incorrect cipher key and IV length processing      │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363                   │
│               ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-2975  │ MEDIUM   │        │                   │ 3.1.1-r2      │ openssl: AES-SIV cipher implementation contains a bug that  │
│               │                │          │        │                   │               │ causes it to ignore...                                      │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2975                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-3446  │          │        │                   │ 3.1.1-r3      │ openssl: Excessive time spent checking DH keys and          │
│               │                │          │        │                   │               │ parameters                                                  │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-3817  │          │        │                   │ 3.1.2-r0      │ OpenSSL: Excessive time spent checking DH q parameter value │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3817                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-5678  │          │        │                   │ 3.1.4-r1      │ openssl: Generating excessively long X9.42 DH keys or       │
│               │                │          │        │                   │               │ checking excessively long X9.42...                          │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-6129  │          │        │                   │ 3.1.4-r3      │ openssl: POLY1305 MAC implementation corrupts vector        │
│               │                │          │        │                   │               │ registers on PowerPC                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6129                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-6237  │          │        │                   │ 3.1.4-r4      │ openssl: Excessive time spent checking invalid RSA public   │
│               │                │          │        │                   │               │ keys                                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6237                   │
│               ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-0727  │ LOW      │        │                   │ 3.1.4-r5      │ openssl: denial of service via null dereference             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                   │
├───────────────┼────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3       │ CVE-2023-5363  │ HIGH     │        │                   │ 3.1.4-r0      │ openssl: Incorrect cipher key and IV length processing      │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363                   │
│               ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-2975  │ MEDIUM   │        │                   │ 3.1.1-r2      │ openssl: AES-SIV cipher implementation contains a bug that  │
│               │                │          │        │                   │               │ causes it to ignore...                                      │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2975                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-3446  │          │        │                   │ 3.1.1-r3      │ openssl: Excessive time spent checking DH keys and          │
│               │                │          │        │                   │               │ parameters                                                  │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-3817  │          │        │                   │ 3.1.2-r0      │ OpenSSL: Excessive time spent checking DH q parameter value │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3817                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-5678  │          │        │                   │ 3.1.4-r1      │ openssl: Generating excessively long X9.42 DH keys or       │
│               │                │          │        │                   │               │ checking excessively long X9.42...                          │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-6129  │          │        │                   │ 3.1.4-r3      │ openssl: POLY1305 MAC implementation corrupts vector        │
│               │                │          │        │                   │               │ registers on PowerPC                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6129                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-6237  │          │        │                   │ 3.1.4-r4      │ openssl: Excessive time spent checking invalid RSA public   │
│               │                │          │        │                   │               │ keys                                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6237                   │
│               ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-0727  │ LOW      │        │                   │ 3.1.4-r5      │ openssl: denial of service via null dereference             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                   │
├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2022-48174 │ CRITICAL │        │ 1.36.1-r0         │ 1.36.1-r1     │ stack overflow vulnerability in ash.c leads to arbitrary    │
│               │                │          │        │                   │               │ code execution                                              │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-48174                  │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

kubestr (gobinary)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH     │ fixed  │ v0.12.0           │ 0.17.0        │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                  │                │          │        │                   │               │ excessive work (CVE-2023-44487)                              │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                  ├────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-3978  │ MEDIUM   │        │                   │ 0.13.0        │ golang.org/x/net/html: Cross site scripting                  │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                  ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-44487 │          │        │                   │ 0.17.0        │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                  │                │          │        │                   │               │ to a DDoS attack...                                          │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

All the critical vulnerabilities look like they have fixes.
Having these fixed makes it easier to run in more secure environments as often the barrier to entry is no critical vulns, or atleast none that have fixes.

I'm happy to have a go at fixing this if you can point me to some guidance on building the project. (Similar question to #217 ).
hawksight added a commit to hawksight/kubestr that referenced this issue Jan 31, 2024
@hawksight
feat: Container image updates
954438d 
- Builder image moved to go 1.21 as per go.mod
- Runtime image upgraded to alpine 3.19

Hopfully fixes kastenhq#218.

Signed-off-by: Peter Fiddes <[email protected]>
@hawksight hawksight mentioned this issue Jan 31, 2024
Merged
julio-lopez pushed a commit that referenced this issue Feb 1, 2024
@hawksight
feat: Container image updates (#219)
6d642c2 
- Builder image moved to go 1.21 as per go.mod
- Runtime image upgraded to alpine 3.19

Hopfully fixes #218.

Signed-off-by: Peter Fiddes <[email protected]>
@hawksight
Copy link
Contributor Author

TY @julio-lopez for reviewing and closing.
Might the project cut a new release soon to include the changed in #219?

@julio-lopez
Copy link
Contributor

@bathina2 @pavannd1 ^^^

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Container image updates hawksight/kubestr
2 participants
@julio-lopez @hawksight