Image scan has detected CVE-2021-3538
Hi, the trivy image scanner has detected 1 critical vulnerability in the latest version:
trivy image k8s.gcr.io/autoscaling/cluster-autoscaler:v1.23.0
2022-02-25T10:24:50.270+0100 INFO Detected OS: debian
2022-02-25T10:24:50.270+0100 INFO Detecting Debian vulnerabilities...
2022-02-25T10:24:50.270+0100 INFO Number of language-specific files: 1
2022-02-25T10:24:50.270+0100 INFO Detecting gobinary vulnerabilities...
k8s.gcr.io/autoscaling/cluster-autoscaler:v1.23.0 (debian 11.2)
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
cluster-autoscaler (gobinary)
=============================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 1)
LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION                       | TITLE
--------------------------+------------------+----------+-------------------+-------------------------------------+------
github.com/satori/go.uuid | CVE-2021-3538    | CRITICAL | v1.2.0            | 1.2.1-0.20181016170032-d91630c85102 | satori/go.uuid: predictable UUIDs generated via insecure randomness --> avd.aquasec.com/nvd/cve-2021-3538
k8s.io/kubernetes         | CVE-2020-8554    | MEDIUM   | v1.23.0           |                                     | kubernetes: MITM using LoadBalancer or ExternalIPs --> avd.aquasec.com/nvd/cve-2020-8554
Could you please fix this?
Which component are you using?:
cluster-autoscaler
What version of the component are you using?:
Component version: image-tag: v1.23.0 Chart-Version: 9.15.0
What k8s version are you using (kubectl version)?:
AWS EKS 1.21
What environment is this in?:
AWS EKS
What did you expect to happen?:
No critical vulnerabilities
What happened instead?:
1 critical vulnerability
How to reproduce it (as minimally and precisely as possible):
trivy image k8s.gcr.io/autoscaling/cluster-autoscaler:v1.23.0
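An added example, not code from satori/go.uuid or from the autoscaler repo, that shows the flaw class the CVE-2021-3538 finding above points at; it assumes the flaw is an unchecked short read of the random source (a bare Read whose byte count is ignored) and puts that pattern beside the io.ReadFull form. shortReader, newV4Unchecked and newV4Checked are constructed names, and shortReader is a deterministic stand-in for crypto/rand so the effect is visible.

```go
package main

import (
	"fmt"
	"io"
)

// shortReader is a constructed io.Reader of non-zero bytes (1, 2, 3, ...) that
// returns at most chunk bytes per call, imitating a partially satisfied Read.
type shortReader struct{ chunk, next int }

func (s *shortReader) Read(p []byte) (int, error) {
	n := len(p)
	if n > s.chunk {
		n = s.chunk
	}
	for i := 0; i < n; i++ {
		s.next++
		p[i] = byte(s.next)
	}
	return n, nil
}

// newV4Unchecked is the unsafe pattern: the byte count of a single Read is
// ignored, so a short read leaves the tail of the UUID zero without an error.
func newV4Unchecked(r io.Reader) ([16]byte, error) {
	var u [16]byte
	if _, err := r.Read(u[:]); err != nil {
		return u, err
	}
	u[6], u[8] = (u[6]&0x0f)|0x40, (u[8]&0x3f)|0x80 // RFC 4122 v4 + variant
	return u, nil
}

// newV4Checked is the hardened form: io.ReadFull returns nil only once all 16
// bytes arrived, and io.ErrUnexpectedEOF if the source runs dry first.
func newV4Checked(r io.Reader) ([16]byte, error) {
	var u [16]byte
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return u, err
	}
	u[6], u[8] = (u[6]&0x0f)|0x40, (u[8]&0x3f)|0x80 // RFC 4122 v4 + variant
	return u, nil
}

func main() {
	bad, _ := newV4Unchecked(&shortReader{chunk: 4})
	good, _ := newV4Checked(&shortReader{chunk: 4})
	fmt.Printf("unchecked: %x\nchecked:   %x\n", bad, good)
}
```

With a 4-byte chunk the unchecked variant reports success while 12 of its 16 bytes were never filled; the checked variant either fills all 16 or returns an error the caller cannot ignore.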
I've done a little research on this bug and want to add more context to this issue:
go mod why github.com/satori/go.uuid
# github.com/satori/go.uuid
k8s.io/autoscaler/cluster-autoscaler/cloudprovider/alicloud/alibaba-cloud-sdk-go/sdk/utils
github.com/satori/go.uuid
So we need to update alibaba-cloud-sdk-go to solve this issue. alibaba-cloud-sdk-go was vendored into this repo in 2018 (962826e46aecb66be71c16df81a587dba357f9d1). Newer versions of alibaba-cloud-sdk-go don't contain that package as a dependency.
I can make a PR to update alibaba-cloud-sdk-go, but I can't test it.
@ringtail Can you then test my PR, or can you update this SDK yourself?
/assign
The v1.21.2 image (EKS 1.21 is the last version available atm on AWS) and v1.22.2 also have CVE-2021-3538 ⚠️
$ trivy version
Version: 0.25.0
Vulnerability DB:
Version: 2
UpdatedAt: 2022-03-31 12:11:44.661302354 +0000 UTC
NextUpdate: 2022-03-31 18:11:44.661301954 +0000 UTC
DownloadedAt: 2022-03-31 13:01:36.478794654 +0000 UTC
$ trivy image --no-progress k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.2
2022-03-31T13:02:23.600Z INFO Detected OS: debian
2022-03-31T13:02:23.600Z INFO Detecting Debian vulnerabilities...
2022-03-31T13:02:23.601Z INFO Number of language-specific files: 1
2022-03-31T13:02:23.601Z INFO Detecting gobinary vulnerabilities...
k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.2 (debian 11.1)
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
cluster-autoscaler (gobinary)
=============================
Total: 8 (UNKNOWN: 1, LOW: 2, MEDIUM: 3, HIGH: 1, CRITICAL: 1)
LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION                             | TITLE
--------------------------+------------------+----------+-------------------+-------------------------------------------+------
github.com/satori/go.uuid | CVE-2021-3538    | CRITICAL | v1.2.0            | 1.2.1-0.20181016170032-d91630c85102       | satori/go.uuid: predictable UUIDs generated via insecure randomness --> avd.aquasec.com/nvd/cve-2021-3538
golang.org/x/text         | CVE-2021-38561   | UNKNOWN  | v0.3.4            | 0.3.7                                     | Due to improper index calculation, an incorrectly formatted language tag can cause... --> avd.aquasec.com/nvd/cve-2021-38561
k8s.io/kubernetes         | CVE-2021-25741   | HIGH     | v1.21.0           | 1.19.15, 1.20.11, 1.21.5, 1.22.2          | kubernetes: Symlink exchange can allow host filesystem access --> avd.aquasec.com/nvd/cve-2021-25741
k8s.io/kubernetes         | CVE-2020-8554    | MEDIUM   | v1.21.0           |                                           | kubernetes: MITM using LoadBalancer or ExternalIPs --> avd.aquasec.com/nvd/cve-2020-8554
k8s.io/kubernetes         | CVE-2020-8561    | MEDIUM   | v1.21.0           |                                           | kubernetes: Webhook redirect in kube-apiserver --> avd.aquasec.com/nvd/cve-2020-8561
k8s.io/kubernetes         | CVE-2021-25737   | MEDIUM   | v1.21.0           | 1.18.19, 1.19.10, 1.20.7, 1.21.1          | kubernetes: Holes in EndpointSlice Validation Enable Host Network Hijack --> avd.aquasec.com/nvd/cve-2021-25737
k8s.io/kubernetes         | CVE-2020-8562    | LOW      | v1.21.0           | 1.21.1, 1.21.1, 1.19.11, 1.18.19, 1.18.19 | kubernetes: Bypass of Kubernetes API Server proxy TOCTOU --> avd.aquasec.com/nvd/cve-2020-8562
k8s.io/kubernetes         | CVE-2021-25740   | LOW      | v1.21.0           |                                           | kubernetes: Endpoint & EndpointSlice permissions allow cross-Namespace forwarding --> avd.aquasec.com/nvd/cve-2021-25740
$ trivy image --no-progress k8s.gcr.io/autoscaling/cluster-autoscaler:v1.22.2
2022-03-31T13:02:31.667Z INFO Detected OS: debian
2022-03-31T13:02:31.667Z INFO Detecting Debian vulnerabilities...
2022-03-31T13:02:31.667Z INFO Number of language-specific files: 1
2022-03-31T13:02:31.667Z INFO Detecting gobinary vulnerabilities...
k8s.gcr.io/autoscaling/cluster-autoscaler:v1.22.2 (debian 11.1)
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
cluster-autoscaler (gobinary)
=============================
Total: 6 (UNKNOWN: 1, LOW: 1, MEDIUM: 2, HIGH: 1, CRITICAL: 1)
LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION                       | TITLE
--------------------------+------------------+----------+-------------------+-------------------------------------+------
github.com/satori/go.uuid | CVE-2021-3538    | CRITICAL | v1.2.0            | 1.2.1-0.20181016170032-d91630c85102 | satori/go.uuid: predictable UUIDs generated via insecure randomness --> avd.aquasec.com/nvd/cve-2021-3538
golang.org/x/text         | CVE-2021-38561   | UNKNOWN  | v0.3.6            | 0.3.7                               | Due to improper index calculation, an incorrectly formatted language tag can cause... --> avd.aquasec.com/nvd/cve-2021-38561
k8s.io/kubernetes         | CVE-2021-25741   | HIGH     | v1.22.0           | 1.19.15, 1.20.11, 1.21.5, 1.22.2    | kubernetes: Symlink exchange can allow host filesystem access --> avd.aquasec.com/nvd/cve-2021-25741
k8s.io/kubernetes         | CVE-2020-8554    | MEDIUM   | v1.22.0           |                                     | kubernetes: MITM using LoadBalancer or ExternalIPs --> avd.aquasec.com/nvd/cve-2020-8554
k8s.io/kubernetes         | CVE-2020-8561    | MEDIUM   | v1.22.0           |                                     | kubernetes: Webhook redirect in kube-apiserver --> avd.aquasec.com/nvd/cve-2020-8561
k8s.io/kubernetes         | CVE-2021-25740   | LOW      | v1.22.0           |                                     | kubernetes: Endpoint & EndpointSlice permissions allow cross-Namespace forwarding --> avd.aquasec.com/nvd/cve-2021-25740
@IrisIris pls follow it up.
According to our Trivy scans, the latest image for 1.24 is also affected. Would it be possible to make a hotfix release and generate new images?
Hi, is there a chance we could get a new minor release + image generated with the vulnerability fix?
@IrisIris ping here.
/assign @bskiba @MaciekPytel @mwielgus
PTAL
Useless ping, but since this has been open for more than 5 months... I am aware that full testing of the required changes seems to be difficult, as it requires validation on a specific cloud provider (Alicloud), which unfortunately I don't use.
I fixed this issue, but still need some time to do full tests. I'll do my best to PR no later than next Wednesday.
This CVE is the only one, as all others have been fixed; it would be great if this one could be crossed off the list.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle stale
- Mark this issue or PR as rotten with /lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Reopen this issue with /reopen
- Mark this issue as fresh with /remove-lifecycle rotten
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
In response to this:
    The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
    This bot triages issues according to the following rules:
    - After 90d of inactivity, lifecycle/stale is applied
    - After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
    - After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
    You can:
    - Reopen this issue with /reopen
    - Mark this issue as fresh with /remove-lifecycle rotten
    - Offer to help out with Issue Triage
    Please send feedback to sig-contributor-experience at kubernetes/community.
    /close not-planned
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.