
CVEs found in calico/node

Open jignesh01 opened this issue 3 years ago • 3 comments

Our security scanning tools have identified CVEs in one of your projects, calico/node. Can you please review this and provide an update on the following:

- Documentation that explains the mitigation strategy that we can apply to reduce the severity level
- Details on when this is going to be fixed, with the expected version number

CVEs reported:

- CVE-2021-25741: A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.
- CVE-2021-25735: A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
- CVE-2020-8562: As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.

Calico version in use: v3.23.3

jignesh01 avatar Jul 28 '22 20:07 jignesh01
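The CVE-2020-8562 description above is a resolve-check-resolve-again race: the address that is validated is not the address that is dialed. The Go program below is an added example written for this page, not code from Calico or Kubernetes. It uses a constructed, scripted resolver (`newScriptedResolver`, a hypothetical helper) that answers a public address on the first query and 127.0.0.1 on the second, and shows `vulnerableDialTarget` (two lookups, second one unvalidated) handing a loopback address to the dialer while `hardenedDialTarget` (one lookup, dial the IP that was checked) does not. The host name and IPs are made up.

```go
package main

import (
	"fmt"
	"net"
)

// Resolver is the one DNS operation the check needs; an interface so the
// example can plug in a scripted resolver instead of real DNS.
type Resolver interface {
	LookupIP(host string) ([]net.IP, error)
}

// scriptedResolver hands out one answer per call from a fixed list. This is
// the behaviour of a non-standard DNS server that changes its answer between
// the validation lookup and the connection lookup, with nothing cached between.
type scriptedResolver struct {
	answers []net.IP
	calls   int
}

// newScriptedResolver is a hypothetical helper for this example only.
func newScriptedResolver(addrs ...string) *scriptedResolver {
	r := &scriptedResolver{}
	for _, a := range addrs {
		r.answers = append(r.answers, net.ParseIP(a))
	}
	return r
}

func (r *scriptedResolver) LookupIP(host string) ([]net.IP, error) {
	if len(r.answers) == 0 {
		return nil, fmt.Errorf("no DNS answer for %s", host)
	}
	ip := r.answers[r.calls%len(r.answers)]
	r.calls++
	return []net.IP{ip}, nil
}

// The two ranges the CVE text names: link-local and localhost.
var blockedRanges = []*net.IPNet{mustCIDR("169.254.0.0/16"), mustCIDR("127.0.0.0/8")}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func isBlocked(ip net.IP) bool {
	for _, n := range blockedRanges {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// vulnerableDialTarget reproduces the CVE-2020-8562 pattern: resolve and
// validate, then resolve a second time with no validation to pick the address
// actually dialed. It returns the IP a dial would use.
func vulnerableDialTarget(r Resolver, host string) (net.IP, error) {
	ips, err := r.LookupIP(host)
	if err != nil {
		return nil, err
	}
	for _, ip := range ips {
		if isBlocked(ip) {
			return nil, fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	ips, err = r.LookupIP(host) // second, unvalidated resolution
	if err != nil {
		return nil, err
	}
	return ips[0], nil
}

// hardenedDialTarget resolves once and returns the validated IP itself, so the
// address that was checked is the address that gets dialed.
func hardenedDialTarget(r Resolver, host string) (net.IP, error) {
	ips, err := r.LookupIP(host)
	if err != nil {
		return nil, err
	}
	for _, ip := range ips {
		if isBlocked(ip) {
			return nil, fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return ips[0], nil
}

func main() {
	// Constructed scenario: public address first, loopback on the next query.
	const host = "svc.example.test" // hypothetical name
	v, err := vulnerableDialTarget(newScriptedResolver("203.0.113.10", "127.0.0.1"), host)
	fmt.Println("vulnerable would dial:", v, err)
	h, err := hardenedDialTarget(newScriptedResolver("203.0.113.10", "127.0.0.1"), host)
	fmt.Println("hardened would dial:  ", h, err)
}
```

The fix is the shape of the hardened function: dial the literal IP that passed the check (or pin it with a custom dialer) rather than re-resolving the name. A check that only validates ranges but lets the dialer resolve again is bypassable by any DNS server the attacker controls, since a zero TTL defeats the cache the check is implicitly relying on.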

I don't believe Calico is affected by any of these CVEs.

CC @gpang-tigera to confirm.

caseydavenport avatar Jul 29 '22 16:07 caseydavenport

ping @gpang-tigera

song-jiang avatar Aug 09 '22 16:08 song-jiang

Calico is not affected by any of these CVEs.

gpang-tigera avatar Aug 09 '22 17:08 gpang-tigera

Closing this since there is another open issue to address one of the CVEs above.

lmm avatar Aug 23 '22 16:08 lmm