                        Multiple CVE detected in latest "helm-chart-4.1.0 | ingress-nginx/controller:v1.2.0" release
Issue Details

Image: k8s.gcr.io/ingress-nginx/controller@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f918
ID: sha256:04fcc70194086eb9118c8a015dc455c0f7f0249b10346f8b03f97d86ae99fb0c
OS distribution: Alpine Linux v3.14
OS release: 3.14.6
Digest: sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185
Severity: critical. Package: go. Description: go version 1.17.6 has 5 vulnerabilities
- CVE-2022-23806 Fixed in: 1.17.7, 1.16.14
- CVE-2022-24675 Fixed in: 1.17.9, 1.8.1
- CVE-2022-24921 Fixed in: 1.17.8, 1.16.15
- CVE-2022-23772 Fixed in: 1.17.7, 1.16.14
- CVE-2022-23773 Fixed in: 1.17.7, 1.16.14

Severity: high. Package: ncurses. Description: ncurses (used in ncurses-libs, ncurses-terminfo-base) version 6.2_p20210612-r0 has 1 vulnerability
- CVE-2022-29458 Fixed in: 6.3_p20211120-r0

Severity: low. Package: curl. Description: curl (used in libcurl, curl) version 7.79.1-r0 has 4 vulnerabilities
- CVE-2022-27774 Fixed in: 7.79.1-r1
- CVE-2022-27775 Fixed in: 7.79.1-r1
- CVE-2022-27776 Fixed in: 7.79.1-r1
- CVE-2022-22576 Fixed in: 7.79.1-r1
Can someone help me out so we can get a new release? It seems a few packages need bumping; help appreciated.
Grype confirms it. Please wait until the maintainers schedule the update:

```
✔ Vulnerability DB        [updated]
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages      [120 packages]
✔ Scanned image           [14 vulnerabilities]
[0023]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME                        INSTALLED  FIXED-IN   TYPE       VULNERABILITY   SEVERITY
curl                        7.79.1-r0  7.79.1-r1  apk        CVE-2022-27774  Unknown
curl                        7.79.1-r0  7.79.1-r1  apk        CVE-2022-27775  Unknown
curl                        7.79.1-r0  7.79.1-r1  apk        CVE-2022-22576  Unknown
curl                        7.79.1-r0  7.79.1-r1  apk        CVE-2022-27776  Unknown
google.golang.org/protobuf  v1.28.0               go-module  CVE-2021-22570  High
google.golang.org/protobuf  v1.28.0               go-module  CVE-2015-5237   High
libcurl                     7.79.1-r0  7.79.1-r1  apk        CVE-2022-22576  Unknown
libcurl                     7.79.1-r0  7.79.1-r1  apk        CVE-2022-27774  Unknown
libcurl                     7.79.1-r0  7.79.1-r1  apk        CVE-2022-27775  Unknown
libcurl                     7.79.1-r0  7.79.1-r1  apk        CVE-2022-27776  Unknown
```
/triage-accepted /priority important-soon
/triage accepted
We are going to make a new release to fix some bugs, and this will go into that new release.
@rikatz could you confirm whether the latest release 1.3.0 / 4.2.0 contains these fixes? I couldn't find any CVE reference in the release notes.
@rikatz @tomasAlabes The new 4.2.0 | v1.3.0 definitely looks better, but there is a new CVE-2022-30065 in there.
In short: busybox (used in ssl_client, busybox) version 1.35.0-r14 has 1 vulnerability; bumping to busybox 1.35.0-r15 should fix the problem.
Who should we notify for a new build? It would be nice to see a perfect vulnerability score in Prisma Cloud for this image.
@DataMinded Which version of Alpine Linux contains this fix?
@tao12345666333
I found this https://github.com/alpinelinux/docker-alpine/issues/264#issuecomment-1189498803, which says CVE-2022-30065 is still present in the 3.16.1 image.
Also, as per this https://github.com/alpinelinux/docker-alpine/issues/264#issuecomment-1189499568,
alpine 3.16.1 is supposed to fix https://github.com/advisories/GHSA-gq73-rh3m-3php according to the release notes: https://www.alpinelinux.org/posts/Alpine-3.16.1-released.html
but it may still be present. I am unsure about 3.16.1 having a fix.
```
% grype `k -n ingress-nginx get po ingress-nginx-controller-6bf7bc7f94-8f5s8 -o yaml |  grep -i registry | grep -v imageID | awk '{print $2}'`
 ✔ Vulnerability DB        [updated]
 ✔ Parsed image
 ✔ Cataloged packages      [120 packages]
 ✔ Scanned image           [5 vulnerabilities]
[0031]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME                        INSTALLED   FIXED-IN    TYPE       VULNERABILITY   SEVERITY
busybox                     1.35.0-r14  1.35.0-r15  apk        CVE-2022-30065  High
google.golang.org/protobuf  v1.28.0                 go-module  CVE-2015-5237   High
google.golang.org/protobuf  v1.28.0                 go-module  CVE-2021-22570  High
ssl_client                  1.35.0-r14  1.35.0-r15  apk        CVE-2022-30065  High
```

```
% docker run  -it alpine:3.16.1 sh
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.16.1
PRETTY_NAME="Alpine Linux v3.16"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
/ # apk list | grep -i busybox
busybox-1.35.0-r15 x86_64 {busybox} (GPL-2.0-only) [installed]
ssl_client-1.35.0-r15 x86_64 {busybox} (GPL-2.0-only) [installed]
```
I also found that the NEW version 1.3.0 is impacted by the busybox vulnerability CVE-2022-30065.
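A small parser for the grype table pasted in the comments above, which turns the scan into the list of apk packages that already have a fix available and checks whether a base-image bump (such as alpine 3.16.1 shipping busybox 1.35.0-r15) actually reaches the FIXED-IN version. This is an added example, not code from the ingress-nginx project or from grype; the sample table is constructed from the thread's own output, and the apk version shape MAJOR.MINOR.PATCH[_pN]-rN it compares is an assumption.

```python
"""Flag grype findings that already have a fix and verify a candidate bump.

Added example for this thread; not part of ingress-nginx or grype. It assumes
grype's plain-text table layout (NAME INSTALLED FIXED-IN TYPE VULNERABILITY
SEVERITY) and Alpine apk version strings of the form MAJOR.MINOR.PATCH[_pN]-rN.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the grype table pasted in the thread.
SAMPLE_GRYPE_TABLE = """\
NAME                        INSTALLED   FIXED-IN    TYPE       VULNERABILITY   SEVERITY
busybox                     1.35.0-r14  1.35.0-r15  apk        CVE-2022-30065  High
google.golang.org/protobuf  v1.28.0                 go-module  CVE-2015-5237   High
ssl_client                  1.35.0-r14  1.35.0-r15  apk        CVE-2022-30065  High
"""


@dataclass
class Finding:
    name: str
    installed: str
    fixed_in: Optional[str]   # None when grype printed an empty FIXED-IN column
    pkg_type: str
    vuln_id: str
    severity: str


def parse_grype_table(text: str) -> List[Finding]:
    """Parse grype's table output; progress ticks, the header and WARN lines are skipped."""
    findings: List[Finding] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("NAME", "✔") or fields[0].startswith("["):
            continue
        if len(fields) == 6:
            name, installed, fixed, ptype, vuln, sev = fields
        elif len(fields) == 5:  # empty FIXED-IN column collapses to five fields
            name, installed, ptype, vuln, sev = fields
            fixed = None
        else:
            raise ValueError(f"unexpected grype row: {line!r}")
        findings.append(Finding(name, installed, fixed, ptype, vuln, sev))
    return findings


# Assumed apk version shape: 1.35.0-r14, 7.79.1-r1, 6.2_p20210612-r0
_APK_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:_p(\d+))?-r(\d+)$")


def apk_version_key(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Sort key for Alpine apk versions: numeric components, _p snapshot, -r release."""
    m = _APK_VERSION.match(version)
    if not m:
        raise ValueError(f"not an apk version: {version!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) else 0
    release = int(m.group(3))
    return numbers, patch, release


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when the installed apk version is at or above the version grype says fixes it."""
    return apk_version_key(installed) >= apk_version_key(fixed_in)


def needs_bump(findings: List[Finding]) -> Dict[str, str]:
    """Map each still-vulnerable apk package to the highest FIXED-IN version seen."""
    targets: Dict[str, str] = {}
    for f in findings:
        if f.pkg_type != "apk" or f.fixed_in is None or is_fixed(f.installed, f.fixed_in):
            continue  # not an apk package, no fix published yet, or already patched
        current = targets.get(f.name)
        if current is None or apk_version_key(f.fixed_in) > apk_version_key(current):
            targets[f.name] = f.fixed_in
    return targets


if __name__ == "__main__":
    for pkg, target in sorted(needs_bump(parse_grype_table(SAMPLE_GRYPE_TABLE)).items()):
        print(f"{pkg}: bump to {target}")
    # The alpine:3.16.1 check from the thread: busybox 1.35.0-r15 satisfies FIXED-IN.
    print("alpine 3.16.1 busybox patched:", is_fixed("1.35.0-r15", "1.35.0-r15"))
```

Go modules such as google.golang.org/protobuf are deliberately left out of `needs_bump`: their versions do not follow apk rules, and grype printed no FIXED-IN for them, so the comparison has nothing to act on.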
We have updated to alpine v3.16.1 with patches for busybox & ssl_client. It will be released later.
Sorry to ask like this, as you guys are probably busy with other stuff, but is this not a version-bump hotfix release?
As it concerns a security issue, would the best path not be a fast release with a fix (patch/hotfix release, not sure what the correct terminology is here)? For new features I understand there is a point to the code freeze, but a security fix we should try to get out as soon as it's available.
Just trying to better understand the working method here. Thanks in advance.
@DataMinded true, security-based fixes should come sooner rather than later.
In this case, busybox itself is not directly in play while using ingress objects, and ssl_client is used internally by the controller. So this is an acceptable risk in the context of the timelines feasible/possible for releasing binaries with patched bits for those 2 CVEs.
The situation now is that the already complicated/manual release process gets even more complicated (with cherry-picking needed for tons of stuff etc.), not to mention the lack of developer time.
@longwuyuan Thanks a lot for the explanation. Indeed I do not know the full context to make that distinction, but that sounds like good reasoning.
Thanks! I understand your pain in cherrypicking stuff. Hope to see fixes soon.
P.S. From time to time we experience pain (especially in Aliyun Cloud) when Security Center blindly creates a Critical Security Incident based on the findings and we have to patch everything ASAP (or at least describe why busybox won't affect us and provide at least some rough ETA for a fix).
Yeah, my guess is that the ssl_client vulnerability is causing the busybox CVE as well, but I'm not absolutely sure, because busybox itself is a bunch of stuff. openssl is patched and this CVE points at ssl_client. So my guess is that the ssl_client binaries do not initiate any connection to out-of-cluster destinations, unless someone tries to connect to something on the internet from inside the controller (like a download instruction etc.).
Understood the cloud problem. We aim to release as soon as feasible.
Just as a note, the 4.2.1 release does not contain a fix for this
Yes, it will appear in the app version upgrade. This one is just a chart version upgrade.
Hi @longwuyuan, may I know when the fix version will be released?
Just as a note, Release 4.2.2 & 4.2.3 still do NOT contain a fix for this CVE
If everything looks good, there will be a discussion on making the release this week or next week.
Any update?
Will start release process.
Thanks, Long
On Fri, 2 Sep, 2022, 8:19 AM Liang Wang wrote:

> Any update?
controller-v1.3.1 does not contain any CVEs according to Prisma Cloud. Yay! Now we wait for a chart release.
Guess we can close this issue now:
controller-v1.3.1 / helm-chart-4.2.5 resolves the CVEs addressed in the OP.
Thanks for all the help & comments.