
sriov-network-device-plugin v3.3.2 container image security vulnerabilities

Open supreeth90 opened this issue 3 years ago • 6 comments

What happened?

HIGH and CRITICAL vulnerabilities found in the sriov-network-device-plugin v3.3.2 container image (ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2)

REPORT:

$ trivy i --no-progress -s HIGH,CRITICAL  --vuln-type os  --exit-code 1 ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2
2022-02-17T00:02:01.194Z	INFO	Detected OS: alpine
2022-02-17T00:02:01.195Z	INFO	Detecting Alpine vulnerabilities...

ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2 (alpine 3.12.7)
**Total: 23 (HIGH: 20, CRITICAL: 3)**

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools    | CVE-2021-36159   | CRITICAL | 2.10.6-r0         | 2.10.7-r0     | libfetch before 2021-07-26, as        |
|              |                  |          |                   |               | used in apk-tools, xbps, and          |
|              |                  |          |                   |               | other products, mishandles...         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36159 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| busybox      | CVE-2021-42378   | HIGH     | 1.31.1-r20        | 1.31.1-r21    | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-3711    | CRITICAL | 1.1.1k-r0         | 1.1.1l-r0     | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-3712    | HIGH     |                   |               | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+--------------+------------------+----------+                   +               +---------------------------------------+
| libssl1.1    | CVE-2021-3711    | CRITICAL |                   |               | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-3712    | HIGH     |                   |               | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| ssl_client   | CVE-2021-42378   |          | 1.31.1-r20        | 1.31.1-r21    | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

What did you expect to happen?

0 HIGH and CRITICAL security vulnerabilities

What are the minimal steps needed to reproduce the bug?

By running trivy i --no-progress -s HIGH,CRITICAL --vuln-type os --exit-code 1 ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2

Component Versions

Please fill in the below table with the version numbers of components used.

Component Version
SR-IOV Network Device Plugin 3.3.2
SR-IOV CNI Plugin <Input Version Here>
Multus <Input Version Here>
Kubernetes 1.20.15
OS <Input Version Here>

Config Files

Config file locations may be config dependent.

Device pool config file location (Try '/etc/pcidp/config.json')
Multus config (Try '/etc/cni/multus/net.d')
CNI config (Try '/etc/cni/net.d/')
Kubernetes deployment type ( Bare Metal, Kubeadm etc.)
Kubeconfig file
SR-IOV Network Custom Resource Definition

Logs

SR-IOV Network Device Plugin Logs (use kubectl logs $PODNAME)
Multus logs (If enabled. Try '/var/log/multus.log' )
Kubelet logs (journalctl -u kubelet)

supreeth90, Feb 17 '22 00:02
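The table above lists one row per affected package, so a CVE shared by two packages built from the same source (busybox and ssl_client, libcrypto1.1 and libssl1.1) is counted twice, and the "Total: 23" overstates the number of distinct issues. The script below is an added example, not code from this issue or from the sriov-network-device-plugin project: it reads Trivy's JSON report format (`trivy image --format json`, whose top-level `Results` entries carry `Target` and `Vulnerabilities` with `VulnerabilityID`, `PkgName`, `Severity`, `InstalledVersion`, `FixedVersion`), collapses the rows to one entry per CVE, derives the per-package fixed versions, and applies a CI gate that, like `trivy --ignore-unfixed`, only blocks on findings that a rebuild can actually clear. The embedded report is a constructed excerpt mirroring a few rows of the table, not real scanner output, and the last row uses a placeholder ID (`CVE-0000-00000`, not a real CVE) purely to show how a finding without a fixed version is treated.

```python
"""Triage a Trivy JSON report: one entry per CVE, an apk upgrade plan, and a
CI gate on fixable HIGH/CRITICAL findings.

Added example, not code from the issue or the project. SAMPLE_REPORT is a
constructed excerpt in Trivy's JSON schema, not real scanner output; a real
report comes from:  trivy image --format json --output report.json <image>
"""
import json
from typing import Dict, List

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample. The last row uses a placeholder ID (not a real CVE) to
# show how a finding with no fixed version is handled by the gate.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2 (alpine 3.12.7)",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-36159", "PkgName": "apk-tools", "Severity": "CRITICAL",
             "InstalledVersion": "2.10.6-r0", "FixedVersion": "2.10.7-r0"},
            {"VulnerabilityID": "CVE-2021-3711", "PkgName": "libcrypto1.1", "Severity": "CRITICAL",
             "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0"},
            {"VulnerabilityID": "CVE-2021-3711", "PkgName": "libssl1.1", "Severity": "CRITICAL",
             "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0"},
            {"VulnerabilityID": "CVE-2021-42378", "PkgName": "busybox", "Severity": "HIGH",
             "InstalledVersion": "1.31.1-r20", "FixedVersion": "1.31.1-r21"},
            {"VulnerabilityID": "CVE-2021-42378", "PkgName": "ssl_client", "Severity": "HIGH",
             "InstalledVersion": "1.31.1-r20", "FixedVersion": "1.31.1-r21"},
            {"VulnerabilityID": "CVE-0000-00000", "PkgName": "example-pkg", "Severity": "HIGH",
             "InstalledVersion": "1.0-r0", "FixedVersion": ""},
        ],
    }]
})


def load_findings(report_json: str) -> List[Dict[str, str]]:
    """Flatten a Trivy report into one row per (package, CVE) pair."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null (not []) for a target with no findings.
        for v in result.get("Vulnerabilities") or []:
            rows.append({
                "cve": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
            })
    return rows


def unique_cves(rows, min_severity="HIGH", fixable_only=False) -> Dict[str, dict]:
    """Collapse package-level rows to one entry per CVE.

    Trivy lists a CVE once per affected package (busybox/ssl_client share one
    build, as do libcrypto1.1/libssl1.1), so the row count overstates the
    number of distinct issues. Keeps the highest severity seen for each CVE.
    """
    threshold = SEVERITY_RANK[min_severity]
    by_cve: Dict[str, dict] = {}
    for r in rows:
        if SEVERITY_RANK.get(r["severity"], 0) < threshold:
            continue
        e = by_cve.setdefault(r["cve"], {"severity": r["severity"], "packages": set(), "fixable": False})
        if SEVERITY_RANK[r["severity"]] > SEVERITY_RANK[e["severity"]]:
            e["severity"] = r["severity"]
        e["packages"].add(r["pkg"])
        e["fixable"] = e["fixable"] or bool(r["fixed"])
    if fixable_only:
        by_cve = {k: v for k, v in by_cve.items() if v["fixable"]}
    return by_cve


def upgrade_plan(rows) -> Dict[str, List[str]]:
    """Package -> sorted list of fixed versions the scanner asks for.

    Version strings are deliberately not compared here (apk ordering is not
    plain lexical order); `apk upgrade` on the pinned branch resolves that.
    """
    plan: Dict[str, set] = {}
    for r in rows:
        if r["fixed"]:
            plan.setdefault(r["pkg"], set()).add(r["fixed"])
    return {pkg: sorted(vs) for pkg, vs in plan.items()}


def should_fail(rows, min_severity="HIGH", fixable_only=True) -> bool:
    """CI gate: True when a CVE at or above min_severity is still open.

    fixable_only mirrors `trivy --ignore-unfixed`: a finding without an
    upstream fix cannot be cleared by rebuilding, so it does not block.
    """
    return bool(unique_cves(rows, min_severity, fixable_only))


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    for cve, e in sorted(unique_cves(findings).items()):
        print(f"{cve:16} {e['severity']:8} {','.join(sorted(e['packages']))}"
              f"{'' if e['fixable'] else '  (no fix available)'}")
    print("upgrade:", upgrade_plan(findings))
    print("fail build:", should_fail(findings))
```

On the sample, the six rows collapse to four distinct CVEs, three of them fixable; the gate fails the build on those three and ignores the placeholder that has no fixed version. Note that every fixed version Trivy names here (apk-tools 2.10.7-r0, busybox 1.31.1-r21, OpenSSL 1.1.1l-r0) is a 3.12-branch package, so the findings stem from the image being built against a stale 3.12 package index rather than from 3.12 itself lacking the fixes.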

I will take a look

rollandf, Mar 07 '22 16:03

/cc @bn222

zshi-redhat, Mar 08 '22 01:03

While you're right that v3.3.2 has the vulnerabilities:

trivy i --no-progress -s HIGH,CRITICAL --vuln-type os --exit-code 1 ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2

If you check the latest version, it does not have any:

trivy i --no-progress -s HIGH,CRITICAL --vuln-type os --exit-code 1 ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin

bn222, Mar 08 '22 11:03

Closing the issue since it doesn't exist in master.

@supreeth90 thanks for reporting the issues! v3.3.2 is a tag; we don't maintain a branch for it. It is recommended to upgrade to the latest version. I'm closing it now, feel free to re-open if you think otherwise.

zshi-redhat, Mar 08 '22 13:03

@bn222 we are pinning the alpine version to 3.12 in the Dockerfile; I ran trivy on my local setup and it still hit those issues.

I will submit a PR to update the Dockerfiles.

adrianchiris, Mar 20 '22 18:03

@adrianchiris @rollandf can we try to switch the image to centos or something else?

SchSeba, Aug 11 '22 09:08