ingress-nginx
Scanner-specific CVE detection: PRISMA-2023-0056
When Prisma Cloud (formerly twistlock) scans repos for fixes, they will assign internal identifiers. In this case, they have scanned the release notes for logrus 1.9.3 and feel it has a necessary security patch.
ingress-nginx images get flagged, as they contain version 1.9.0 of this lib. https://github.com/kubernetes/ingress-nginx/blob/aac5d228ae6a7fc781837146cc1a564ebfe4f1c3/go.mod#L98
Prisma Cloud Compute 31.01.123
PRISMA-2023-0056
registry.k8s.io/ingress-nginx/controller:v1.9.5 sha256:311f90a3747fd333f687bc8ea3a1bdaa7f19aec377adedcefa818d241ee514f1
It has been listed here as a long-standing "old" package, https://github.com/kubernetes/ingress-nginx/issues/8910
Here's the scanner's summary of the vulnerability:
Impacted versions: <v1.9.3
Published: more than 9 months ago
The github.com/sirupsen/logrus module of all versions is vulnerable to denial of service. Logging more than 64kb of data in a single entry without newlines causes the log writer function to hang indefinitely.
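The first thing to reconcile when a scanner reports an internal advisory like this one is what go.mod actually pins: which version of the module is required, and whether it is a direct or an indirect dependency. The Go program below is an added example, not code from ingress-nginx, Prisma Cloud or logrus. It parses a go.mod snippet and compares the pinned logrus version with the first fixed release the scanner summary names (v1.9.3). The snippet is constructed: only the logrus version (v1.9.0) mirrors what this issue reports; the module path example.invalid/constructed and the golang.org/x/sys line are made up to show the "// indirect" handling.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Requirement is one entry of a go.mod require directive.
type Requirement struct {
	Path, Version string
	Indirect      bool
}

// parseGoMod collects requirements from "require path vX.Y.Z" lines and "require ( ... )" blocks; replace/exclude are ignored.
func parseGoMod(src string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "//"):
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		f := strings.Fields(line)
		if !inBlock {
			if len(f) < 3 || f[0] != "require" {
				continue // module, go, replace, ... lines
			}
			f = f[1:]
		}
		if len(f) >= 2 {
			reqs = append(reqs, Requirement{f[0], f[1], strings.Contains(line, "// indirect")})
		}
	}
	return reqs
}

// parseSemver reads the numeric core of "v1.9.0"; a -pre or +build suffix is ignored.
func parseSemver(v string) (ver [3]int, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &ver[0], &ver[1], &ver[2])
	return ver, err
}

// lessThan reports whether version a sorts before version b.
func lessThan(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Verdict is the outcome of checking one module against an advisory's fixed version.
type Verdict struct {
	Found, Affected, Indirect bool   // in go.mod; below the fixed version; carries "// indirect"
	Have                      string // pinned version, when found
}

// checkModule compares the version of modPath pinned in goMod with fixedVersion ("Impacted versions: <v1.9.3" -> "v1.9.3").
func checkModule(goMod, modPath, fixedVersion string) (Verdict, error) {
	fixed, err := parseSemver(fixedVersion)
	if err != nil {
		return Verdict{}, err
	}
	for _, r := range parseGoMod(goMod) {
		if r.Path != modPath {
			continue
		}
		cur, err := parseSemver(r.Version)
		if err != nil {
			return Verdict{Found: true, Have: r.Version}, err
		}
		return Verdict{true, lessThan(cur, fixed), r.Indirect, r.Version}, nil
	}
	return Verdict{}, nil // not pinned at all: not the same as "not affected"
}

// sampleGoMod is constructed for this example: only the logrus version (v1.9.0)
// mirrors what the issue reports; the module path and the x/sys line are made up.
const sampleGoMod = `module example.invalid/constructed

require (
	github.com/sirupsen/logrus v1.9.0
	golang.org/x/sys v0.15.0 // indirect
)
`

func main() {
	v, err := checkModule(sampleGoMod, "github.com/sirupsen/logrus", "v1.9.3")
	fmt.Printf("%+v err=%v\n", v, err)
}
```

A module that is absent from go.mod is reported as not found rather than as safe; in that case the next step is `go list -m all` or `go mod why` against the checkout, which also tells you which package pulls the module in.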
/remove-kind bug
Can you double-check and confirm? Something is not right with your sha+tag. This is the correct sha+tag for controller v1.9.5: https://github.com/kubernetes/ingress-nginx/blob/e9e70c8c3d3b8ef7fa75e51fe6b05e435e54d789/charts/ingress-nginx/values.yaml#L30
% grype registry.k8s.io/ingress-nginx/controller:v1.9.5@sha256:b3aba22b1da80e7acfc52b115cae1d4c687172cbf2b742d5b502419c25ff340e
✔ Vulnerability DB [no update available]
✔ Pulled image
✔ Loaded image registry.k8s.io/ingress-nginx/controller:v1.9.5@sha256:b3aba22b1da80e7acfc52b115cae1d4c687172cbf2b742d5b502419c25ff340e
✔ Parsed image sha256:311f90a3747fd333f687bc8ea3a1bdaa7f19aec377adedcefa818d241ee514f1
✔ Cataloged contents 04f2f07b772910bce1e0048e8fdd03da94cba3f9c17f5c6b8cbd7513feea6e1a
├── ✔ Packages [133 packages]
├── ✔ File digests [1,045 files]
└── ✔ File metadata [1,045 locations]
✔ Scanned for vulnerabilities [21 vulnerability matches]
├── by severity: 0 critical, 3 high, 12 medium, 0 low, 0 negligible (6 unknown)
└── by status: 6 fixed, 15 not-fixed, 0 ignored
[0012] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME           INSTALLED   FIXED-IN  TYPE    VULNERABILITY   SEVERITY
busybox        1.36.1-r15            apk     CVE-2023-42366  Medium
busybox        1.36.1-r15            apk     CVE-2023-42365  Medium
busybox        1.36.1-r15            apk     CVE-2023-42364  Medium
busybox        1.36.1-r15            apk     CVE-2023-42363  Medium
busybox-binsh  1.36.1-r15            apk     CVE-2023-42366  Medium
busybox-binsh  1.36.1-r15            apk     CVE-2023-42365  Medium
busybox-binsh  1.36.1-r15            apk     CVE-2023-42364  Medium
busybox-binsh  1.36.1-r15            apk     CVE-2023-42363  Medium
libcrypto3     3.1.4-r2    3.1.4-r4  apk     CVE-2023-6237   Unknown
libcrypto3     3.1.4-r2    3.1.4-r3  apk     CVE-2023-6129   Unknown
libssl3        3.1.4-r2    3.1.4-r4  apk     CVE-2023-6237   Unknown
libssl3        3.1.4-r2    3.1.4-r3  apk     CVE-2023-6129   Unknown
nginx          1.21.6                binary  CVE-2023-44487  High
nginx          1.21.6                binary  CVE-2022-41742  High
nginx          1.21.6                binary  CVE-2022-41741  High
openssl        3.1.4-r2    3.1.4-r4  apk     CVE-2023-6237   Unknown
openssl        3.1.4-r2    3.1.4-r3  apk     CVE-2023-6129   Unknown
ssl_client     1.36.1-r15            apk     CVE-2023-42366  Medium
ssl_client     1.36.1-r15            apk     CVE-2023-42365  Medium
ssl_client     1.36.1-r15            apk     CVE-2023-42364  Medium
ssl_client     1.36.1-r15            apk     CVE-2023-42363  Medium
Second aspect is, yes, the logrus version in the project seems to be at v1.9.0 https://github.com/kubernetes/ingress-nginx/blob/e9e70c8c3d3b8ef7fa75e51fe6b05e435e54d789/go.mod#L98, but grype is not reporting a vulnerability on logrus.
Snyk and grype are easier for us to deal with.
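When two scanners disagree, it helps to have the second scanner's output in a form that can be queried rather than eyeballed. The Go program below is an added example, not part of grype, Prisma Cloud or ingress-nginx. It parses the table above (embedded as a constructed sample with the terminal alignment collapsed, as pasted into this issue), rebuilds the "by severity" and "by status" totals from the rows so they can be checked against grype's own summary, and answers the question raised here: whether any finding is reported against github.com/sirupsen/logrus. Using the module path as the NAME value for a Go-module finding is an assumption about how grype would label it; for anything beyond a one-off check, `grype -o json` gives a stable schema instead of the table.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one row of grype's default table output.
type Finding struct {
	Name, Installed, FixedIn, Type, Vulnerability, Severity string
}

// parseGrypeTable parses the table after terminal column alignment has been lost
// (as when pasted into an issue). FIXED-IN is the only optional column, so a data
// row has 6 fields when a fix version exists and 5 when it does not.
func parseGrypeTable(out string) ([]Finding, error) {
	var fs []Finding
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "NAME ") {
			continue
		}
		f := strings.Fields(line)
		switch len(f) {
		case 6:
			fs = append(fs, Finding{f[0], f[1], f[2], f[3], f[4], f[5]})
		case 5:
			fs = append(fs, Finding{f[0], f[1], "", f[2], f[3], f[4]})
		default:
			return nil, fmt.Errorf("unexpected row: %q", line)
		}
	}
	return fs, nil
}

// summarize counts findings per lower-cased severity and those with a fix,
// mirroring grype's "by severity" and "by status" summary lines.
func summarize(fs []Finding) (sev map[string]int, fixed int) {
	sev = map[string]int{}
	for _, f := range fs {
		sev[strings.ToLower(f.Severity)]++
		if f.FixedIn != "" {
			fixed++
		}
	}
	return sev, fixed
}

// vulnsFor lists the vulnerability IDs reported against one package name.
func vulnsFor(fs []Finding, name string) []string {
	var ids []string
	for _, f := range fs {
		if f.Name == name {
			ids = append(ids, f.Vulnerability)
		}
	}
	return ids
}

// sampleTable repeats the 21 rows from the issue as pasted (alignment lost); constructed input for this example.
const sampleTable = `NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
busybox 1.36.1-r15 apk CVE-2023-42366 Medium
busybox 1.36.1-r15 apk CVE-2023-42365 Medium
busybox 1.36.1-r15 apk CVE-2023-42364 Medium
busybox 1.36.1-r15 apk CVE-2023-42363 Medium
busybox-binsh 1.36.1-r15 apk CVE-2023-42366 Medium
busybox-binsh 1.36.1-r15 apk CVE-2023-42365 Medium
busybox-binsh 1.36.1-r15 apk CVE-2023-42364 Medium
busybox-binsh 1.36.1-r15 apk CVE-2023-42363 Medium
libcrypto3 3.1.4-r2 3.1.4-r4 apk CVE-2023-6237 Unknown
libcrypto3 3.1.4-r2 3.1.4-r3 apk CVE-2023-6129 Unknown
libssl3 3.1.4-r2 3.1.4-r4 apk CVE-2023-6237 Unknown
libssl3 3.1.4-r2 3.1.4-r3 apk CVE-2023-6129 Unknown
nginx 1.21.6 binary CVE-2023-44487 High
nginx 1.21.6 binary CVE-2022-41742 High
nginx 1.21.6 binary CVE-2022-41741 High
openssl 3.1.4-r2 3.1.4-r4 apk CVE-2023-6237 Unknown
openssl 3.1.4-r2 3.1.4-r3 apk CVE-2023-6129 Unknown
ssl_client 1.36.1-r15 apk CVE-2023-42366 Medium
ssl_client 1.36.1-r15 apk CVE-2023-42365 Medium
ssl_client 1.36.1-r15 apk CVE-2023-42364 Medium
ssl_client 1.36.1-r15 apk CVE-2023-42363 Medium
`

func main() {
	fs, err := parseGrypeTable(sampleTable)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	sev, fixed := summarize(fs)
	fmt.Println(len(fs), "matches; by severity:", sev, "fixed:", fixed)
	fmt.Println("logrus findings:", vulnsFor(fs, "github.com/sirupsen/logrus"))
}
```

The rebuilt totals (3 high, 12 medium, 6 unknown, 6 with a fix) match the summary grype printed above, and the lookup for logrus comes back empty, which is the gap between the two scanners that this issue is about: the package is present in the image at a version below the one Prisma wants, but nothing in grype's database matches it.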
Understood. Prisma scans require paid support, not a free scanner, totally an internal identifier. Any plans to update the package, though?
Is there a CVE you can link here? Normally we have dependabot alerting for needed updates or clear reports with CVE numbers from tools like snyk & grype to take action on. Would you also want to consider submitting a PR? You will have to test on your laptop etc., in a clone of a fork.
logrus seems to not have updates for a long while now.
Doing a go mod why on it I can see it is used by kube-webhook-certgen but not ingress:
go mod why github.com/sirupsen/logrus
go: downloading github.com/opencontainers/runc v1.1.11
# github.com/sirupsen/logrus
github.com/jet/kube-webhook-certgen/cmd
github.com/sirupsen/logrus
Maybe it is a low effort to remove, but I don't have much time if someone wants to take care of it :)
/assign
/kind bug
/triage accepted
/priority important-longterm
The idea proposed, it seems, is to remove logrus. The certgen image is built in-house in this project. So someone proficient in Go can ask questions, if they take up the task to remove logrus.
https://github.com/kubernetes/ingress-nginx/pull/10964
fixed on #11023