ingress-nginx
Cover CVE-2021-3618
We need a version without the vulnerability CVE-2021-3618. The vulnerability seems to be fixed in Nginx starting with release 1.21.0. Since none of the Ingress-Nginx versions use those releases, all versions seem to be vulnerable.
The project built a beta with some fixes. Certain reported CVEs got fixed, but this CVE is not visible in a grype scan:
% grype k8s.gcr.io/ingress-nginx/controller-chroot:v1.2.0-beta.0@sha256:5344d8367295be743703f19eea137e7a3253efc2d0ec8aee131b85d3258f9780
✔ Vulnerability DB [no update available]
✔ Parsed image
✔ Cataloged packages [127 packages]
✔ Scanned image [3 vulnerabilities]
[0018] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME                        INSTALLED   FIXED-IN  TYPE       VULNERABILITY   SEVERITY
flock                       2.37.4-r0             apk        CVE-2010-3262   Medium
google.golang.org/protobuf  v1.28.0               go-module  CVE-2021-22570  High
google.golang.org/protobuf  v1.28.0               go-module  CVE-2015-5237   High
I think there is an open issue that states at least the need of protection from at least one similar-sounding threat. They had mentioned certs with multiple domains or similar use-cases. In any case, this threat says:
ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
Have not seen if the patch is back-ported to nginx v1.19.10, and that is related because our base images use it.
We can address it when enough info is available against a future release.
Apparently openresty is working in a v1.21 nginx compatible release. As soon as this is released, we can start thinking on having nginx v1.21 as Ingress base.
@tao12345666333 thoughts?
Apparently openresty is working in a v1.21 nginx compatible release. As soon as this is released, we can start thinking on having nginx v1.21 as Ingress base.
Yes, I'm asking about the release cycle for the next version of OpenResty
Are there any plans to implement a fix for this CVE in the foreseeable future?
@svenbuerger we are just discussing this, but want some help, if someone can send a PR :)
/priority critical-urgent
/triage accepted
I do not see this in recent trivy scans for 1.3.0, 1.2.1 or 1.2.0
@dustin-bo what scanner did you use to get this result?
Any update on this please? Thanks! BTW, looks like the latest Openresty has upgraded Nginx core to 1.21 https://openresty.org/en/ann-1021004001.html
It looks like there is an openresty version, 1.21.4.1, that supports 1.21:
Based on a very recent mainline NGINX core 1.21.4
https://openresty.org/en/ann-1021004001.html
Is that what we need to use to update? @tao12345666333 @rikatz
yes! I'm working on this
@tao12345666333 can we discuss this for tomorrow's community meeting?
yes!
Is there some branch we could try or any alpha version of an updated nginx?
Not yet, but it's being worked on. Wait for updates from @tao12345666333
I think I can handle it this week
Was this included as part of the latest v1.5.1 release? Thanks
Please check nginx version in controller image. Do you use ingress for IMAP/POP/SMTP ports?
On Mon, 14 Nov 2022, 5:21 pm Nikhil Thakare wrote:
Was this included as part of the latest v1.5.1 release?
I don't see this come up in the Vulnerability scan for 1.5.2
https://github.com/kubernetes/ingress-nginx/actions/runs/3803822443/attempts/1#summary-10357554200
/close
@strongjz: Closing this issue.
In response to this:
I don't see this come up in the Vulnerability scan for 1.5.2
https://github.com/kubernetes/ingress-nginx/actions/runs/3803822443/attempts/1#summary-10357554200
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.