node-problem-detector
CVE found with v0.8.19
Vulnerability scan showed a CVE for NPD:v0.8.19
NVD
CVE-2023-4911
Published: 2023-10-03 - Modified: 2024-02-22
CVSS v3: 7.8
Description
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
This issue is to log this and ask when this would be fixed.
A few more new CVEs
trivy image --severity LOW,MEDIUM,HIGH,CRITICAL --ignore-unfixed --exit-code 3 --exit-on-eol 7 --scanners vuln registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.19
Total: 8 (LOW: 0, MEDIUM: 2, HIGH: 6, CRITICAL: 0)
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| libgnutls30 | CVE-2024-28834 | MEDIUM | fixed | 3.7.9-2+deb12u2 | 3.7.9-2+deb12u3 | gnutls: vulnerable to Minerva side-channel information leak (https://avd.aquasec.com/nvd/cve-2024-28834) |
| libgnutls30 | CVE-2024-28835 | MEDIUM | fixed | 3.7.9-2+deb12u2 | 3.7.9-2+deb12u3 | gnutls: potential crash during chain building/verification (https://avd.aquasec.com/nvd/cve-2024-28835) |
| libsystemd-dev | CVE-2023-50387 | HIGH | fixed | 252.22-1~deb12u1 | 252.23-1~deb12u1 | bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (https://avd.aquasec.com/nvd/cve-2023-50387) |
| libsystemd-dev | CVE-2023-50868 | HIGH | fixed | 252.22-1~deb12u1 | 252.23-1~deb12u1 | bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (https://avd.aquasec.com/nvd/cve-2023-50868) |
| libsystemd0 | CVE-2023-50387 | HIGH | fixed | 252.22-1~deb12u1 | 252.23-1~deb12u1 | bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (https://avd.aquasec.com/nvd/cve-2023-50387) |
| libsystemd0 | CVE-2023-50868 | HIGH | fixed | 252.22-1~deb12u1 | 252.23-1~deb12u1 | bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (https://avd.aquasec.com/nvd/cve-2023-50868) |
| libudev1 | CVE-2023-50387 | HIGH | fixed | 252.22-1~deb12u1 | 252.23-1~deb12u1 | bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (https://avd.aquasec.com/nvd/cve-2023-50387) |
| libudev1 | CVE-2023-50868 | HIGH | fixed | 252.22-1~deb12u1 | 252.23-1~deb12u1 | bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (https://avd.aquasec.com/nvd/cve-2023-50868) |
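One way to automate the verification step this thread ends up needing (checking whether the CVEs listed here still appear in a `trivy image --format json` report, and reproducing the severity summary and `--exit-code` behaviour of the command above). This is an added example, not code from node-problem-detector or trivy; it assumes trivy's JSON report layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `Severity`, `FixedVersion`) and runs on a constructed sample report rather than a live scan.

```python
import json
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report: two findings copied from the table above plus
# one unfixed placeholder finding that --ignore-unfixed would drop.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.19",
    "Class": "os-pkgs",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-28834", "PkgName": "libgnutls30",
         "InstalledVersion": "3.7.9-2+deb12u2", "FixedVersion": "3.7.9-2+deb12u3",
         "Severity": "MEDIUM", "Status": "fixed"},
        {"VulnerabilityID": "CVE-2023-50387", "PkgName": "libsystemd0",
         "InstalledVersion": "252.22-1~deb12u1", "FixedVersion": "252.23-1~deb12u1",
         "Severity": "HIGH", "Status": "fixed"},
        # placeholder, not a real CVE id: no upstream fix available yet
        {"VulnerabilityID": "CVE-EXAMPLE-0000", "PkgName": "libexample",
         "InstalledVersion": "1.0", "FixedVersion": "",
         "Severity": "CRITICAL", "Status": "affected"},
    ]}]})


def findings(report_json, ignore_unfixed=True, min_severity="LOW"):
    """Flatten Results[].Vulnerabilities[] into (pkg, cve, severity, fixed)
    tuples, applying the same filters as --ignore-unfixed and --severity."""
    threshold = SEVERITY_ORDER.index(min_severity)
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion", "")
            if ignore_unfixed and not fixed:
                continue
            sev = v.get("Severity", "UNKNOWN")
            rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
            if rank < threshold:
                continue
            rows.append((v["PkgName"], v["VulnerabilityID"], sev, fixed))
    return rows


def severity_summary(rows):
    """The counts behind trivy's 'Total: N (LOW: a, MEDIUM: b, ...)' line."""
    counts = Counter(sev for _, _, sev, _ in rows)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER[1:]}


def exit_code(rows, code=3):
    """Mirror --exit-code: non-zero only if a finding survived the filters."""
    return code if rows else 0


def outstanding(rows, tracked_cves):
    """Which of the CVEs tracked in this issue are still present in the scan."""
    present = {cve for _, cve, _, _ in rows}
    return sorted(present & set(tracked_cves))
```

Pointing `findings()` at the output of `trivy image --format json` for the image built at head gives the same yes/no answer as the manual re-scan later in this thread, and `outstanding()` lists exactly which tracked ids would still block a release.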
Our scans show additional CVEs to the ones reported above. Please find the complete list (including some of the ones mentioned earlier) of CVEs reported against this image.
Wondering if someone would like to submit a CL to update golang, go mod etc. to resolve those CVEs?
This is covered by weekly deps update. It is usually auto generated on Fridays.
@hakman does dep-bot update the Go version as well, or just Go modules/pkgs?
And also https://github.com/kubernetes/node-problem-detector/blob/master/Dockerfile#L23?
Looks like the dep-bot does not update golang version: https://github.com/kubernetes/node-problem-detector/pull/935
Can we please get an update on when to expect a new release with these CVEs fixed?
Bump! It would be great to get a 0.8.20 release to address these CVEs in a tagged release
Bump. Any update on when a new release might come out?
Looks like the golang version update in go.mod is still not covered. @jingxu97 are you able to take a look?
We are still awaiting a 0.8.20 release for this. How do we go about expediting a new release? I see that the last 5 were within 3-4 months (i.e. less than 1 month per release), but it's now been over 4 months since 0.8.19, and we're getting flagged for CVEs until a new release is declared.
We updated golang last week. @PelagicGames Can you help verify if all the CVEs are fixed at head commit? I can cut a new release this week after confirmation.
Will try to do that today :)
@wangzhen127, I've just run a trivy scan and that's not showing any CVEs against head.
Thanks for the verification! We are investigating the presubmit issue https://github.com/kubernetes/node-problem-detector/issues/970. Will make a release after the fix.
The issue is unblocked. Will make a new release later this week.
v0.8.20 has been released.
/close
@wangzhen127: Closing this issue.