
CVEs in NSM dependencies

Open denis-tingaikin opened this issue 2 years ago • 1 comments

From Giang Tran

CVE-2022-28946: An issue in the component ast/parser.go of Open Policy Agent v0.39.0 causes the application to incorrectly interpret every expression, causing a Denial of Service (DoS) via triggering out-of-range memory access.

CVE-2022-33082: An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input.

In NSC:

CVE-2022-27191: The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

CVE-2021-44716: net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

We should check these CVEs in NSM deps.

denis-tingaikin avatar Sep 23 '22 16:09 denis-tingaikin

Checked the repositories for these vulnerabilities - the dependencies are either newer or we don't have them.

ThetaDR avatar Sep 26 '22 09:09 ThetaDR
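The check described in the comment above, as an added example (not NSM's own tooling): parse a go.mod `require` section and report any pinned module that falls inside the version ranges quoted in this issue. The OPA module path is assumed from upstream (the issue does not name it), and the go.mod is a constructed sample; the Go 1.16.12 / 1.17.5 net/http CVE is a toolchain version, not a module, so it is not in the table.

```python
import re
# (module, how, version, CVE). "before": below the fix is affected; "equals": the one version named.
VULN_TABLE = [
    ("golang.org/x/crypto", "before", "v0.0.0-20220314234659-1baeb1ce4c0b", "CVE-2022-27191"),
    ("github.com/open-policy-agent/opa", "equals", "v0.39.0", "CVE-2022-28946"),
    ("github.com/open-policy-agent/opa", "equals", "v0.10.2", "CVE-2022-33082"),
]

# Constructed sample go.mod, not the real NSC one.
SAMPLE_GO_MOD = """\
require (
	github.com/open-policy-agent/opa v0.39.0
	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
)
require golang.org/x/text v0.3.7
"""

def version_key(v):
    # Simplified semver ordering: a release vX.Y.Z sorts above any vX.Y.Z-<pre>;
    # pseudo-version timestamps are fixed-width, so string order on <pre> is date order.
    m = re.fullmatch(r"v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?", v)
    if not m:
        raise ValueError(f"not a Go module version: {v}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is None, pre or "")

def parse_requires(go_mod_text):
    # {module: version} from single-line and block 'require' directives
    reqs, in_block = {}, False
    for raw in go_mod_text.splitlines():
        parts = raw.split("//", 1)[0].split()  # strip '// indirect' and comments
        if parts[:2] == ["require", "("]:
            in_block = True
        elif parts == [")"]:
            in_block = False
        elif in_block and len(parts) == 2:
            reqs[parts[0]] = parts[1]
        elif parts[:1] == ["require"] and len(parts) == 3:
            reqs[parts[1]] = parts[2]
    return reqs

def audit(go_mod_text):
    # (CVE, module, pinned version) per table match; modules absent from go.mod are skipped
    reqs, findings = parse_requires(go_mod_text), []
    for module, how, ver, cve in VULN_TABLE:
        have = reqs.get(module)
        if have is not None and (have == ver if how == "equals"
                                 else version_key(have) < version_key(ver)):
            findings.append((cve, module, have))
    return findings
```

In a real repository `govulncheck` does this against the full Go vulnerability database and also reports whether the vulnerable symbols are actually reachable.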

Two new CVEs from customers:

  1. https://github.com/kubernetes/kubernetes/issues/112513
  2. https://nvd.nist.gov/vuln/detail/CVE-2022-32149

denis-tingaikin avatar Dec 06 '22 23:12 denis-tingaikin

Fixed by https://github.com/networkservicemesh/sdk-k8s/pull/405

denis-tingaikin avatar Dec 07 '22 09:12 denis-tingaikin