
OpenSSL Vulnerabilities Detected in MicroK8s Core20 Snaps

Open Imalka17 opened this issue 1 year ago • 5 comments

Hello,

During a recent security scan, we identified multiple vulnerabilities related to OpenSSL in the MicroK8s Core20 snaps. These vulnerabilities are still present and have not been addressed in the latest release. Given the critical nature of OpenSSL in ensuring secure communications and overall system integrity, it is crucial to address these issues promptly.

Details:

- Vulnerabilities Identified: [ CVE-2016-2183, CVE-2020-1967, CVE-2021-23840, CVE-2021-3450, CVE-2021-3711, CVE-2021-3712, CVE-2022-0778, CVE-2022-1292, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-4807 ]

- Current Version Affected: [ MicroK8s 1.28 and Microk8s Core20 --edge snaps]

- Scanning Tool Used: [ Kenna ]

Six of these vulnerabilities have a CVSS score above 7, and the scanner reported the path in the environment where each was found:

- CVE-2022-1292 - Path : /snap/core20/2361/usr/bin/openssl
- CVE-2023-0464 - Path : /snap/core20/2361/usr/bin/openssl
- CVE-2022-4450 - Path : /snap/core20/2361/usr/bin/openssl
- CVE-2023-0215 - Path : /snap/core20/2361/usr/bin/openssl
- CVE-2020-1967 - Path : /snap/core20/2361/usr/bin/openssl
- CVE-2022-0778 - Path : /snap/core20/2361/usr/bin/openssl

I also tried to remove the mentioned file from the environment, but it can't be removed as it is used by MicroK8s.

These vulnerabilities can potentially be exploited, leading to unauthorized access, data breaches, and other security risks. It is important to maintain the security and trustworthiness of the MicroK8s environment.

Could you please provide information on the planned or ongoing solutions to address these OpenSSL vulnerabilities? If there are any workarounds or immediate steps that can be taken to mitigate these issues, please share them with the community.

Best regards, Imalka

Imalka17 Jul 20 '24 10:07

Given the prevalence of core20, this is a serious issue. The contained version of OpenSSL does have a version that has been patched to address several recent vulnerabilities, but that version is a premium support version only. Given this vulnerability, a patch needs to be developed for the snap, the version of OpenSSL needs to be changed, or the core20 snap needs to be deprecated.

cbudish-wbmi Aug 21 '24 16:08

core20 is built from ubuntu packages

$ zcat /snap/core20/current/usr/share/doc/openssl/changelog.Debian.gz  | grep -e 2022-1292 -e 2023-0464 -e 2022-4450
    - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
    - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
    - debian/patches/CVE-2023-0464-3.patch: disable the policy tree
    - CVE-2023-0464
    - debian/patches/CVE-2022-4450-1.patch: avoid dangling ptrs in header
    - debian/patches/CVE-2022-4450-2.patch: add a test in test/pemtest.c.
    - CVE-2022-4450
    - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and
    - debian/patches/CVE-2022-1292.patch: do not use shell to invoke
    - CVE-2022-1292

Does your scanner recognise that this snap is built from Ubuntu .debs, that it uses the Ubuntu Security feeds, and that the package version in question is openssl (1.1.1f-1ubuntu2.22) focal-security; urgency=medium and thus has all the fixes mentioned at https://launchpad.net/ubuntu/focal/+source/openssl/+changelog ?

If you create a docker image from Ubuntu focal, install openssl 1.1.1f-1ubuntu2.22 and run your scanner, does it also flag the above-mentioned CVEs?

xnox Aug 21 '24 16:08
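The check xnox describes above (zcat the snap's Debian changelog and grep for the reported CVE ids) is the standard way to triage a scanner finding against a distro package that carries backported fixes, because the scanner matches on the upstream version string (1.1.1f) while the fix lives in the Ubuntu revision (-1ubuntu2.22). The script below is an added example, not part of this issue or of the MicroK8s/core20 project: it parses the Debian changelog format, records the oldest package revision whose entry mentions each CVE, and splits a scanner's CVE list into "addressed in revision X" versus "not mentioned, needs manual follow-up". The changelog text embedded in the block is constructed for the example; the assignment of CVEs to the placeholder revision 1.1.1f-1ubuntu2.OLDER is illustrative and not the real Ubuntu fix history. The snap path and the triage_snap helper are assumptions that mirror the command in the comment.

```python
import gzip
import re
from pathlib import Path

# Debian changelog entry header, e.g.
#   openssl (1.1.1f-1ubuntu2.22) focal-security; urgency=medium
HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urgency>\S+)"
)
# Matches the id inside lines like "- debian/patches/CVE-2023-0464-1.patch: ..."
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return [(version, distribution, {cve ids}), ...], newest entry first.

    Every non-header line is attributed to the most recent header seen, which
    is how the Debian changelog format nests body lines under their version.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m.group("version"), m.group("dist"), set())
            entries.append(current)
        elif current is not None:
            current[2].update(CVE_RE.findall(line))
    return entries


def fixed_in(entries):
    """Map CVE id -> oldest version whose entry mentions it.

    Entries are newest first, so the last assignment wins and yields the
    revision that first carried the fix (later entries may re-mention a CVE,
    e.g. when a patch is swapped for the upstream one).
    """
    fixed = {}
    for version, _dist, cves in entries:
        for cve in cves:
            fixed[cve] = version
    return fixed


def triage(reported, entries):
    """Split a scanner's CVE list into (addressed {cve: version}, [unmentioned])."""
    fixed = fixed_in(entries)
    addressed = {c: fixed[c] for c in reported if c in fixed}
    unmentioned = sorted(c for c in reported if c not in fixed)
    return addressed, unmentioned


def triage_snap(reported, snap_root="/snap/core20/current"):
    """Run triage against a mounted snap (assumed path, same file xnox greps)."""
    path = Path(snap_root) / "usr/share/doc/openssl/changelog.Debian.gz"
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        return triage(reported, parse_changelog(fh.read()))


# Constructed sample changelog. The version "1.1.1f-1ubuntu2.OLDER" is a
# placeholder; which CVE was fixed in which real revision is NOT claimed here.
SAMPLE_CHANGELOG = """\
openssl (1.1.1f-1ubuntu2.22) focal-security; urgency=medium

  * SECURITY UPDATE: illustrative entry (constructed for this example)
    - debian/patches/CVE-2023-0464-1.patch: limit the number of nodes created
    - debian/patches/CVE-2023-0464-2.patch: add test cases for the policy
    - debian/patches/CVE-2023-0464-3.patch: disable the policy tree
    - CVE-2023-0464
    - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and
    - CVE-2022-1292

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

openssl (1.1.1f-1ubuntu2.OLDER) focal-security; urgency=medium

  * SECURITY UPDATE: illustrative entry (constructed for this example)
    - debian/patches/CVE-2022-4450-1.patch: avoid dangling ptrs in header
    - debian/patches/CVE-2022-4450-2.patch: add a test in test/pemtest.c.
    - CVE-2022-4450
    - debian/patches/CVE-2022-1292.patch: do not use shell to invoke
    - CVE-2022-1292

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000
"""

# CVE ids taken from the scanner report in the opening post.
REPORTED = ["CVE-2022-1292", "CVE-2023-0464", "CVE-2022-4450", "CVE-2021-3450"]

if __name__ == "__main__":
    addressed, unmentioned = triage(REPORTED, parse_changelog(SAMPLE_CHANGELOG))
    for cve, version in addressed.items():
        print(f"{cve}: fixed in {version} (backport; scanner matched upstream version)")
    for cve in unmentioned:
        print(f"{cve}: not in changelog, check the Ubuntu CVE tracker manually")
```

A CVE that is absent from the changelog is not automatically a true positive: the package may not be affected (the Ubuntu tracker marks such cases "not-affected"), or the fix may have landed without the id in the entry. The script only separates the findings the changelog can already explain from the ones that still need a human to look at the tracker.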

@vorlonofportland please redirect this to snapd/security/scanners team

xnox Aug 21 '24 16:08

@vorlonofportland please redirect this to snapd/security/scanners team

I'm unclear what you are asking to have redirected. This is a report from a third-party scanner giving inaccurate results for the core20 snap.

vorlonofportland Sep 09 '24 16:09

@vorlonofportland please redirect this to snapd/security/scanners team

I'm unclear what you are asking to have redirected. This is a report from a third-party scanner giving inaccurate results for the core20 snap.

If I'm not mistaken, there is a team of engineers and PMs working on integrating and improving scanner support for Ubuntu, as debs, snaps and chiselled, as it should work; most of these scanners have open-source core engines to which most distros contribute fixes to make them work. So the ask was to forward this to the correct current PM in charge of scanner support.

xnox Sep 10 '24 16:09