
[1.14] Fix 12/8/2023 CVEs #8977

Merged (3 commits, Dec 14, 2023)

Conversation

inFocus7
Contributor

Description

Fixing new CVEs caught

API changes

CI changes

Context

While working on the 1.14 CVEs, I caught a new one regarding the libssl library in alpine 3.17.3, which needed updating.

Testing steps

VERSION=<version> make docker -B
for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:<version>"; done

Before

quay.io/solo-io/gloo:v1.14.x-oss-prefix (alpine 3.17.5)
=======================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


quay.io/solo-io/gloo-envoy-wrapper:v1.14.x-oss-prefix (alpine 3.17.5)
=====================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


quay.io/solo-io/discovery:v1.14.x-oss-prefix (alpine 3.17.3)
============================================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ HIGH     │ 3.0.8-r3          │ 3.0.12-r0     │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
├────────────┤               │          │                   │               │                                                        │
│ libssl3    │               │          │                   │               │                                                        │
│            │               │          │                   │               │                                                        │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

quay.io/solo-io/ingress:v1.14.x-oss-prefix (alpine 3.17.3)
==========================================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ HIGH     │ 3.0.8-r3          │ 3.0.12-r0     │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
├────────────┤               │          │                   │               │                                                        │
│ libssl3    │               │          │                   │               │                                                        │
│            │               │          │                   │               │                                                        │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

quay.io/solo-io/sds:v1.14.x-oss-prefix (alpine 3.17.3)
======================================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ HIGH     │ 3.0.8-r3          │ 3.0.12-r0     │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
├────────────┤               │          │                   │               │                                                        │
│ libssl3    │               │          │                   │               │                                                        │
│            │               │          │                   │               │                                                        │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

quay.io/solo-io/certgen:v1.14.x-oss-prefix (alpine 3.17.3)
==========================================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ HIGH     │ 3.0.8-r3          │ 3.0.12-r0     │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
├────────────┤               │          │                   │               │                                                        │
│ libssl3    │               │          │                   │               │                                                        │
│            │               │          │                   │               │                                                        │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

quay.io/solo-io/access-logger:v1.14.x-oss-prefix (alpine 3.17.3)
================================================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ HIGH     │ 3.0.8-r3          │ 3.0.12-r0     │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
├────────────┤               │          │                   │               │                                                        │
│ libssl3    │               │          │                   │               │                                                        │
│            │               │          │                   │               │                                                        │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

quay.io/solo-io/kubectl:v1.14.x-oss-prefix (alpine 3.17.3)
==========================================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ HIGH     │ 3.0.10-r0         │ 3.0.12-r0     │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
├────────────┤               │          │                   │               │                                                        │
│ libssl3    │               │          │                   │               │                                                        │
│            │               │          │                   │               │                                                        │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

usr/local/bin/kubectl (gobinary)
================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬─────────────────────┬───────────────┬───────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │  Installed Version  │ Fixed Version │                   Title                   │
├────────────────────────────────┼───────────────┼──────────┼─────────────────────┼───────────────┼───────────────────────────────────────────┤
│ github.com/docker/distribution │ CVE-2023-2253 │ HIGH     │ v2.8.1+incompatible │ 2.8.2-beta.1  │ DoS from malicious API request            │
│                                │               │          │                     │               │ https://avd.aquasec.com/nvd/cve-2023-2253 │
└────────────────────────────────┴───────────────┴──────────┴─────────────────────┴───────────────┴───────────────────────────────────────────┘

After

quay.io/solo-io/gloo:v1.14.x-oss-postfix (alpine 3.17.5)
========================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


quay.io/solo-io/gloo-envoy-wrapper:v1.14.x-oss-postfix (alpine 3.17.5)
======================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


quay.io/solo-io/discovery:v1.14.x-oss-postfix (alpine 3.17.6)
=============================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


quay.io/solo-io/ingress:v1.14.x-oss-postfix (alpine 3.17.6)
===========================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


quay.io/solo-io/sds:v1.14.x-oss-postfix (alpine 3.17.6)
=======================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


quay.io/solo-io/certgen:v1.14.x-oss-postfix (alpine 3.17.6)
===========================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


quay.io/solo-io/access-logger:v1.14.x-oss-postfix (alpine 3.17.6)
=================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


quay.io/solo-io/kubectl:v1.14.x-oss-postfix (alpine 3.17.6)
===========================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/kubectl (gobinary)
================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬─────────────────────┬───────────────┬───────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │  Installed Version  │ Fixed Version │                   Title                   │
├────────────────────────────────┼───────────────┼──────────┼─────────────────────┼───────────────┼───────────────────────────────────────────┤
│ github.com/docker/distribution │ CVE-2023-2253 │ HIGH     │ v2.8.1+incompatible │ 2.8.2-beta.1  │ DoS from malicious API request            │
│                                │               │          │                     │               │ https://avd.aquasec.com/nvd/cve-2023-2253 │
└────────────────────────────────┴───────────────┴──────────┴─────────────────────┴───────────────┴───────────────────────────────────────────┘

Notes for reviewers

  • There was a CVE caught in the bitnami/kubectl image, although there aren't any newer releases there which we can upgrade to.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
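
The scan loop in the testing steps above produces the tables a reviewer compares by eye. As an added example (not code from this PR or from the Gloo project), the script below does that comparison on trivy's machine-readable output instead, so the same check can run in CI: it diffs a before/after pair of reports for one image, buckets HIGH/CRITICAL findings into blocking, accepted and unfixed, and fails only on fixable findings nobody has accepted, which is the situation the reviewer note describes for the kubectl binary. It assumes each image was scanned with `trivy image -f json --severity HIGH,CRITICAL <image>` and that the field names match trivy's JSON report schema; the two sample reports are constructed inline from the kubectl findings quoted above.

```python
"""Gate and diff trivy JSON reports for the images scanned above.

Assumes: trivy image -f json --severity HIGH,CRITICAL <image> > <image>.json
Field names follow trivy's JSON report schema (Results/Target/Vulnerabilities,
VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Title).
"""
import json
from typing import Dict, Iterator, List, Tuple

GATE_SEVERITIES = frozenset({"HIGH", "CRITICAL"})


def iter_findings(report: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (target, vulnerability) pairs; trivy emits "Vulnerabilities": null
    for a clean target, so the inner list is defaulted, never indexed."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def evaluate(report: dict, accepted: frozenset = frozenset()) -> Dict[str, List[tuple]]:
    """Sort HIGH/CRITICAL findings into merge-gate buckets.

    blocking: fixable and not accepted, the build should fail.
    accepted: IDs the team consciously accepted (same role as a .trivyignore),
              e.g. a fix that only exists in a release nobody has published.
    unfixed:  the advisory lists no fixed version; report it, do not block on it.
    """
    buckets: Dict[str, List[tuple]] = {"blocking": [], "accepted": [], "unfixed": []}
    for target, vuln in iter_findings(report):
        if vuln.get("Severity") not in GATE_SEVERITIES:
            continue
        entry = (target, vuln["VulnerabilityID"], vuln["PkgName"])
        if vuln["VulnerabilityID"] in accepted:
            buckets["accepted"].append(entry)
        elif not vuln.get("FixedVersion"):
            buckets["unfixed"].append(entry)
        else:
            buckets["blocking"].append(entry)
    return buckets


def diff_reports(before: dict, after: dict) -> Dict[str, List[Tuple[str, str]]]:
    """Compare two scans of one image taken before and after a change.
    Keyed on (vulnerability id, package), not Target, because the OS-package
    target embeds the image tag and so differs between the two builds."""
    old = {(v["VulnerabilityID"], v["PkgName"]) for _, v in iter_findings(before)}
    new = {(v["VulnerabilityID"], v["PkgName"]) for _, v in iter_findings(after)}
    return {"fixed": sorted(old - new), "remaining": sorted(old & new),
            "introduced": sorted(new - old)}


def _vuln(vid: str, pkg: str, installed: str, fixed: str, sev: str, title: str) -> dict:
    return {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": sev, "Title": title}


# Constructed sample reports shaped like trivy's JSON for the kubectl image in
# the tables above: the OS-package finding goes away with the base-image bump,
# the finding inside the statically linked Go binary does not.
_OPENSSL = [
    _vuln("CVE-2023-5363", "libcrypto3", "3.0.10-r0", "3.0.12-r0", "HIGH",
          "openssl: Incorrect cipher key and IV length processing"),
    _vuln("CVE-2023-5363", "libssl3", "3.0.10-r0", "3.0.12-r0", "HIGH",
          "openssl: Incorrect cipher key and IV length processing"),
]
_DISTRIBUTION = [
    _vuln("CVE-2023-2253", "github.com/docker/distribution", "v2.8.1+incompatible",
          "2.8.2-beta.1", "HIGH", "DoS from malicious API request"),
]
BEFORE_REPORT = {
    "SchemaVersion": 2, "ArtifactName": "quay.io/solo-io/kubectl:v1.14.x-oss-prefix",
    "Results": [
        {"Target": "quay.io/solo-io/kubectl:v1.14.x-oss-prefix (alpine 3.17.3)",
         "Class": "os-pkgs", "Type": "alpine", "Vulnerabilities": _OPENSSL},
        {"Target": "usr/local/bin/kubectl", "Class": "lang-pkgs",
         "Type": "gobinary", "Vulnerabilities": _DISTRIBUTION},
    ],
}
AFTER_REPORT = {
    "SchemaVersion": 2, "ArtifactName": "quay.io/solo-io/kubectl:v1.14.x-oss-postfix",
    "Results": [
        {"Target": "quay.io/solo-io/kubectl:v1.14.x-oss-postfix (alpine 3.17.6)",
         "Class": "os-pkgs", "Type": "alpine", "Vulnerabilities": None},
        {"Target": "usr/local/bin/kubectl", "Class": "lang-pkgs",
         "Type": "gobinary", "Vulnerabilities": _DISTRIBUTION},
    ],
}

if __name__ == "__main__":
    print(json.dumps(diff_reports(BEFORE_REPORT, AFTER_REPORT), indent=2))
    # Accept the Go-binary finding explicitly, as the reviewer note does, so the
    # gate passes on the fixed image while still printing what was accepted.
    gate = evaluate(AFTER_REPORT, accepted=frozenset({"CVE-2023-2253"}))
    print(json.dumps(gate, indent=2))
    raise SystemExit(1 if gate["blocking"] else 0)
```

Run it as-is to see the two summaries for the constructed kubectl pair; in a pipeline, replace the inline dicts with `json.load()` of the per-image files and keep the accepted set in version control next to the Dockerfiles, so an accepted finding is a reviewed decision with a diff rather than a silently ignored line in scanner output.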

inFocus7 added the labels "work in progress" (signals bulldozer to keep pr open (don't auto-merge)) and "keep pr updated" (signals bulldozer to keep pr up to date with base branch) on Dec 13, 2023
inFocus7 requested a review from a team as a code owner on December 13, 2023 15:33
inFocus7 removed the "work in progress" (signals bulldozer to keep pr open (don't auto-merge)) label on Dec 14, 2023
soloio-bulldozer (bot) merged commit e9b253d into v1.14.x on Dec 14, 2023
14 checks passed
soloio-bulldozer (bot) deleted the fix-cves-due-to-alpine-3.17.3 branch on December 14, 2023 19:30