CVE-2023-45142 (opentelemetry-go-contrib) #5602
Comments
After more investigation, it turns out that the issue does not affect the apiserver library, even when This is because the apiserver does not actually use otel to track metrics. No The conclusion for Antrea is the same: the issue does not affect us, even though scanners will keep reporting a vulnerability. We also don't need to worry when bumping up K8s dependencies.
…and CVE-2023-45142. Refer to issue antrea-io#5602: these CVEs don't affect Antrea, including prior versions of Antrea. This patch only removes warnings from CVE scanners. Signed-off-by: Bin Liu <biliu@vmware.com>
For CVE-2023-47108 and CVE-2023-45142. These CVEs don't affect Antrea, including prior versions of Antrea. This patch is only meant to avoid warnings from CVE scanners. See also #5602 Signed-off-by: Bin Liu <biliu@vmware.com>
This issue is informational only, and does not require any action from the Antrea Community. Antrea is not affected by CVE-2023-45142.
This CVE was published on 10/12/2023: https://nvd.nist.gov/vuln/detail/CVE-2023-45142
CVE scanners are reporting this vulnerability in all supported Antrea versions, including Antrea v1.13. The vulnerability is detected in Antrea Go binaries.
What is the vulnerability?
The vulnerability affects programs that use otelhttp.NewHandler without filtering requests. An attacker can craft malicious HTTP requests with unknown HTTP methods or User-Agents, leading to potential memory exhaustion. The vulnerability exists in all versions of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp prior to v0.44.0, and no patch has been backported at the time of writing (10/18/2023). Antrea currently uses v0.35.0.
Does it actually affect Antrea?
Antrea uses the K8s apiserver library to implement its own API server (for both the Controller and the Agent). At the moment Antrea uses version v0.26.4 of the library (antrea/go.mod, line 72 at commit 016f6b5).
The apiserver library uses otelhttp.NewHandler as is: https://github.com/kubernetes/apiserver/blob/d3e415393e7e3642d9e6bb2a445385fd5e0e10bd/pkg/endpoints/filters/traces.go#L37
However, this code is gated by the APIServerTracing FeatureGate: https://github.com/kubernetes/apiserver/blob/d3e415393e7e3642d9e6bb2a445385fd5e0e10bd/pkg/server/config.go#L895-L897
Note that this is an apiserver FeatureGate. It is not an Antrea FeatureGate, and it is not possible to enable or disable this FeatureGate by mutating the configuration for the Antrea Agent or Controller.
In K8s v1.26, the APIServerTracing FeatureGate is Alpha and disabled by default. This means that when we import version v0.26.4 of the apiserver module, the FeatureGate is automatically disabled, and it is not possible for users to enable it: https://github.com/kubernetes/apiserver/blob/d3e415393e7e3642d9e6bb2a445385fd5e0e10bd/pkg/features/kube_features.go#L79
As a result, no Antrea version (including Antrea v1.11, v1.12, v1.13 and the upcoming Antrea v1.14) is affected by this CVE.
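The risk the advisory describes (client-chosen HTTP methods and User-Agents turning into metric labels) and the mitigation it names (filtering requests before they are instrumented) can be shown concretely. The following is an added Go example written for this page; it is not code from Antrea, the apiserver or otelhttp and uses only the standard library. A toy `Recorder` stands in for the per-label-set state an instrumented handler keeps, the `Filter` type only mirrors the shape of a request filter, and `UnboundedKey`, `BoundedKey` and the `_OTHER_` bucket are names chosen here. All requests are constructed in-process.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// knownMethods is the fixed vocabulary an HTTP method label may take. Anything
// else is client-controlled text and must not become a new metric series.
var knownMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// Filter has the shape of a request filter: true means "record this request",
// false means "serve it, but keep it out of the instrumentation".
type Filter func(*http.Request) bool

// KnownMethodFilter records only requests whose method is in the allowlist.
func KnownMethodFilter(r *http.Request) bool { return knownMethods[r.Method] }

// Recorder stands in for the per-label-set state an instrumented handler keeps
// (counters, histograms); its memory footprint grows with len(series).
// A real recorder would guard the map with a mutex; this one is single-threaded.
type Recorder struct {
	series map[string]int
	key    func(*http.Request) string // builds the label set for a request
}

func NewRecorder(key func(*http.Request) string) *Recorder {
	return &Recorder{series: map[string]int{}, key: key}
}

func (rec *Recorder) record(r *http.Request) { rec.series[rec.key(r)]++ }

// SeriesCount is the number of distinct label sets currently held in memory.
func (rec *Recorder) SeriesCount() int { return len(rec.series) }

// UnboundedKey is the risky pattern: the raw method and User-Agent, both chosen
// by the client, become part of the label set.
func UnboundedKey(r *http.Request) string { return r.Method + "|" + r.UserAgent() }

// BoundedKey keeps a single fixed-vocabulary label (a known method or "_OTHER_")
// and does not use the User-Agent as a label at all.
func BoundedKey(r *http.Request) string {
	if knownMethods[r.Method] {
		return r.Method
	}
	return "_OTHER_"
}

// Instrument wraps next the way an instrumented handler would, consulting the
// filter first so that excluded requests are served without being recorded.
func Instrument(next http.Handler, rec *Recorder, f Filter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if f == nil || f(r) {
			rec.record(r)
		}
		next.ServeHTTP(w, r)
	})
}

// RunComparison sends n constructed in-process requests (every one with a
// never-seen User-Agent, every second one with an unknown method) through three
// configurations and returns how many series each ended up holding.
func RunComparison(n int) (naive, filtered, bounded int) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	recs := []*Recorder{NewRecorder(UnboundedKey), NewRecorder(UnboundedKey), NewRecorder(BoundedKey)}
	handlers := []http.Handler{
		Instrument(ok, recs[0], nil),               // raw labels, no filter
		Instrument(ok, recs[1], KnownMethodFilter), // raw labels, method filter
		Instrument(ok, recs[2], nil),               // bounded labels, no filter
	}
	for i := 0; i < n; i++ {
		method := http.MethodGet
		if i%2 == 1 {
			method = fmt.Sprintf("M%d", i) // a syntactically valid but unknown method
		}
		for _, h := range handlers {
			req := httptest.NewRequest(method, "/healthz", nil)
			req.Header.Set("User-Agent", fmt.Sprintf("ua-%d", i))
			h.ServeHTTP(httptest.NewRecorder(), req)
		}
	}
	return recs[0].SeriesCount(), recs[1].SeriesCount(), recs[2].SeriesCount()
}

func main() {
	naive, filtered, bounded := RunComparison(1000)
	fmt.Printf("raw labels, no filter:     %d series\n", naive)    // 1000
	fmt.Printf("raw labels, method filter: %d series\n", filtered) // 500
	fmt.Printf("bounded labels, no filter: %d series\n", bounded)  // 2
}
```

With 1000 requests the raw configuration holds 1000 series, the method-filtered one still holds 500 (the unique User-Agents on the GET requests create a series each), and the bounded one holds 2. A filter therefore has to cover every client-controlled label, or the label vocabulary itself must be bounded as in the third configuration.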
Caution required from Antrea maintainers in the future
Some caution will be required when bumping up K8s dependencies in Antrea. The APIServerTracing FeatureGate was promoted to Beta (and enabled by default) in K8s v1.27. Once the FeatureGate is enabled, the issue exists even when no tracing config is provided (OpenTelemetry runs in passthrough mode, and still collects problematic metrics). That means that when we bump up our K8s dependencies in the future, we should try ensuring that a more recent version of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp is also used. OpenTelemetry dependencies were recently updated for K8s top-of-tree (see kubernetes/kubernetes#121111), but the current version of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (v0.42.0) still suffers from the vulnerability.
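One way for maintainers to verify a built binary after such a dependency bump, as an added Go example (written for this page, not Antrea's tooling): it reads the module list that `go version -m <binary>` prints and flags an embedded otelhttp older than v0.44.0, the first version the advisory names as unaffected. `SampleGoVersionOutput` is a constructed stand-in for that command's output with placeholder module sums; the module path and the v0.35.0 / v0.26.4 versions are the ones cited above.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"strings"
)

// OtelhttpModule is the module path named in the advisory; FixedVersion is the
// first release the advisory describes as no longer affected.
const (
	OtelhttpModule = "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
	FixedVersion   = "v0.44.0"
)

// SampleGoVersionOutput is a constructed stand-in for `go version -m <binary>`.
// Module sums are placeholders; the versions match the ones discussed above.
const SampleGoVersionOutput = `/usr/local/bin/antrea-agent: go1.20.8
	path	antrea.io/antrea/cmd/antrea-agent
	mod	antrea.io/antrea	(devel)
	dep	k8s.io/apiserver	v0.26.4	h1:PLACEHOLDER_SUM=
	dep	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.35.0	h1:PLACEHOLDER_SUM=
`

// FindModuleVersion scans `go version -m` output for the dep line naming module
// and returns its version. Dep lines look like "\tdep\t<path>\t<version>\t<sum>".
func FindModuleVersion(out, module string) (string, bool) {
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) >= 3 && fields[0] == "dep" && fields[1] == module {
			return fields[2], true
		}
	}
	return "", false
}

// version is a parsed "vMAJOR.MINOR.PATCH" with a flag for a pre-release or
// pseudo-version suffix (e.g. "v0.44.0-rc.1", "v0.43.1-0.20230101000000-abcdef").
type version struct {
	nums [3]int
	pre  bool
}

func parseVersion(v string) (version, error) {
	var out version
	core := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		out.pre = core[i] == '-' // '+' is build metadata, not a pre-release
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unrecognised version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised version %q", v)
		}
		out.nums[i] = n
	}
	return out, nil
}

// VersionLess reports whether a sorts before b: numerically by major, minor,
// patch, and a pre-release of X sorts before the release X.
func VersionLess(a, b string) (bool, error) {
	va, err := parseVersion(a)
	if err != nil {
		return false, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return false, err
	}
	for i := range va.nums {
		if va.nums[i] != vb.nums[i] {
			return va.nums[i] < vb.nums[i], nil
		}
	}
	return va.pre && !vb.pre, nil
}

// Check returns the embedded otelhttp version and whether it predates the fix.
// A binary that does not embed otelhttp at all is reported as not affected.
func Check(goVersionOutput string) (ver string, affected bool, err error) {
	v, ok := FindModuleVersion(goVersionOutput, OtelhttpModule)
	if !ok {
		return "", false, nil
	}
	less, err := VersionLess(v, FixedVersion)
	return v, less, err
}

func main() {
	out := SampleGoVersionOutput
	if len(os.Args) > 1 { // real use: pass the path of a built Go binary
		b, err := exec.Command("go", "version", "-m", os.Args[1]).Output()
		if err != nil {
			fmt.Fprintln(os.Stderr, "go version -m failed:", err)
			os.Exit(2)
		}
		out = string(b)
	}
	v, affected, err := Check(out)
	switch {
	case err != nil:
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	case v == "":
		fmt.Println("otelhttp not embedded in this binary")
	case affected:
		fmt.Printf("otelhttp %s embedded: older than %s, scanners will flag it\n", v, FixedVersion)
	default:
		fmt.Printf("otelhttp %s embedded: %s or newer\n", v, FixedVersion)
	}
}
```

Run it with no arguments to see the constructed sample evaluated, or with the path of a binary to run `go version -m` on it. Remember that the version check alone says nothing about exposure: as explained above, the instrumented handler is only reached when the apiserver's APIServerTracing FeatureGate is enabled, which is why a flagged version can still be a non-issue for Antrea.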