Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m9f-pj6w-w87g #1736

Closed
GoVulnBot opened this issue Apr 24, 2023 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m9f-pj6w-w87g #1736

GoVulnBot opened this issue Apr 24, 2023 · 3 comments
Assignees
@zpavlinovic
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-6m9f-pj6w-w87g, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/rancher/rancher 2.7.3 >= 2.6.0, < 2.7.3

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/rancher/rancher
    versions:
      - introduced: 2.6.0
        fixed: 2.7.3
    packages:
      - package: github.com/rancher/rancher
summary: Rancher Webhook is misconfigured during upgrade process
description: "### Impact\n\nA failure in the update logic of Rancher's admission Webhook
    may lead to the misconfiguration of the Webhook. This component enforces validation
    rules and security checks before resources are admitted into the Kubernetes cluster.\n\nWhen
    the Webhook is operating in a degraded state, it no longer validates any resources,
    which may result in severe privilege escalations and data corruption.\n\nThe issue
    only affects users that upgrade from `2.6.x` or `2.7.x` to `2.7.2`. Users that
    did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected.\n\nThe
    command below can be executed on the `local` cluster to determine whether the
    cluster is affected by this issue:\n\n```sh\n$ kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io
    rancher.cattle.io\n\nNAME                WEBHOOKS   AGE\nrancher.cattle.io   0
    \        19h\n```\n\nIf the resulting webhook quantity is `0`, the Rancher instance
    is affected.\n\n### Patches\n\nPatched versions include release `2.7.3` and later
    versions.\n\n### Workarounds\n\nIf you are affected and cannot update to a patched
    Rancher version, the recommended workaround is to manually reconfigure the Webhook
    with the script below. Please note that the script must be run from inside the
    `local` cluster or with a kubeconfig pointing to the `local` cluster which has
    admin permissions.\n\n```yaml\n#!/bin/bash\n\nset -euo pipefail\n\nfunction prereqs()
    {\n    if ! [ -x \"$(command -v kubectl)\" ]; then\n      echo \"error: kubectl
    is not installed.\" >&2\n      exit 1\n    fi\n\n    if [[ -z \"$(kubectl config
    view -o jsonpath='{.clusters[].cluster.server}')\" ]]; then\n        echo \"error:
    No kubernetes cluster found on kubeconfig.\" >&2\n        exit 1\n    fi\n}\n\nfunction
    restart_deployment(){\n    kubectl rollout restart deployment rancher-webhook
    -n cattle-system\n    kubectl rollout status deployment rancher-webhook -n cattle-system
    --timeout=30s\n}\n\nfunction workaround() {\n    echo \"Cluster: $(kubectl config
    view -o jsonpath='{.clusters[].cluster.server}')\"\n\n    if ! kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io
    rancher.cattle.io > /dev/null 2>&1; then\n        echo \"webhook rancher.cattle.io
    not found, restarting deployment:\"\n        restart_deployment\n\n        echo
    \"waiting for webhook configuration\"\n        sleep 15s\n    fi\n\n    local
    -i webhooks\n    webhooks=\"$(kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io
    rancher.cattle.io --no-headers | awk '{ print $2 }')\"\n\n    if [ \"${webhooks}\"
    == \"0\" ]; then\n        echo \"Webhook misconfiguration status: Cluster is affected
    by CVE-2023-22651\"\n        \n        echo \"Running workaround:\"\n        kubectl
    delete validatingwebhookconfiguration rancher.cattle.io\n        restart_deployment\n\n
    \       ret=$?\n        if [ $ret -eq 0 ]; then\n            echo \"Webhook restored,
    CVE-2023-22651 is fixed\"\n        else\n            echo \"error trying to restart
    deployment. try again in a few seconds.\"\n        fi\n    else\n        echo
    \"Webhook misconfiguration status: not present (skipping)\"\n    fi\n\n    echo
    \"Done\"\n}\n\nfunction main() {\n    prereqs\n    workaround\n}\n\nmain\n```\n\n###
    For more information\nIf you have any questions or comments about this advisory:\n\n-
    Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy)
    for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose)
    repository.\n- Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/)
    and [product support lifecycle](https://www.suse.com/lifecycle/)."
cves:
  - CVE-2023-22651
ghsas:
  - GHSA-6m9f-pj6w-w87g
references:
  - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-6m9f-pj6w-w87g
  - web: https://github.com/rancher/rancher/releases/tag/v2.7.3
  - advisory: https://github.com/advisories/GHSA-6m9f-pj6w-w87g
@zpavlinovic zpavlinovic self-assigned this Apr 24, 2023
@zpavlinovic zpavlinovic added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Apr 25, 2023
@zpavlinovic
Copy link
Contributor

The fix is for a server code located in a different module and in a package that is not imported by anyone.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/488995 mentions this issue: data/excluded: batch add GO-2023-1738, GO-2023-1736, GO-2023-1743, GO-2023-1742, GO-2023-1741, GO-2023-1740, GO-2023-1739

@GoVulnBot GoVulnBot mentioned this issue May 4, 2023
Closed
This was referenced Jun 1, 2023
Closed
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Jul 11, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Jul 25, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Aug 2, 2023
Closed
This was referenced Feb 8, 2024
Closed
Closed
This was referenced Apr 24, 2024
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

This was referenced Jun 17, 2024
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Sep 26, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Oct 15, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Oct 25, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Oct 25, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zpavlinovic zpavlinovic

Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zpavlinovic @gopherbot @GoVulnBot