Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sriov-network-device-plugin v3.3.2 container image security vulnerabilities #407

Open
supreeth90 opened this issue Feb 17, 2022 · 6 comments
Open

sriov-network-device-plugin v3.3.2 container image security vulnerabilities #407

supreeth90 opened this issue Feb 17, 2022 · 6 comments

Comments

@supreeth90
Copy link

supreeth90 commented Feb 17, 2022
edited

What happened?

HIGH and CRITICAL vulnerabilities found in ssriov-network-device-plugin v3.3.2 container image(ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2)

REPORT:

$ trivy i --no-progress -s HIGH,CRITICAL  --vuln-type os  --exit-code 1 ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2
2022-02-17T00:02:01.194Z	INFO	Detected OS: alpine
2022-02-17T00:02:01.195Z	INFO	Detecting Alpine vulnerabilities...

ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2 (alpine 3.12.7)
**Total: 23 (HIGH: 20, CRITICAL: 3)**

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools    | CVE-2021-36159   | CRITICAL | 2.10.6-r0         | 2.10.7-r0     | libfetch before 2021-07-26, as        |
|              |                  |          |                   |               | used in apk-tools, xbps, and          |
|              |                  |          |                   |               | other products, mishandles...         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36159 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| busybox      | CVE-2021-42378   | HIGH     | 1.31.1-r20        | 1.31.1-r21    | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-3711    | CRITICAL | 1.1.1k-r0         | 1.1.1l-r0     | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-3712    | HIGH     |                   |               | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+--------------+------------------+----------+                   +               +---------------------------------------+
| libssl1.1    | CVE-2021-3711    | CRITICAL |                   |               | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-3712    | HIGH     |                   |               | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| ssl_client   | CVE-2021-42378   |          | 1.31.1-r20        | 1.31.1-r21    | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

What did you expect to happen?

0 HIGH and CRITICAL security vulnerabilities

What are the minimal steps needed to reproduce the bug?

By running trivy i --no-progress -s HIGH,CRITICAL --vuln-type os --exit-code 1 ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2

Component Versions

Please fill in the below table with the version numbers of components used.

Component Version
SR-IOV Network Device Plugin 3.3.2
SR-IOV CNI Plugin
Multus
Kubernetes 1.20.15
OS

Config Files

Config file locations may be config dependent.

Device pool config file location (Try '/etc/pcidp/config.json')
Multus config (Try '/etc/cni/multus/net.d')
CNI config (Try '/etc/cni/net.d/')
Kubernetes deployment type ( Bare Metal, Kubeadm etc.)
Kubeconfig file
SR-IOV Network Custom Resource Definition

Logs

SR-IOV Network Device Plugin Logs (use kubectl logs $PODNAME)
Multus logs (If enabled. Try '/var/log/multus.log' )
Kubelet logs (journalctl -u kubelet)
@rollandf
Copy link
Contributor

rollandf commented Mar 7, 2022

I will take a look

@zshi-redhat
Copy link
Collaborator

/cc @bn222

@bn222
Copy link
Contributor

bn222 commented Mar 8, 2022

While you're right that v3.3.2 has the vulnerabilities:

trivy i --no-progress -s HIGH,CRITICAL --vuln-type os --exit-code 1 ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2

If you check the latest version, it does not have any:

trivy i --no-progress -s HIGH,CRITICAL --vuln-type os --exit-code 1 ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin

@zshi-redhat
Copy link
Collaborator

Cosing the issue since it doesn't exist in master.

@supreeth90 thanks for reporting the issues!
v3.3.2 is a tag, we don't maitain branch for it.
It is recommended to upgrade to latest version.
I'm closing it now, feel free to re-open if you think otherwise.

@adrianchiris
Copy link
Contributor

@bn222 we are pinning alpine version to 3.12 in Dockerfile, ran trivy on my local setup and it still hit those issues.

will submit PR to update Dockerfiles.

@adrianchiris adrianchiris mentioned this issue Mar 20, 2022
Merged
@adrianchiris adrianchiris reopened this Mar 20, 2022
@SchSeba
Copy link
Collaborator

SchSeba commented Aug 11, 2022

@adrianchiris @rollandf can we try to switch the image to centos or something else?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@supreeth90 @SchSeba @zshi-redhat @rollandf @adrianchiris @bn222