Update module github.com/crossplane/crossplane to v1.11.5 [SECURITY] - autoclosed #119

@renovate renovate bot commented Jun 9, 2023

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| github.com/crossplane/crossplane | v1.10.0 -> v1.11.5 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2023-27484

Summary

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified a vulnerability in the fieldpath package from crossplane/crossplane-runtime that an already highly privileged Crossplane user able to create or update Compositions could leverage to cause an out of memory panic in Crossplane.

Details

Compositions allow users to specify patches inserting elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, patches are evaluated and if a specified index is greater than the current size of the target slice, that slice's size will be increased to the specified index, which could lead to an excessive amount of memory usage and therefore the Pod being OOM-Killed. The index is already capped to the maximum value for a uint32 (4294967295) when parsed, but that is still an unnecessarily large value.

Workaround

Users can restrict write privileges on Compositions to only admin users as a workaround.

CVE-2023-38495

Impact

Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package.

Patches

The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0, all the supported versions of Crossplane at the time of writing.

Workarounds

Only using images from trusted sources and keeping Package editing/creating privileges to administrators only, both of which should already be considered best practices.

References

See ADA-XP-23-11 in the Security Audit's report.

Credits

This was reported as ADA-XP-23-11 by @​AdamKorcz and @​DavidKorczynski from Ada Logic and facilitated by OSTIF as part of the Security Audit sponsored by CNCF.

CVE-2023-37900

Impact

A high-privileged user could create a Package referencing an arbitrarily large image containing that Crossplane would then parse, possibly resulting in exhausting all the available memory and therefore in the container being OOMKilled.

The impact is low due to the high privileges required to be able to create the Package and the eventually consistent nature of the controller.

Patches

The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0, all the supported versions of Crossplane at the time of writing.

Workarounds

Only using images from trusted sources and keeping Package editing/creating privileges to administrators only, both of which should already be considered best practices.

References

See ADA-XP-23-16 in the Security Audit's report.

Credits

This was reported as ADA-XP-23-16 by @​AdamKorcz and @​DavidKorczynski from Ada Logic and facilitated by OSTIF as part of the Security Audit sponsored by CNCF.


Release Notes

crossplane/crossplane (github.com/crossplane/crossplane)

v1.11.5

Compare Source

v1.11.5 addresses a few security issues shared during the security audit by Ada Logic and facilitated by OSTIF, sponsored by CNCF. See the report for more details.

Notable changes

  • Fix composition functions to be able to run with unconfined AppArmor profile.
  • Security fixes, see the report for more details.

What's Changed

Full Changelog: crossplane/crossplane@v1.11.4...v1.11.5

v1.11.4

Compare Source

v1.11.4 addresses a few minor bugs and bumps a few dependencies to address vulnerabilities image scanners might have reported.

Notable changes

  • Clarified the ControllerConfig deprecation message, highlighting that it's not going to be removed until a better option is available and a clear migration path has been well documented and publicly shared. Reduced also the number of times the message is shown to reduce noise.
  • Bumped a few dependencies to remove the number of HIGH CVEs reported by image scanners.

What's Changed

Full Changelog: crossplane/crossplane@v1.11.3...v1.11.4

v1.11.3

Compare Source

v1.11.3 is a scoped patch release that focuses on an issue that was preventing the alpha feature of Composition Functions from successfully running in certain environments that have a version of crun of 1.8+ (issue #​3807). This release should unblock the general testing and feedback on Composition Functions again. Thank you @​AndrewChubatiuk for contributing this fix!

What's Changed

Full Changelog: crossplane/crossplane@v1.11.2...v1.11.3

v1.11.2

Compare Source

v1.11.2 bumps the crossplane-runtime version, in order to address a Crossplane vulnerability, caused by GHSA-vfvj-3m3g-m532.
These vulnerabilities were discovered thanks to the fuzz tests added to the Crossplane project by Ada Logics as part of a security audit sponsored by the CNCF.

What's Changed

Full Changelog: crossplane/crossplane@v1.11.1...v1.11.2

v1.11.1

Compare Source

v1.11.1 contains a fix for Composition Functions causing extra resources to be created (#​3774), applies the --pollInterval CLI argument to the Claim and Composite reconcilers (#​3773), and adds the Composite Kind and APIVersion information to the kubectl get output columns for Compositions and CompositionRevisions. Additional dependency and CI updates are also included.

What's Changed

Full Changelog: crossplane/crossplane@v1.11.0...v1.11.1

v1.11.0

Compare Source

Release v1.11.0 is a regularly scheduled quarterly release that includes many exciting features that have been highly requested by the Crossplane community, such as Composition Functions, EnvironmentConfig, and promoting CompositionRevisions to beta.

Additionally, this v1.11.0 release includes a major documentation rewrite based on direct feedback from Crossplane users, and also focuses on stability fixes and design investigations.

New Features

  • Composition Function support introduced in alpha by @​negz in https://github.com/crossplane/crossplane/pull/2886. You are now able to write your own custom composition logic, in any programming language of your choice, to augment Crossplane’s built-in patching and transform capabilities.
  • EnvironmentConfig support introduced in alpha by @​MisterMX in https://github.com/crossplane/crossplane/pull/3007. It’s now possible to patch resources within a Composition by using configuration data from the general runtime environment, as opposed to being constrained to information available within a single composite resource.
  • Promoted CompositionRevisions to v1beta1 and are now enabled by default by @​ezgidemirel in https://github.com/crossplane/crossplane/pull/3453. CompositionRevisions have been improved with feedback from the community and are now stabilized and ready for general production usage.
  • The Crossplane documentation website has been redesigned to give users of Crossplane a better educational experience, whether they are new to the project or more advanced. Check out the new docs site at https://docs.crossplane.io/ and let us know your feedback in the docs repo!

Notable Updates

What's Changed

New Contributors

Full Changelog: crossplane/crossplane@v1.10.0...v1.11.0

v1.10.4

Compare Source

v1.10.4 bumps a few dependencies to address vulnerabilities image scanners might have reported.

Notable changes

  • Bumped a few dependencies to remove the number of HIGH CVEs reported by image scanners.

What's Changed

Full Changelog: crossplane/crossplane@v1.10.3...v1.10.4

v1.10.3

Compare Source

v1.10.3 bumps the crossplane-runtime version, in order to address a Crossplane vulnerability, caused by GHSA-vfvj-3m3g-m532.
These vulnerabilities were discovered thanks to the fuzz tests added to the Crossplane project by Ada Logics as part of a security audit sponsored by the CNCF.

What's Changed

Full Changelog: crossplane/crossplane@v1.10.2...v1.10.3

v1.10.2

Compare Source

The v1.10.2 release includes fixes for restoring the documented packagePullPolicy: Always behavior (https://github.com/crossplane/crossplane/pull/3581) as well as a follow-up fix to https://github.com/crossplane/crossplane/pull/3426 for constantly enqueued reconciles for ProviderRevisions marked as Inactive (https://github.com/crossplane/crossplane/pull/3582). There were also numerous documentation fixes and minor dependency updates.

What's Changed


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
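The slice growth described under CVE-2023-27484 above, as an added Go example that is not part of this PR or of Crossplane's own code: it computes what an uncapped "grow to index" policy would allocate and shows a setter that rejects oversized indexes first. The names `maxIndex`, `growthCost` and `setAtIndex` are hypothetical, and the limit of 1024 is an assumed value chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// maxIndex is an assumed limit for this example, not a value taken from Crossplane.
const maxIndex = 1024

var errIndexTooLarge = errors.New("index exceeds maximum allowed array index")

// growthCost returns how many elements an uncapped "grow to index" policy
// would have to allocate for a patch at idx, without allocating them.
func growthCost(curLen int, idx uint32) uint64 {
	if uint64(idx) < uint64(curLen) {
		return 0
	}
	return uint64(idx) + 1 - uint64(curLen)
}

// setAtIndex writes v at idx, growing the slice when needed, but refuses
// any index above maxIndex so a single patch cannot force a huge allocation.
func setAtIndex(s []interface{}, idx uint32, v interface{}) ([]interface{}, error) {
	if idx > maxIndex {
		return s, fmt.Errorf("index %d: %w", idx, errIndexTooLarge)
	}
	if int(idx) >= len(s) {
		grown := make([]interface{}, int(idx)+1)
		copy(grown, s)
		s = grown
	}
	s[idx] = v
	return s, nil
}

func main() {
	// Constructed input: a two-element array and a patch at the uint32 maximum.
	arr := []interface{}{"a", "b"}
	fmt.Println("elements an uncapped grow would allocate:", growthCost(len(arr), 4294967295))
	if _, err := setAtIndex(arr, 4294967295, "x"); err != nil {
		fmt.Println("rejected:", err)
	}
	arr, _ = setAtIndex(arr, 5, "f")
	fmt.Println(len(arr), arr)
}
```

The check runs before `make`, so the rejection costs nothing; validating after the allocation would leave the memory pressure in place.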

@renovate renovate bot added the automated label Jun 9, 2023
@renovate renovate bot changed the title Update module github.com/crossplane/crossplane to v1.10.3 [SECURITY] Update module github.com/crossplane/crossplane to v1.10.3 [SECURITY] - autoclosed Jun 12, 2023
@renovate renovate bot closed this Jun 12, 2023
@renovate renovate bot deleted the renovate/go-git.luolix.top/crossplane/crossplane-vulnerability branch June 12, 2023 13:38
@renovate renovate bot changed the title Update module github.com/crossplane/crossplane to v1.10.3 [SECURITY] - autoclosed Update module github.com/crossplane/crossplane to v1.10.3 [SECURITY] Jun 13, 2023
@renovate renovate bot reopened this Jun 13, 2023
@renovate renovate bot restored the renovate/go-git.luolix.top/crossplane/crossplane-vulnerability branch June 13, 2023 00:47
@renovate renovate bot force-pushed the renovate/go-git.luolix.top/crossplane/crossplane-vulnerability branch from 183ad53 to 59b8b46 Compare June 13, 2023 00:47
@renovate renovate bot force-pushed the renovate/go-git.luolix.top/crossplane/crossplane-vulnerability branch from 59b8b46 to daef4ef Compare July 9, 2023 10:37
@renovate renovate bot force-pushed the renovate/go-git.luolix.top/crossplane/crossplane-vulnerability branch from daef4ef to 1585589 Compare July 28, 2023 19:47
@renovate renovate bot changed the title Update module github.com/crossplane/crossplane to v1.10.3 [SECURITY] Update module github.com/crossplane/crossplane to v1.11.5 [SECURITY] Jul 28, 2023
@renovate renovate bot force-pushed the renovate/go-git.luolix.top/crossplane/crossplane-vulnerability branch from 1585589 to 85211e5 Compare March 7, 2024 14:56
@renovate renovate bot changed the title Update module github.com/crossplane/crossplane to v1.11.5 [SECURITY] Update module github.com/crossplane/crossplane to v1.11.5 [SECURITY] - autoclosed Aug 6, 2024
@renovate renovate bot closed this Aug 6, 2024
@renovate renovate bot deleted the renovate/go-git.luolix.top/crossplane/crossplane-vulnerability branch August 6, 2024 07:38