[BUG] CVE-2022-2068, CVE-2022-1292 #8576

Open
warchal-tomasz opened this issue May 15, 2024 · 5 comments
Labels
kind/bug; require/backport (Require backport. Only used when the specific versions to backport have not been defined.); require/qa-review-coverage (Require QA to review coverage)

Comments

@warchal-tomasz

Describe the bug

CVE-2022-2068 and CVE-2022-1292 have been found in Longhorn v1.6.0 images by the Brinqa scanner.

To Reproduce

Install Longhorn v1.6.0 with Helm.

k3s crictl ps
CONTAINER           IMAGE               CREATED             STATE               NAME                       ATTEMPT             POD ID              POD
13c6c5b1cff4a       9f4c1b666bd8c       3 days ago          Running             longhorn-csi-plugin        14                  8a35b5a19cecf       longhorn-csi-plugin-kl8zt
2e64ec0f186b4       9f4c1b666bd8c       3 days ago          Running             longhorn-manager           7                   0940456ab3c80       longhorn-manager-cx6c2
9e859793f458b       f772ce9ba10a4       3 days ago          Running             engine-image-ei-acb7590c   7                   0987b3ffa0ae5       engine-image-ei-acb7590c-xlfnz
d90e0c906295f       2e4eb3ba8dca0       3 days ago          Running             instance-manager           0                   64b553144b3e5       instance-manager-2e175aa07509ec12832b39060d7e7804

k3s crictl images
IMAGE                                                    TAG                 IMAGE ID            SIZE
docker.io/longhornio/longhorn-manager                    v1.6.0              9f4c1b666bd8c       111MB
docker.io/longhornio/longhorn-engine                     v1.6.0              f772ce9ba10a4       136MB
docker.io/longhornio/longhorn-instance-manager           v1.6.0              2e4eb3ba8dca0       269MB

Brinqa scanner outputs

CVE-2022-1292
Description:

The version of OpenSSL installed on the remote host is prior to 1.1.1o. It is, therefore, affected by a vulnerability as referenced in the 1.1.1o advisory.

  - The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). (CVE-2022-1292)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Output:

  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/13c6c5b1cff4a3b187c0775d7893ec799f5efb9dc866a52dab8baf428e367f00/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/13c6c5b1cff4a3b187c0775d7893ec799f5efb9dc866a52dab8baf428e367f00/rootfs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/13c6c5b1cff4a3b187c0775d7893ec799f5efb9dc866a52dab8baf428e367f00/rootfs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/2e64ec0f186b4a83d270478ea0f84f013368514fd5b39d95343056946e989898/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/2e64ec0f186b4a83d270478ea0f84f013368514fd5b39d95343056946e989898/rootfs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/2e64ec0f186b4a83d270478ea0f84f013368514fd5b39d95343056946e989898/rootfs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/9e859793f458b26fc0fa4cdab2112087da192bcb464187178a9dad4e3456200e/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/9e859793f458b26fc0fa4cdab2112087da192bcb464187178a9dad4e3456200e/rootfs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/9e859793f458b26fc0fa4cdab2112087da192bcb464187178a9dad4e3456200e/rootfs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/d90e0c906295fa84b8307c3fac726a8070ae99516619fe2ef02b2a44b28b4b8d/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/d90e0c906295fa84b8307c3fac726a8070ae99516619fe2ef02b2a44b28b4b8d/rootfs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/d90e0c906295fa84b8307c3fac726a8070ae99516619fe2ef02b2a44b28b4b8d/rootfs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/313/fs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/313/fs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/313/fs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o

CVE-2022-2068
Description:

The version of OpenSSL installed on the remote host is prior to 1.1.1p. It is, therefore, affected by a vulnerability as referenced in the 1.1.1p advisory.

  - In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze). (CVE-2022-2068)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Output:

  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/13c6c5b1cff4a3b187c0775d7893ec799f5efb9dc866a52dab8baf428e367f00/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/13c6c5b1cff4a3b187c0775d7893ec799f5efb9dc866a52dab8baf428e367f00/rootfs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/13c6c5b1cff4a3b187c0775d7893ec799f5efb9dc866a52dab8baf428e367f00/rootfs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/2e64ec0f186b4a83d270478ea0f84f013368514fd5b39d95343056946e989898/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/2e64ec0f186b4a83d270478ea0f84f013368514fd5b39d95343056946e989898/rootfs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/2e64ec0f186b4a83d270478ea0f84f013368514fd5b39d95343056946e989898/rootfs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/9e859793f458b26fc0fa4cdab2112087da192bcb464187178a9dad4e3456200e/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/9e859793f458b26fc0fa4cdab2112087da192bcb464187178a9dad4e3456200e/rootfs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/9e859793f458b26fc0fa4cdab2112087da192bcb464187178a9dad4e3456200e/rootfs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/d90e0c906295fa84b8307c3fac726a8070ae99516619fe2ef02b2a44b28b4b8d/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/d90e0c906295fa84b8307c3fac726a8070ae99516619fe2ef02b2a44b28b4b8d/rootfs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/d90e0c906295fa84b8307c3fac726a8070ae99516619fe2ef02b2a44b28b4b8d/rootfs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/313/fs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/313/fs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/313/fs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p

Expected behavior

Fix vulnerabilities in Longhorn images.

Environment

  • Longhorn version: v1.6.0
  • Installation method (e.g. Rancher Catalog App/Helm/Kubectl): Helm
  • Kubernetes distro (e.g. RKE/K3s/EKS/OpenShift) and version: v1.25.11+k3s1
  • Node config
    • OS type and version: Ubuntu 22.04.4 LTS
    • Kernel version: 5.15.0-106-generic
  • Underlying Infrastructure (e.g. on AWS/GCE, EKS/GKE, VMWare/KVM, Baremetal): KVM
warchal-tomasz added the kind/bug, require/backport and require/qa-review-coverage labels May 15, 2024

@derekbit
Member

cc @c3y1huang

@c3y1huang
Contributor

Looks like these issues are from the binaries installed on the image. The package and host package should be updated with each release. @warchal-tomasz could you run the scan for v1.6.1?

@PhanLe1010
Contributor

Sorry for a naive question. Which image are we thinking has the problem?

@warchal-tomasz
Author

warchal-tomasz commented May 28, 2024

> Sorry for a naive question. Which image are we thinking has the problem?

We are speaking about

docker.io/longhornio/longhorn-manager                    v1.6.0              9f4c1b666bd8c       111MB
docker.io/longhornio/longhorn-engine                     v1.6.0              f772ce9ba10a4       136MB
docker.io/longhornio/longhorn-instance-manager           v1.6.0              2e4eb3ba8dca0       269MB

@warchal-tomasz
Author

> Looks like these issues are from the binaries installed on the image. The package and host package should be updated with each release. @warchal-tomasz could you run the scan for v1.6.1?

Unfortunately, there is no such possibility without upgrading the Longhorn engine in the cluster in my case. The same vulnerabilities are also found in previous 1.5.x versions.
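
The scanner paths in this thread embed the full container ID, whose first 13 characters match the CONTAINER column of `crictl ps`, so each finding can be traced back to an image. The following is an added example, not part of the issue or of Longhorn; the function names `rows`, `openssl_key` and `triage` are hypothetical, and the sample data is an excerpt of the output quoted in the issue.

```python
import re

# Excerpts copied from the issue: two crictl rows per table, three findings.
CRICTL_PS = """\
13c6c5b1cff4a       9f4c1b666bd8c       3 days ago          Running             longhorn-csi-plugin        14                  8a35b5a19cecf       longhorn-csi-plugin-kl8zt
d90e0c906295f       2e4eb3ba8dca0       3 days ago          Running             instance-manager           0                   64b553144b3e5       instance-manager-2e175aa07509ec12832b39060d7e7804
"""
CRICTL_IMAGES = """\
docker.io/longhornio/longhorn-manager                    v1.6.0              9f4c1b666bd8c       111MB
docker.io/longhornio/longhorn-instance-manager           v1.6.0              2e4eb3ba8dca0       269MB
"""
TASKS = "/run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/"
REPORT = f"""\
  Path             : {TASKS}13c6c5b1cff4a3b187c0775d7893ec799f5efb9dc866a52dab8baf428e367f00/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p
  Path             : {TASKS}d90e0c906295fa84b8307c3fac726a8070ae99516619fe2ef02b2a44b28b4b8d/rootfs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p
  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/313/fs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p
"""

def rows(table):
    # crictl pads columns with runs of spaces; single spaces occur inside cells.
    return [re.split(r"\s{2,}", l.strip()) for l in table.splitlines() if l.strip()]

def openssl_key(version):
    # OpenSSL 1.x letter releases: 1.1.1l < 1.1.1o, and 1.0.2z < 1.0.2za.
    nums, letters = re.fullmatch(r"([\d.]+)([a-z]*)", version).groups()
    return tuple(map(int, nums.split("."))), len(letters), letters

def triage(ps, images, report):
    """Return {image reference or 'unmapped': container names} for outdated findings."""
    image_of = {r[2]: f"{r[0]}:{r[1]}" for r in rows(images)}
    container = {r[0]: (r[4], image_of.get(r[1], r[1])) for r in rows(ps)}
    out = {}
    pat = r"Path\s*: (\S+)\s+Reported version : (\S+)\s+Fixed version\s*: (\S+)"
    for path, seen, fixed in re.findall(pat, report):
        if openssl_key(seen) >= openssl_key(fixed):
            continue
        m = re.search(r"/k8s\.io/([0-9a-f]{13})[0-9a-f]*/rootfs/", path)
        # Snapshot-layer paths carry no container ID, so they stay unmapped.
        name, image = container.get(m.group(1), ("?", "unmapped")) if m else ("-", "unmapped")
        out.setdefault(image, set()).add(name)
    return {k: sorted(v) for k, v in out.items()}
```

On this excerpt the `longhorn-csi-plugin` container resolves to the `longhorn-manager` image, since both containers in the issue's `crictl ps` output share image ID `9f4c1b666bd8c`.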
