Rebuild base images at release time to fix CVEs #2768

Open
dkoshkin opened this issue Jan 22, 2024 · 6 comments · May be fixed by #2771
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@dkoshkin

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug
/kind feature

What happened:
The base image gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest used by the driver and syncer has some CRITICAL and HIGH CVEs.

CVEs in gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest

gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest (photon 4.0)
=======================================================================
Total: 11 (HIGH: 8, CRITICAL: 3)

┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ curl        │ CVE-2023-38545 │ CRITICAL │ fixed  │ 8.1.2-2.ph4       │ 8.1.2-6.ph4   │ curl: heap based buffer overflow in the SOCKS5 proxy   │
│             │                │          │        │                   │               │ handshake                                              │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-38545             │
│             ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│             │ CVE-2023-38039 │ HIGH     │        │                   │ 8.1.2-5.ph4   │ curl: out of heap memory issue due to missing limit on │
│             │                │          │        │                   │               │ header...                                              │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-38039             │
├─────────────┼────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│ curl-libs   │ CVE-2023-38545 │ CRITICAL │        │                   │ 8.1.2-6.ph4   │ curl: heap based buffer overflow in the SOCKS5 proxy   │
│             │                │          │        │                   │               │ handshake                                              │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-38545             │
│             ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│             │ CVE-2023-38039 │ HIGH     │        │                   │ 8.1.2-5.ph4   │ curl: out of heap memory issue due to missing limit on │
│             │                │          │        │                   │               │ header...                                              │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-38039             │
├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ glibc       │ CVE-2023-5156  │          │        │ 2.32-11.ph4       │ 2.32-14.ph4   │ glibc: DoS due to memory leak in getaddrinfo.c         │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5156              │
├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libssh2     │ CVE-2020-22218 │          │        │ 1.10.0-1.ph4      │ 1.11.0-1.ph4  │ libssh2: use-of-uninitialized-value in                 │
│             │                │          │        │                   │               │ _libssh2_transport_read                                │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-22218             │
├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ nss-libs    │ CVE-2023-0767  │          │        │ 3.72-3.ph4        │ 3.72-4.ph4    │ Arbitrary memory write via PKCS 12                     │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0767              │
├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ openssl     │ CVE-2023-4807  │          │        │ 3.0.9-5.ph4       │ 3.0.9-6.ph4   │ POLY1305 MAC implementation corrupts XMM registers on  │
│             │                │          │        │                   │               │ Windows                                                │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-4807              │
│             ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│             │ CVE-2023-5363  │          │        │                   │ 3.0.9-7.ph4   │ openssl: Incorrect cipher key and IV length processing │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2023-7104  │          │        │ 3.38.5-2.ph4      │ 3.38.5-4.ph4  │ sqlite: heap-buffer-overflow at sessionfuzz            │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-7104              │
├─────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ zlib        │ CVE-2023-45853 │ CRITICAL │        │ 1.2.11-5.ph4      │ 1.2.11-6.ph4  │ zlib: integer overflow and resultant heap-based buffer │
│             │                │          │        │                   │               │ overflow in zipOpenNewFileInZip4_6                     │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45853             │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

I've rebuilt the base image from main and it had 0 Critical/High CVEs.

CVEs in gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab
gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab (photon 4.0)
=========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

What you expected to happen:
Can we consider rebuilding the base image on every release, somewhere in https://github.com/kubernetes-sigs/vsphere-csi-driver/blob/master/hack/release.sh ?

How to reproduce it (as minimally and precisely as possible):

Check CVEs:

trivy image --severity HIGH,CRITICAL gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest 

Anything else we need to know?:

I would be happy to work on this if someone can point me in the right direction.

Environment:

  • csi-vsphere version:
  • vsphere-cloud-controller-manager version:
  • Kubernetes version:
  • vSphere version:
  • OS (e.g. from /etc/os-release):
  • Kernel (e.g. uname -a):
  • Install tools:
  • Others:
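One way to wire the rebuild into a release script, added here as an example and not code from the vsphere-csi-driver project's own hack/release.sh: build the base image fresh, run the same trivy check as above as a gate, and only push when no fixable HIGH/CRITICAL findings remain. The image name and GIT_COMMIT build arg follow the `make build` output in this thread; deriving the tag from `git rev-parse HEAD`, the `--pull --no-cache` flags and the trivy gate flags are assumptions.

```shell
#!/bin/sh
# Added example, not the project's release.sh: rebuild the base image at
# release time and refuse to push it while trivy still reports fixable
# HIGH/CRITICAL CVEs. Image name and GIT_COMMIT follow the `make build`
# output in the issue; the gate and the tag derivation are assumptions.
set -eu

BASE_IMAGE="${BASE_IMAGE:-gcr.io/cloud-provider-vsphere/extra/csi-driver-base}"

# Exit 0 only when the image has no HIGH/CRITICAL finding that has a fix.
# --ignore-unfixed keeps the gate actionable: a release cannot wait on
# findings Photon has not patched yet, but it must not ship known-fixed ones.
scan_gate() {
    trivy image --scanners vuln --severity HIGH,CRITICAL \
        --ignore-unfixed --exit-code 1 "$1"
}

# --pull refreshes photon:4.0 and --no-cache forces the `tdnf -y upgrade`
# layer to run again; otherwise docker reuses the cached layer and the
# "rebuilt" image still carries the old packages.
release_base_image() {
    commit="$(git rev-parse HEAD)"
    short="$(printf '%s' "$commit" | cut -c1-8)"
    docker build --pull --no-cache -t "$BASE_IMAGE:$short" \
        --build-arg "GIT_COMMIT=$commit" .
    if ! scan_gate "$BASE_IMAGE:$short"; then
        echo "refusing to push $BASE_IMAGE:$short: fixable HIGH/CRITICAL CVEs remain" >&2
        return 1
    fi
    docker tag "$BASE_IMAGE:$short" "$BASE_IMAGE:latest"
    docker push "$BASE_IMAGE:$short"
    docker push "$BASE_IMAGE:latest"
}

# Only run the release when invoked as `release.sh release`, so the functions
# can be sourced and reused by other scripts.
if [ "$#" -gt 0 ] && [ "$1" = "release" ]; then
    release_base_image
fi
```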
@divyenpatel
Member

@dkoshkin thanks for reporting this issue.

We have just re-built the base driver image and pushed it as latest.

% make build
docker build -t gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab --build-arg GIT_COMMIT=100d56ab76bbde05b4795d1e675952c9307f13f8 .
[+] Building 9.5s (7/7) FINISHED                                                                                                                                            
 => [internal] load build definition from Dockerfile                                                                                                                   0.0s
 => => transferring dockerfile: 866B                                                                                                                                   0.0s
 => [internal] load .dockerignore                                                                                                                                      0.0s
 => => transferring context: 2B                                                                                                                                        0.0s
 => [internal] load metadata for docker.io/library/photon:4.0                                                                                                          3.0s
 => [auth] library/photon:pull token for registry-1.docker.io                                                                                                          0.0s
 => [1/2] FROM docker.io/library/photon:4.0@sha256:a338a97f9e1bdd166aa236264ae981dbecb3b26dff9ce551890569ece187badb                                                    1.1s
 => => resolve docker.io/library/photon:4.0@sha256:a338a97f9e1bdd166aa236264ae981dbecb3b26dff9ce551890569ece187badb                                                    0.0s
 => => sha256:a338a97f9e1bdd166aa236264ae981dbecb3b26dff9ce551890569ece187badb 547B / 547B                                                                             0.0s
 => => sha256:acdab5c315d9e9a5b7252df305dffcfe5686800a338d89e198bf93f49beefe07 529B / 529B                                                                             0.0s
 => => sha256:62c1f7f929000cae58792dc957c9b58ba9ddf2b3f0abe96baed46a64557a94be 1.81kB / 1.81kB                                                                         0.0s
 => => sha256:a64791008645b453a3573695334dda7a049fa567cf2642a50b11a0bc0e5a3562 16.17MB / 16.17MB                                                                       0.8s
 => => extracting sha256:a64791008645b453a3573695334dda7a049fa567cf2642a50b11a0bc0e5a3562                                                                              0.3s
 => [2/2] RUN tdnf -y upgrade && tdnf clean all                                                                                                                        5.3s
 => exporting to image                                                                                                                                                 0.0s
 => => exporting layers                                                                                                                                                0.0s
 => => writing image sha256:9bb548f40ac2f75793ff27dfe2ca61f67287dd19a9f3ffc7278c60aa7c7e8843                                                                           0.0s
 => => naming to gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab                                                                                          0.0s
docker tag gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest
 % make push
logging into gcr.io registry with gcloud auth helper
docker push gcr.io/cloud-provider-vsphere/extra/csi-driver-base:100d56ab
The push refers to repository [gcr.io/cloud-provider-vsphere/extra/csi-driver-base]
d38a254ea51a: Pushed 
9efa0a363efe: Pushed 
100d56ab: digest: sha256:14a36f13eca60e7ad130af4494c8723e11b304d7a2621bc920be0a42fd9b93aa size: 736
docker push gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest
The push refers to repository [gcr.io/cloud-provider-vsphere/extra/csi-driver-base]
d38a254ea51a: Layer already exists 
9efa0a363efe: Layer already exists 
latest: digest: sha256:14a36f13eca60e7ad130af4494c8723e11b304d7a2621bc920be0a42fd9b93aa size: 736

@dkoshkin
Author

Thanks @divyenpatel, just verified and see it

trivy image --severity HIGH,CRITICAL gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest
2024-01-22T15:09:45.478-0800    INFO    Vulnerability scanning is enabled
2024-01-22T15:09:45.478-0800    INFO    Secret scanning is enabled
2024-01-22T15:09:45.478-0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-22T15:09:45.478-0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-22T15:09:47.955-0800    INFO    Detected OS: photon
2024-01-22T15:09:47.955-0800    INFO    Detecting Photon Linux vulnerabilities...
2024-01-22T15:09:47.957-0800    INFO    Number of language-specific files: 0

gcr.io/cloud-provider-vsphere/extra/csi-driver-base:latest (photon 4.0)

Total: 0 (HIGH: 0, CRITICAL: 0)

What is the cadence of these being rebuilt? Any way to make it automated so that new releases pick up the CVE fixes?

@divyenpatel
Member

What is the cadence of these being rebuilt?

We do re-build on every major new release.

Any way to make it automated so that new releases pick up the CVE fixes?

We are thinking of merging it with the driver and syncer image so we don't need to worry about rebuilding the base image for every release.

@dkoshkin
Author

dkoshkin commented Jan 22, 2024

We are thinking of merging it with the driver and syncer image so we don't need to worry about rebuilding the base image for every release.

👍 That makes sense to me @divyenpatel, please let me know if I can help with that effort.

@dkoshkin dkoshkin linked a pull request Jan 25, 2024 that will close this issue
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 22, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 22, 2024