
Address security vulnerabilities in the image/binary/repo #3538

Closed

humblec opened this issue Nov 15, 2022 · 26 comments

Labels: component/testing (Additional test cases or CI work), dependency/ceph (depends on core Ceph functionality), keepalive (This label can be used to disable stale bot activity in the repo), question (Further information is requested)

Comments

@humblec (Collaborator) commented Nov 15, 2022

Describe the bug

We are getting many reports against the Ceph CSI image and the vulnerabilities it holds. It is required/better to address as many as we can.
As part of this effort I have started enabling the trivy scanner in the repo via #3537, and the initial report says:

quay.io/cephcsi/cephcsi:test (redhat 8.6)
=========================================
Total: 14 (UNKNOWN: 0, LOW: 1, MEDIUM: 12, HIGH: 1, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬──────────────────────────────────────┬────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │          Installed Version           │             Fixed Version              │                            Title                             │
├───────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ gnutls                │ CVE-2022-2509  │ MEDIUM   │ 3.6.16-5.el8                         │ 3.6.16-5.el8_6                         │ gnutls: Double free during gnutls_pkcs7_verify               │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2022-2509                    │
├───────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libksba               │ CVE-2022-3515  │ HIGH     │ 1.3.5-7.el8                          │ 1.3.5-8.el8_6                          │ libksba: integer overflow may lead to remote code execution  │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2022-3515                    │
├───────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ platform-python       │ CVE-2015-20107 │ MEDIUM   │ 3.6.8-47.el8                         │ 3.6.8-47.el8_6                         │ python: mailcap: findmatch() function does not sanitize the  │
│                       │                │          │                                      │                                        │ second argument                                              │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2015-20107                   │
│                       ├────────────────┤          │                                      │                                        ├──────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-0391  │          │                                      │                                        │ python: urllib.parse does not sanitize URLs containing ASCII │
│                       │                │          │                                      │                                        │ newline and tabs                                             │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2022-0391                    │
├───────────────────────┼────────────────┤          │                                      │                                        ├──────────────────────────────────────────────────────────────┤
│ platform-python-devel │ CVE-2015-20107 │          │                                      │                                        │ python: mailcap: findmatch() function does not sanitize the  │
│                       │                │          │                                      │                                        │ second argument                                              │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2015-20107                   │
│                       ├────────────────┤          │                                      │                                        ├──────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-0391  │          │                                      │                                        │ python: urllib.parse does not sanitize URLs containing ASCII │
│                       │                │          │                                      │                                        │ newline and tabs                                             │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2022-0391                    │
├───────────────────────┼────────────────┤          │                                      │                                        ├──────────────────────────────────────────────────────────────┤
│ python3-libs          │ CVE-2015-20107 │          │                                      │                                        │ python: mailcap: findmatch() function does not sanitize the  │
│                       │                │          │                                      │                                        │ second argument                                              │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2015-20107                   │
│                       ├────────────────┤          │                                      │                                        ├──────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-0391  │          │                                      │                                        │ python: urllib.parse does not sanitize URLs containing ASCII │
│                       │                │          │                                      │                                        │ newline and tabs                                             │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2022-0391                    │
├───────────────────────┼────────────────┤          ├──────────────────────────────────────┼────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ python3-scipy         │ CVE-2021-20270 │          │ 1.0.0-21.module_el8.5.0+771+e5d9a225 │ 1.0.0-21.module+el8.5.0+10916+41bd434d │ python-pygments: Infinite loop in SML lexer may lead to DoS  │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2021-20270                   │
│                       ├────────────────┤          │                                      │                                        ├──────────────────────────────────────────────────────────────┤
│                       │ CVE-2021-27291 │          │                                      │                                        │ python-pygments: ReDoS in multiple lexers                    │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2021-27291                   │
├───────────────────────┼────────────────┤          ├──────────────────────────────────────┼────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ python36              │ CVE-2021-20270 │          │ 3.6.8-38.module_el8.5.0+895+a459eca8 │ 3.6.8-38.module+el8.5.0+12207+5c5719bc │ python-pygments: Infinite loop in SML lexer may lead to DoS  │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2021-20270                   │
│                       ├────────────────┤          │                                      │                                        ├──────────────────────────────────────────────────────────────┤
│                       │ CVE-2021-27291 │          │                                      │                                        │ python-pygments: ReDoS in multiple lexers                    │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2021-27291                   │
├───────────────────────┼────────────────┤          ├──────────────────────────────────────┼────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs           │ CVE-2020-35527 │          │ 3.26.0-16.el8                        │ 3.26.0-16.el8_6                        │ sqlite: Out of bounds access during table rename             │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2020-35527                   │
│                       ├────────────────┼──────────┤                                      │                                        ├──────────────────────────────────────────────────────────────┤
│                       │ CVE-2020-35525 │ LOW      │                                      │                                        │ sqlite: Null pointer derreference in src/select.c            │
│                       │                │          │                                      │                                        │ https://avd.aquasec.com/nvd/cve-2020-35525                   │
└───────────────────────┴────────────────┴──────────┴──────────────────────────────────────┴────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

Python (python-pkg)
===================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 2)

┌───────────────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│                      Library                      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├───────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ joblib (PKG-INFO)                                 │ CVE-2022-21797 │ CRITICAL │ 0.16.0            │ 1.2.0         │ The package joblib from 0 and before 1.2.0 are vulnerable to │
│                                                   │                │          │                   │               │ Arbitrary...                                                 │
│                                                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-21797                   │
├───────────────────────────────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ scikit-learn (scikit_learn-0.19.1-py3.6.egg-info) │ CVE-2020-13092 │          │ 0.19.1            │ 0.23.1        │ ** DISPUTED ** scikit-learn (aka sklearn) through 0.23.0 can │
│                                                   │                │          │                   │               │ unseriali ...                                                │
│                                                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-13092                   │
│                                                   ├────────────────┼──────────┤                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                                   │ CVE-2020-28975 │ HIGH     │                   │ 0.24.dev0     │ ** DISPUTED ** svm_predict_values in svm.cpp in Libsvm v324, │
│                                                   │                │          │                   │               │ as used in...                                                │
│                                                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-28975                   │
└───────────────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

usr/local/bin/cephcsi (gobinary)
================================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 1)

┌────────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Installed Version │       Fixed Version        │                            Title                             │
├────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/vault │ CVE-2020-16250 │ CRITICAL │ v1.4.2            │ 1.5.1, 1.5.1, 1.2.5, 1.3.8 │ Authentication Bypass by Spoofing                            │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2020-16250                   │
│                            ├────────────────┼──────────┤                   ├────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2021-32923 │ HIGH     │                   │ 1.7.2, 1.7.2, 1.7.2, 1.5.9 │ vault: Token leases incorrectly treated as non-expiring      │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-32923                   │
│                            ├────────────────┼──────────┤                   ├────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2021-38553 │ MEDIUM   │                   │ 1.8.0                      │ vault: Underlying database file with excessively broad       │
│                            │                │          │                   │                            │ filesystem permissions                                       │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-38553                   │
│                            ├────────────────┤          │                   ├────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2021-38554 │          │                   │ 1.6.6, 1.7.4               │ vault: UI erroneously cached and exposed user-viewed secrets │
│                            │                │          │                   │                            │ between sessions in a...                                     │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-38554                   │
│                            ├────────────────┤          │                   ├────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2021-41802 │          │                   │ 1.7.5, 1.8.4               │ vault: Incorrect Permission Assignment for Critical Resource │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-41802                   │
│                            ├────────────────┤          │                   ├────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2021-43998 │          │                   │ 1.7.6, 1.8.5               │ Incorrect Permission Assignment for Critical Resource        │
│                            │                │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-43998                   │
└────────────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────────┴──────────────────────────────────────────────────────────────┘

@humblec humblec self-assigned this Nov 15, 2022
@nixpanic (Member) commented

Except for the CVEs in usr/local/bin/cephcsi, you'll need to report them to the Ceph team that builds the base container-image.

The Vault ones look related to the server only, not to the API/client?
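As an added example (not code from the ceph-csi project), a small triage script for trivy's JSON report that applies the split above: Go module findings in the cephcsi binary are the repo's own to fix, while OS and Python package findings are inherited from the base image and belong upstream. The sample report is constructed from this issue's table; the field names follow trivy's JSON report schema as I understand it (an assumption, so check them against your trivy version).

```python
"""Triage a trivy JSON report by who can fix each finding.
Added example, not ceph-csi project code."""
import json
from collections import defaultdict

# Constructed sample in the shape of `trivy image --format json` output.
# Field names (Results/Class/Type/Vulnerabilities/...) are assumed from
# trivy's report schema; verify against the version you run.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "quay.io/cephcsi/cephcsi:test (redhat 8.6)", "Class": "os-pkgs", "Type": "redhat",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-3515", "PkgName": "libksba", "InstalledVersion": "1.3.5-7.el8",
              "FixedVersion": "1.3.5-8.el8_6", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2020-35525", "PkgName": "sqlite-libs", "InstalledVersion": "3.26.0-16.el8",
              "FixedVersion": "3.26.0-16.el8_6", "Severity": "LOW"},
         ]},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-21797", "PkgName": "joblib", "InstalledVersion": "0.16.0",
              "FixedVersion": "1.2.0", "Severity": "CRITICAL"},
         ]},
        {"Target": "usr/local/bin/cephcsi", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2020-16250", "PkgName": "github.com/hashicorp/vault",
              "InstalledVersion": "v1.4.2", "FixedVersion": "1.5.1, 1.5.1, 1.2.5, 1.3.8", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2021-38553", "PkgName": "github.com/hashicorp/vault",
              "InstalledVersion": "v1.4.2", "FixedVersion": "1.8.0", "Severity": "MEDIUM"},
         ]},
    ]
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def owner_for(result):
    """Who can fix findings from one scan target.
    'repo'       : Go module deps compiled into the cephcsi binary -> bump go.mod here.
    'base-image' : OS / Python packages inherited from the Ceph base image -> report
                   upstream (or mitigate with a package update in the release stage)."""
    if result.get("Type") == "gobinary":
        return "repo"
    return "base-image"


def triage(report_json, fail_on="HIGH"):
    """Return ({owner: [findings]}, should_fail).
    CI fails only on repo-owned findings at or above `fail_on` that have a fix
    available, so upstream noise is listed but does not block merges."""
    report = json.loads(report_json)
    buckets = defaultdict(list)
    threshold = SEVERITY_RANK[fail_on]
    should_fail = False
    for result in report.get("Results", []):
        owner = owner_for(result)
        for v in result.get("Vulnerabilities") or []:
            finding = {
                "id": v["VulnerabilityID"], "pkg": v["PkgName"], "severity": v["Severity"],
                "installed": v.get("InstalledVersion"), "fixed": v.get("FixedVersion", ""),
                "target": result["Target"], "owner": owner,
            }
            buckets[owner].append(finding)
            if owner == "repo" and finding["fixed"] and \
                    SEVERITY_RANK.get(finding["severity"], 0) >= threshold:
                should_fail = True
    return dict(buckets), should_fail


def summarize(buckets):
    """Per-owner severity counts for the CI log."""
    summary = {}
    for owner, findings in buckets.items():
        counts = defaultdict(int)
        for f in findings:
            counts[f["severity"]] += 1
        summary[owner] = dict(counts)
    return summary


if __name__ == "__main__":
    found, fail = triage(SAMPLE_REPORT)
    print(json.dumps(summarize(found), indent=2), "fail CI:", fail)
```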

@VladimirMarkelov commented

Besides the mentioned CVEs for Hashicorp, there is a newer one: CVE-2022-36129 (9.1 Critical): https://cve.report/CVE-2022-36129

Fixed in 1.11.1, 1.10.5, and 1.9.8 - https://discuss.hashicorp.com/t/vault-1-11-1-1-10-5-and-1-9-8-released/42389

@nixpanic (Member) commented Nov 23, 2022 via email

@github-actions (bot) commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the wontfix This will not be worked on label Dec 23, 2022
@github-actions (bot) commented

This issue has been automatically closed due to inactivity. Please re-open if this still requires investigation.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 30, 2022
@humblec humblec removed the wontfix This will not be worked on label Jan 4, 2023
@humblec humblec reopened this Jan 4, 2023
@mohag (Contributor) commented Jan 31, 2023

> Except for the CVEs in usr/local/bin/cephcsi, you'll need to report them to the Ceph team that builds the base container-image.

It is possible to update the packages from the Dockerfile... Updating it in the base image is better and smaller, but that works....

@humblec (Collaborator, Author) commented Jan 31, 2023

> Except for the CVEs in usr/local/bin/cephcsi, you'll need to report them to the Ceph team that builds the base container-image.

> It is possible to update the packages from the Dockerfile... Updating it in the base image is better and smaller, but that works....

@mohag we do that here already? https://github.com/ceph/ceph-csi/blob/devel/deploy/cephcsi/image/Dockerfile#L31 Or do you mean something we are missing?

@mohag (Contributor) commented Jan 31, 2023

> It is possible to update the packages from the Dockerfile... Updating it in the base image is better and smaller, but that works....

> @mohag we do that here already? https://github.com/ceph/ceph-csi/blob/devel/deploy/cephcsi/image/Dockerfile#L31 Or do you mean something we are missing?

Like that, yes, but in the release image (somewhere under line 59) as well (that one is in the build image).
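A constructed illustration of the multi-stage pitfall mohag describes (this is not the ceph-csi Dockerfile, and the base image tag, paths and build command are placeholders): a package refresh in the build stage does nothing for the release stage, which starts again from the untouched base image, so the scanner keeps reporting the base image's OS packages until the release stage is updated too.

```dockerfile
# Constructed example, not the ceph-csi Dockerfile. BASE_TAG_PLACEHOLDER and
# the build command are placeholders.

# Build stage: packages are refreshed here, but only the files COPYed out of
# this stage reach the final image; its updated libraries do not.
FROM quay.io/ceph/ceph:BASE_TAG_PLACEHOLDER AS builder
RUN dnf -y update && dnf clean all
COPY . /src
WORKDIR /src
# Illustrative build line; the real build is the project's own Makefile target.
RUN go build -o /cephcsi .

# Release stage: starts from the (possibly stale) base image again, so without
# its own update step it still carries every unpatched OS package.
FROM quay.io/ceph/ceph:BASE_TAG_PLACEHOLDER
COPY --from=builder /cephcsi /usr/local/bin/cephcsi
# Stopgap until the upstream base image is rebuilt: refresh packages in the
# release stage as well. Fixing the base image itself stays the better and
# smaller fix, as noted above.
RUN dnf -y update && dnf clean all
ENTRYPOINT ["/usr/local/bin/cephcsi"]
```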

@humblec (Collaborator, Author) commented Jan 31, 2023

@mohag we can do that as well. Do you want to submit a PR? Or I can do that. Please let me know.

@mohag (Contributor) commented Jan 31, 2023

> @mohag we can do that as well. Do you want to submit a PR? Or I can do that. Please let me know.

I'll attempt a PR.

@mohag (Contributor) commented Feb 1, 2023

A big part of the issue with the OS packages here is that the quay.io/centos/centos:8stream image seems not to be routinely updated (the quay.io/ceph/ceph image uses that as a base). It should be rebuilt every time an update to a package in that image is available. I could not track down the repo where those Dockerfiles are kept to try and nag them, though.

@jeroenlandheer commented Feb 2, 2023

This is probably the one you're looking for: https://github.com/tgagor/docker-centos/blob/master/stream8/Dockerfile

Update: Nevermind, this wasn't the original image but an image that has a built-in update.

@mohag (Contributor) commented Feb 2, 2023

Let's see if we can get the underlying base images upgraded....

@github-actions (bot) commented Mar 4, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the wontfix This will not be worked on label Mar 4, 2023
@mohag (Contributor) commented Mar 9, 2023

The base images have been upgraded.

@github-actions github-actions bot removed the wontfix This will not be worked on label Mar 9, 2023
@github-actions (bot) commented Apr 9, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the wontfix This will not be worked on label Apr 9, 2023
@github-actions (bot) commented

This issue has been automatically closed due to inactivity. Please re-open if this still requires investigation.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 16, 2023
@Starttoaster commented Apr 10, 2024

Can we get this re-opened? Joblib in particular in the ceph-csi image raises a CVE score of 9.8: https://avd.aquasec.com/nvd/2022/cve-2022-21797/

Seems potentially worth looking at since it's vulnerable to arbitrary code execution. I'm running v3.11.0 which seems to be the newest version, and is still vulnerable to this.

@humblec humblec reopened this Apr 11, 2024
@humblec (Collaborator, Author) commented Apr 11, 2024

> Can we get this re-opened? Joblib in particular in the ceph-csi image raises a CVE score of 9.8: https://avd.aquasec.com/nvd/2022/cve-2022-21797/

> Seems potentially worth looking at since it's vulnerable to arbitrary code execution. I'm running v3.11.0 which seems to be the newest version, and is still vulnerable to this.

Considering most of the vulnerabilities are in the base image, that's the place we have to look into.

@Starttoaster commented Apr 11, 2024

If it's not a necessary dependency, the option of uninstalling it from the image in the Dockerfile here is an option that is available as well. If it is a necessary dependency, there's not much to really do (maybe look for alternatives) since there's apparently no patched version.

I understand that the maintainers of ceph-csi might find that to be less than a "clean" solution. But ceph-csi is a product that is only expected to be run in a container. So hardening the production image everyone uses seems like it shouldn't be an incredibly tall order for this project to take on, imho, even if it's a stopgap to getting the fix in the upstream base image. Certainly not such a tall order that a 9.8 score CVE stays in the production image for a year and a half (the approximate age of this issue).

I'd even be happy to try my hand at helping contribute this fix if the maintainers here are open to the fix being implemented here. I mean... it's an arbitrary code execution vulnerability in an image running as root in my clusters with host mode networking and touches my storage clusters. I feel like that sounds like a pretty important thing to tighten up. If I'm being melodramatic let me know, but it seems like something worth acting on last year. That all being said, I'm extremely grateful for the tool, both this cluster client, and ceph in general are amazing. Absolutely wanted to underscore I'm not undermining the awesomeness of it, I just want it to be awesome and actually reasonably secure to run.

@nixpanic nixpanic added the dependency/ceph depends on core Ceph functionality label Apr 11, 2024
@Starttoaster commented

If ceph-csi's maintainers are dead set on the vulnerability resolution being implemented in the upstream container, can we get a link to the Issue tracking it upstream over here? I'd very much appreciate it!

@github-actions github-actions bot removed the wontfix This will not be worked on label Apr 11, 2024
@humblec (Collaborator, Author) commented Apr 13, 2024

@Starttoaster Issues like ceph/ceph-container#2077 try to cover this request.

@github-actions (bot) commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the wontfix This will not be worked on label May 13, 2024
@Starttoaster commented

Still not stale. Relevant here, but still tracking in ceph-container as well.

@github-actions github-actions bot removed the wontfix This will not be worked on label May 16, 2024
@Rakshith-R Rakshith-R added the keepalive This label can be used to disable stale bot activity in the repo label May 17, 2024
@Starttoaster commented

This might be somewhat solved now. There's still a critical vulnerability but now it's just from slightly out of date Go dependencies, since this switched to a base CentOS Stream 9 image. Thanks @Madhu-1 !!

@Madhu-1 (Collaborator) commented Aug 19, 2024

Closing this one as we have updated to use the CentOS 9 image. @Starttoaster Thanks for checking, feel free to open an issue for the Go dependencies :)

@Madhu-1 Madhu-1 closed this as completed Aug 19, 2024