CVE to Fix, what sort of timing is aimed for? #1630
Replies: 1 comment
Hello @soostdijck and thanks for your interest in Flatcar. Releases are usually on a monthly cadence, and we aim for a fortnightly cadence. Most of the time, CVEs are fixed in the Alpha channel and backported to the Beta / Stable channels when they are critical, easily exploitable, or have no mitigation available. Flatcar is present on some private mailing lists where software projects share CVEs and the patches that fix them in advance (e.g. OpenSSL); at that point we can build Flatcar releases and release them the day the CVE is made public (e.g. with regreSSHion, we released the same day as the public announcement). Here's a blogpost about the embargoed issue workflow: https://www.flatcar.org/blog/2022/11/about-the-handling-of-embargoed-security-issues/ I hope it answers some of your questions.
Hi Folks,
I'm working on an internal document to select an OS for my company's Kubernetes clusters. At the moment Flatcar is high on the list, but I have to take into account requirements from my infosec colleagues.
Internally I have guidelines about how long my systems are allowed to take before a CVE should be fixed (when a fix is available). The higher the CVSS score, the shorter the time-to-fix. So far that all makes sense in an enterprise setting. I read in the docs that if a critical problem is found, a new Flatcar version with the fix will be released in an expedited fashion. I'm just wondering what sort of timelines I can expect?
Additionally, I have questions about CIS benchmarking Flatcar. I see that efforts were made in the past, but there seem to be no updates since 2022. Is this still on the roadmap?
Thanks in advance,
Sjoerd.