
Image scan has detected CVE-2021-3538 #4715

Closed
albertschwarzkopf opened this issue Feb 25, 2022 · 15 comments
Assignees
Labels
area/cluster-autoscaler kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@albertschwarzkopf

Hi, the trivy image scanner has detected 1 critical vulnerability in the latest version:

trivy image k8s.gcr.io/autoscaling/cluster-autoscaler:v1.23.0
2022-02-25T10:24:50.270+0100	INFO	Detected OS: debian
2022-02-25T10:24:50.270+0100	INFO	Detecting Debian vulnerabilities...
2022-02-25T10:24:50.270+0100	INFO	Number of language-specific files: 1
2022-02-25T10:24:50.270+0100	INFO	Detecting gobinary vulnerabilities...

k8s.gcr.io/autoscaling/cluster-autoscaler:v1.23.0 (debian 11.2)
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


cluster-autoscaler (gobinary)
=============================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 1)

+---------------------------+------------------+----------+-------------------+-------------------------------------+--------------------------------------+
|          LIBRARY          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |            FIXED VERSION            |                TITLE                 |
+---------------------------+------------------+----------+-------------------+-------------------------------------+--------------------------------------+
| github.com/satori/go.uuid | CVE-2021-3538    | CRITICAL | v1.2.0            | 1.2.1-0.20181016170032-d91630c85102 | satori/go.uuid: predictable UUIDs    |
|                           |                  |          |                   |                                     | generated via insecure randomness    |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2021-3538 |
+---------------------------+------------------+----------+-------------------+-------------------------------------+--------------------------------------+
| k8s.io/kubernetes         | CVE-2020-8554    | MEDIUM   | v1.23.0           |                                     | kubernetes: MITM using               |
|                           |                  |          |                   |                                     | LoadBalancer or ExternalIPs          |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2020-8554 |
+---------------------------+------------------+----------+-------------------+-------------------------------------+--------------------------------------+

Could you please fix this?

Which component are you using?:

cluster-autoscaler

What version of the component are you using?:

Component version:
image-tag: v1.23.0
Chart-Version: 9.15.0

What k8s version are you using (kubectl version)?:

AWS EKS 1.21

What environment is this in?:

AWS EKS

What did you expect to happen?:

No critical vulnerabilities

What happened instead?:

1 critical vulnerability

How to reproduce it (as minimally and precisely as possible):

trivy image k8s.gcr.io/autoscaling/cluster-autoscaler:v1.23.0

@sergeyshevch
Member

sergeyshevch commented Mar 18, 2022

I've done a little research on this bug and want to add more context to this issue.

go mod why github.com/satori/go.uuid
# github.com/satori/go.uuid
k8s.io/autoscaler/cluster-autoscaler/cloudprovider/alicloud/alibaba-cloud-sdk-go/sdk/utils
github.com/satori/go.uuid

So we need to update alibaba-cloud-sdk-go to solve this issue. alibaba-cloud-sdk-go was vendored in 2018 in this repo (962826e). New versions of alibaba-cloud-sdk-go don't contain such a package as a dependency.

I can make a PR to update alibaba-cloud-sdk-go but I can't test it.
@ringtail Can you then test my PR or you can update this SDK by yourself?
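
Added example (not code from this issue or from the autoscaler project): a small Go program that performs the same check offline, reading `go version -m`-style build info for a binary and flagging the two gobinary findings from the report above by comparing installed module versions against the fixed versions trivy lists. The build-info text is constructed, the h1 sums are dummies, and the semver comparison is simplified (pre-release identifiers are compared lexically, which is enough for pseudo-versions like the go.uuid fix).

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// advisory names a module whose versions below Fixed are affected.
// Module paths, CVE IDs and fixed versions are taken from the trivy report above.
type advisory struct{ Module, CVE, Fixed string }

var advisories = []advisory{
	{"github.com/satori/go.uuid", "CVE-2021-3538", "v1.2.1-0.20181016170032-d91630c85102"},
	{"golang.org/x/text", "CVE-2021-38561", "v0.3.7"},
}

// Constructed sample in the shape of `go version -m <binary>` output; versions
// mirror the v1.21.2 report, the h1 sums are placeholders, not real checksums.
const sampleBuildInfo = "cluster-autoscaler: go1.16.9\n" +
	"\tpath\tk8s.io/autoscaler/cluster-autoscaler\n" +
	"\tmod\tk8s.io/autoscaler/cluster-autoscaler\t(devel)\n" +
	"\tdep\tgithub.com/satori/go.uuid\tv1.2.0\th1:constructed\n" +
	"\tdep\tgolang.org/x/text\tv0.3.4\th1:constructed\n" +
	"\tdep\tk8s.io/kubernetes\tv1.21.0\th1:constructed\n"

type finding struct{ Module, Installed, CVE, Fixed string }

// parseDeps maps module path -> version for every "dep" line. A following
// "=>" line is a replace directive: the binary carries the replacement version,
// so record it under the replaced path so advisories keyed on it still match.
func parseDeps(buildInfo string) map[string]string {
	deps, last := map[string]string{}, ""
	sc := bufio.NewScanner(strings.NewReader(buildInfo))
	for sc.Scan() {
		f := strings.Split(strings.TrimSpace(sc.Text()), "\t")
		switch {
		case len(f) >= 3 && f[0] == "dep":
			deps[f[1]], last = f[2], f[1]
		case len(f) >= 3 && f[0] == "=>" && last != "":
			deps[last] = f[2]
		}
	}
	return deps
}

// splitSemver parses vMAJOR.MINOR.PATCH[-PRE][+BUILD]; build metadata is ignored.
func splitSemver(v string) (core [3]int, pre string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p)
	}
	return core, pre
}

// semverLess reports a < b. A pre-release sorts below its release, which is why
// v1.2.0 < v1.2.1-0.2018...-d91630c85102 < v1.2.1 (the go.uuid fix pseudo-version).
func semverLess(a, b string) bool {
	ca, pa := splitSemver(a)
	cb, pb := splitSemver(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	if pa == "" || pb == "" {
		return pa != "" && pb == ""
	}
	return pa < pb // simplified: lexical, fine for Go pseudo-versions
}

// scan returns one finding per advisory whose module is present below Fixed.
func scan(buildInfo string) []finding {
	deps, out := parseDeps(buildInfo), []finding{}
	for _, a := range advisories {
		if v, ok := deps[a.Module]; ok && semverLess(v, a.Fixed) {
			out = append(out, finding{a.Module, v, a.CVE, a.Fixed})
		}
	}
	return out
}

func main() {
	for _, f := range scan(sampleBuildInfo) {
		fmt.Printf("%s %s: %s (fixed in %s)\n", f.Module, f.Installed, f.CVE, f.Fixed)
	}
}
```

Pipe real `go version -m cluster-autoscaler` output into scan to check a locally extracted binary; an image fixed as suggested above should produce no go.uuid finding.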

@sergeyshevch
Member

/assign

@damienleger
Contributor

The v1.21.2 image (EKS 1.21 is the last version available atm on AWS) and v1.22.2 also have CVE-2021-3538 ⚠️

$ trivy version
Version: 0.25.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-03-31 12:11:44.661302354 +0000 UTC
  NextUpdate: 2022-03-31 18:11:44.661301954 +0000 UTC
  DownloadedAt: 2022-03-31 13:01:36.478794654 +0000 UTC

$ trivy image --no-progress k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.2
2022-03-31T13:02:23.600Z        INFO    Detected OS: debian
2022-03-31T13:02:23.600Z        INFO    Detecting Debian vulnerabilities...
2022-03-31T13:02:23.601Z        INFO    Number of language-specific files: 1
2022-03-31T13:02:23.601Z        INFO    Detecting gobinary vulnerabilities...

k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.2 (debian 11.1)
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


cluster-autoscaler (gobinary)
=============================
Total: 8 (UNKNOWN: 1, LOW: 2, MEDIUM: 3, HIGH: 1, CRITICAL: 1)

+---------------------------+------------------+----------+-------------------+-------------------------------------+---------------------------------------+
|          LIBRARY          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |            FIXED VERSION            |                 TITLE                 |
+---------------------------+------------------+----------+-------------------+-------------------------------------+---------------------------------------+
| github.com/satori/go.uuid | CVE-2021-3538    | CRITICAL | v1.2.0            | 1.2.1-0.20181016170032-d91630c85102 | satori/go.uuid: predictable UUIDs     |
|                           |                  |          |                   |                                     | generated via insecure randomness     |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2021-3538  |
+---------------------------+------------------+----------+-------------------+-------------------------------------+---------------------------------------+
| golang.org/x/text         | CVE-2021-38561   | UNKNOWN  | v0.3.4            | 0.3.7                               | Due to improper index calculation,    |
|                           |                  |          |                   |                                     | an incorrectly formatted              |
|                           |                  |          |                   |                                     | language tag can cause...             |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2021-38561 |
+---------------------------+------------------+----------+-------------------+-------------------------------------+---------------------------------------+
| k8s.io/kubernetes         | CVE-2021-25741   | HIGH     | v1.21.0           | 1.19.15, 1.20.11, 1.21.5,           | kubernetes: Symlink exchange          |
|                           |                  |          |                   | 1.22.2                              | can allow host filesystem access      |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2021-25741 |
+                           +------------------+----------+                   +-------------------------------------+---------------------------------------+
|                           | CVE-2020-8554    | MEDIUM   |                   |                                     | kubernetes: MITM using                |
|                           |                  |          |                   |                                     | LoadBalancer or ExternalIPs           |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2020-8554  |
+                           +------------------+          +                   +-------------------------------------+---------------------------------------+
|                           | CVE-2020-8561    |          |                   |                                     | kubernetes: Webhook                   |
|                           |                  |          |                   |                                     | redirect in kube-apiserver            |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2020-8561  |
+                           +------------------+          +                   +-------------------------------------+---------------------------------------+
|                           | CVE-2021-25737   |          |                   | 1.18.19, 1.19.10, 1.20.7,           | kubernetes: Holes in EndpointSlice    |
|                           |                  |          |                   | 1.21.1                              | Validation Enable Host Network Hijack |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2021-25737 |
+                           +------------------+----------+                   +-------------------------------------+---------------------------------------+
|                           | CVE-2020-8562    | LOW      |                   | 1.21.1, 1.21.1, 1.19.11,            | kubernetes: Bypass of Kubernetes      |
|                           |                  |          |                   | 1.18.19, 1.18.19                    | API Server proxy TOCTOU               |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2020-8562  |
+                           +------------------+          +                   +-------------------------------------+---------------------------------------+
|                           | CVE-2021-25740   |          |                   |                                     | kubernetes: Endpoint &                |
|                           |                  |          |                   |                                     | EndpointSlice permissions allow       |
|                           |                  |          |                   |                                     | cross-Namespace forwarding            |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2021-25740 |
+---------------------------+------------------+----------+-------------------+-------------------------------------+---------------------------------------+

$ trivy image --no-progress k8s.gcr.io/autoscaling/cluster-autoscaler:v1.22.2
2022-03-31T13:02:31.667Z        INFO    Detected OS: debian
2022-03-31T13:02:31.667Z        INFO    Detecting Debian vulnerabilities...
2022-03-31T13:02:31.667Z        INFO    Number of language-specific files: 1
2022-03-31T13:02:31.667Z        INFO    Detecting gobinary vulnerabilities...

k8s.gcr.io/autoscaling/cluster-autoscaler:v1.22.2 (debian 11.1)
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


cluster-autoscaler (gobinary)
=============================
Total: 6 (UNKNOWN: 1, LOW: 1, MEDIUM: 2, HIGH: 1, CRITICAL: 1)

+---------------------------+------------------+----------+-------------------+-------------------------------------+---------------------------------------+
|          LIBRARY          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |            FIXED VERSION            |                 TITLE                 |
+---------------------------+------------------+----------+-------------------+-------------------------------------+---------------------------------------+
| github.com/satori/go.uuid | CVE-2021-3538    | CRITICAL | v1.2.0            | 1.2.1-0.20181016170032-d91630c85102 | satori/go.uuid: predictable UUIDs     |
|                           |                  |          |                   |                                     | generated via insecure randomness     |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2021-3538  |
+---------------------------+------------------+----------+-------------------+-------------------------------------+---------------------------------------+
| golang.org/x/text         | CVE-2021-38561   | UNKNOWN  | v0.3.6            | 0.3.7                               | Due to improper index calculation,    |
|                           |                  |          |                   |                                     | an incorrectly formatted              |
|                           |                  |          |                   |                                     | language tag can cause...             |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2021-38561 |
+---------------------------+------------------+----------+-------------------+-------------------------------------+---------------------------------------+
| k8s.io/kubernetes         | CVE-2021-25741   | HIGH     | v1.22.0           | 1.19.15, 1.20.11, 1.21.5,           | kubernetes: Symlink exchange          |
|                           |                  |          |                   | 1.22.2                              | can allow host filesystem access      |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2021-25741 |
+                           +------------------+----------+                   +-------------------------------------+---------------------------------------+
|                           | CVE-2020-8554    | MEDIUM   |                   |                                     | kubernetes: MITM using                |
|                           |                  |          |                   |                                     | LoadBalancer or ExternalIPs           |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2020-8554  |
+                           +------------------+          +                   +-------------------------------------+---------------------------------------+
|                           | CVE-2020-8561    |          |                   |                                     | kubernetes: Webhook                   |
|                           |                  |          |                   |                                     | redirect in kube-apiserver            |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2020-8561  |
+                           +------------------+----------+                   +-------------------------------------+---------------------------------------+
|                           | CVE-2021-25740   | LOW      |                   |                                     | kubernetes: Endpoint &                |
|                           |                  |          |                   |                                     | EndpointSlice permissions allow       |
|                           |                  |          |                   |                                     | cross-Namespace forwarding            |
|                           |                  |          |                   |                                     | -->avd.aquasec.com/nvd/cve-2021-25740 |
+---------------------------+------------------+----------+-------------------+-------------------------------------+---------------------------------------+

@ringtail
Contributor

ringtail commented Apr 7, 2022

@IrisIris pls follow it up.

IrisIris pushed a commit to IrisIris/autoscaler that referenced this issue Apr 12, 2022
@m-barthelemy

According to our Trivy scans, the latest image for 1.24 is also affected.
Would it be possible to make a hotfix release and generate new images?

@m-barthelemy

Hi, is there a chance we could get a new minor release + image generated with the vulnerability fix?

@ringtail
Contributor

@IrisIris ping here.

@sergeyshevch sergeyshevch removed their assignment Jun 30, 2022
@tallclair
Member

/assign @bskiba @MaciekPytel @mwielgus

PTAL

@m-barthelemy

Useless ping, but since this has been opened more than 5 months ago...
I am aware that full testing of the required changes seems to be difficult, as it requires validation on a specific cloud provider (Alicloud), which unfortunately I don't use.

@IrisIris
Contributor

I fixed this issue, but still need some time to do full tests. I'll do my best to PR no later than next Wednesday.

@maartenvanderhoef

This CVE is the only one left, as all the others have been fixed; it would be great if this one could be crossed off the list.

IrisIris added a commit to IrisIris/autoscaler that referenced this issue Oct 10, 2022
IrisIris added a commit to IrisIris/autoscaler that referenced this issue Oct 10, 2022
IrisIris pushed a commit to IrisIris/autoscaler that referenced this issue Oct 21, 2022
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 27, 2022
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 26, 2023
@k8s-ci-robot k8s-ci-robot added the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jan 26, 2023
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

@k8s-ci-robot k8s-ci-robot closed this as not planned (Won't fix, can't repro, duplicate, stale) Feb 25, 2023
@k8s-ci-robot
Contributor

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
