Approved Blueprints

IEC Type 2
  • Information Disclosure: Exposed pods. An attacker could view sensitive information about the pods bound to a node through the kubelet's /pods endpoint.
  • KHV043 (Information Disclosure): Cluster Health Disclosure. By accessing the open /healthz handler, an attacker could read the cluster health state without authenticating.
  • KHV044 (Access Risk): Privileged Container. A privileged container exists on a node and could expose the node/cluster to unwanted root operations.

    The security issues observed seem to be specific to the microk8s cluster. We ran the sonobuoy tests & kube-hunter against k3s and there are no issues in the master setup. We are working with Canonical to review our configuration.

    The following exceptions must be fixed prior to maturity review:


    Project Name

    Vuls Scan

    • Pass/Fail
    • Exceptions

    Lynis Scan

    • Pass/Fail
    • Exceptions

    Kube-Hunter Scan

    • Pass/Fail
    • Exceptions
    1. ELIOT SD-WAN/WAN Edge/uCPE Blueprint

    Kube-Hunter Scan: the following exceptions must be fixed prior to maturity review:

    1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
    2. Enterprise Applications on Lightweight 5G Telco Edge

    Kube-Hunter Scan: the following exceptions must be fixed prior to maturity review:

    1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
    3. Public Cloud Edge Interface (PCEI) Blueprint

    Lynis Scan: the following exceptions must be fixed prior to maturity review:

    1. Test ID AUTH-9328 (default umask values)

    Reason: <Oleg Berzin> Cannot fix AUTH-9328 because changing the umask value to 027 caused the lynis test suite to fail (does not run).

    Kube-Hunter Scan: the following exceptions must be fixed prior to maturity review:

    1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
    4. The AI Edge: Federated ML application at edge

    Release 5: Akraino CVE Vulnerability Exception Request

    5. KNI Provider Access Edge

    Kube-Hunter Scan: the following exceptions must be fixed prior to maturity review:

    1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
    6. KNI Industrial Edge

    Kube-Hunter Scan: the following exceptions must be fixed prior to maturity review:

    1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
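    The two pod-level findings that recur on this page, the KHV044 privileged container reported against IEC Type 2 and the CAP_NET_RAW exception carried by blueprints 1 to 6, can both be checked from a plain `kubectl get pods -A -o json` dump before kube-hunter is run. The script below is an added example written for this page; it is not code from any Akraino blueprint or from kube-hunter. It audits such a dump for privileged containers and for containers that still hold CAP_NET_RAW (including the trap of dropping it and adding it back), and it builds the securityContext change that clears the CAP_NET_RAW exception. The pod list, the pod and container names, and the file-argument convention are all constructed for the example.

```python
"""Added example, not Akraino or kube-hunter code: audit a `kubectl get pods -A -o json`
dump for privileged containers (KHV044) and containers that still hold CAP_NET_RAW, and
build the securityContext fix that clears the CAP_NET_RAW exception."""
import copy
import json
import sys

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster output).
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [
        # No securityContext at all: the runtime default capability set applies, which includes NET_RAW.
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}},
        # KHV044: privileged container (gets every capability regardless of any drop list).
        {"metadata": {"namespace": "kube-system", "name": "cni-agent"},
         "spec": {"containers": [{"name": "agent", "image": "cni",
                                  "securityContext": {"privileged": True}}]}},
        # Hardened: dropping ALL covers NET_RAW.
        {"metadata": {"namespace": "default", "name": "hardened"},
         "spec": {"containers": [{"name": "app", "image": "app",
                                  "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}},
        # Init container drops NET_RAW but adds it straight back; `add` wins over `drop`.
        {"metadata": {"namespace": "default", "name": "readded"},
         "spec": {"initContainers": [{"name": "init", "image": "busybox",
                                      "securityContext": {"capabilities": {
                                          "drop": ["NET_RAW"], "add": ["CAP_NET_RAW"]}}}],
                  "containers": [{"name": "app", "image": "app",
                                  "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}},
    ],
}


def _cap(name):
    """Normalise capability spelling: Kubernetes accepts both NET_RAW and CAP_NET_RAW."""
    n = name.upper()
    return n[4:] if n.startswith("CAP_") else n


def _containers(pod):
    """Yield every container in a pod, init containers included (they run with capabilities too)."""
    for kind in ("initContainers", "containers"):
        for c in pod.get("spec", {}).get(kind, []):
            yield c


def holds_net_raw(container):
    """True if the container ends up with CAP_NET_RAW.

    The CRI default capability set includes NET_RAW, so it is present unless the container
    drops NET_RAW or ALL, and an explicit `add` restores it even after a drop.
    """
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True
    caps = sc.get("capabilities") or {}
    added = {_cap(c) for c in caps.get("add") or []}
    dropped = {_cap(c) for c in caps.get("drop") or []}
    if "NET_RAW" in added:
        return True
    return not ({"NET_RAW", "ALL"} & dropped)


def audit(pod_list):
    """Return (namespace/pod, container, finding) tuples for privileged containers and for
    containers that still hold CAP_NET_RAW; a privileged container is reported once."""
    findings = []
    for pod in pod_list["items"]:
        ref = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for c in _containers(pod):
            if (c.get("securityContext") or {}).get("privileged"):
                findings.append((ref, c["name"], "privileged"))
            elif holds_net_raw(c):
                findings.append((ref, c["name"], "CAP_NET_RAW"))
    return findings


def drop_net_raw(pod):
    """Return a copy of the pod with NET_RAW dropped in every container and removed from any
    `add` list. This is the per-workload fix for the CAP_NET_RAW exception; it does not touch
    `privileged`, which needs a design change rather than a capability edit."""
    fixed = copy.deepcopy(pod)
    for c in _containers(fixed):
        sc = c.get("securityContext") or {}
        c["securityContext"] = sc
        caps = sc.get("capabilities") or {}
        sc["capabilities"] = caps
        added = [a for a in caps.get("add") or [] if _cap(a) != "NET_RAW"]
        if added:
            caps["add"] = added
        else:
            caps.pop("add", None)
        dropped = caps.get("drop") or []
        if not ({"NET_RAW", "ALL"} & {_cap(d) for d in dropped}):
            caps["drop"] = dropped + ["NET_RAW"]
    return fixed


if __name__ == "__main__":
    # Usage: python audit_caps.py [pods.json]   (defaults to the constructed sample above)
    pods = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POD_LIST
    for ref, name, finding in audit(pods):
        print(f"{finding:12s} {ref} container={name}")
    remaining = audit({"items": [drop_net_raw(p) for p in pods["items"]]})
    print(f"after dropping NET_RAW: {len(remaining)} finding(s) left")
```

    Dropping NET_RAW per workload is the fix the exception asks for; the cluster-wide way to keep it from coming back is an admission policy that rejects pods whose containers do not drop it, which this script does not implement. Note that a privileged container is never cleared by a capability edit, so the `cni-agent` finding survives remediation by design.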
    7. Smart Data Transaction for CPS

    Vuls Scan: see results here

    Logs: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt-vuls/2/

    Exceptions requested for the following:

    CVE-2016-1585
    CVE-2021-20236
    CVE-2021-31870
    CVE-2021-31872
    CVE-2021-31873
    CVE-2021-33574
    CVE-2021-45951
    CVE-2021-45952
    CVE-2021-45953
    CVE-2021-45954
    CVE-2021-45955
    CVE-2021-45956
    CVE-2021-45957
    CVE-2022-23218
    CVE-2022-23219
    CVE-2016-9180
    CVE-2021-35942

    Exception Requests

    Passing incubation criteria

    Lynis Scan: see results here

    Logs: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt-lynis/2/

    Pass

    *1 test case failure due to a suspected tool issue

    Kube-Hunter Scan: see results here

    Logs: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt-bluval/2/

    2. Integrated Cloud Native NFV/App stack family (Short term: ICN)

    Vuls Scan: see results here

    Exceptions requested for the following:

    • CVE-2021-33574
    • CVE-2019-19814
    • CVE-2021-35942

    Exception requests

    Lynis Scan: see results here

    Exceptions requested for the following:

    • BOOT-5122: GRUB boot password interferes with the unattended reboot during OS provisioning.
    • USB-2000: USB hubs and HID devices must be enabled for BMC console redirection.
    • SSH-7408: MaxSessions of 2 prevents Lynis from running under BluVal; the Lynis etc. robot files need to be updated to handle a different port.
    • KRNL-6000: kernel module loading is required by the accelerator drivers; IP forwarding is required by k8s.

    Kube-Hunter Scan: see results here

    Pass

    3. IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Family

    Vuls Scan: see results here

    Exceptions requested for the following:

    CVE-2021-43527
    CVE-2014-9939
    CVE-2015-4042
    CVE-2022-22822
    CVE-2022-22823
    CVE-2022-22824
    CVE-2022-23852
    CVE-2022-25235
    CVE-2022-25236
    CVE-2022-25315

    Lynis Scan: see results here

    Exceptions requested for the following:

    • BOOT-5122: GRUB boot password interferes with the unattended reboot during OS provisioning.
    • USB-2000: USB hubs and HID devices must be enabled for BMC console redirection.
    • HRDN-7220: Lynis reports "Performing test ID HRDN-7220 already exists"

    Kube-Hunter Scan: see results here

    We are not using Kubernetes, so we do not need to do a Kube-Hunter scan.

    ...