Blueprints that have vulnerabilities with a CVSS score >= 9.0 and meet the following criteria should submit their information in the chart below to have the vulnerability considered for an exception:
- Running at least the minimum OS version required by the Akraino Security Sub-Committee:
  - Ubuntu
  - CentOS
  - Debian
  - Fedora
  - SUSE Enterprise Server
Legend
Ubuntu Priority/Score Descriptions
Priority | Description |
Not Vulnerable | Packages which do not exist in the archive, are not affected by the vulnerability or have a fix applied in the archive. |
Pending | A fix has been applied and updated packages are awaiting arrival into the archive. For example, this might be used when wider testing is requested for the updated package. |
Unknown | Open vulnerability where the priority is currently unknown and needs to be triaged. |
Negligible | Open vulnerability that may be a problem but otherwise does not impose a security risk due to various factors. Examples include when the vulnerability is only theoretical in nature, requires a very special situation, has almost no install base or does no real damage. These typically will not receive security updates unless there is an easy fix and some other issue causes an update. |
Low | Open vulnerability that is a problem but does very little damage or is otherwise hard to exploit due to small user base or other factors such as requiring specific environment, uncommon configuration, user assistance, etc. These tend to be included in security updates only when higher priority issues require an update or if many low priority issues have built up. |
Medium | Open vulnerability that is a real problem and is exploitable for many users of the affected software. Examples include network daemon denial of service, cross-site scripting and gaining user privileges. |
High | Open vulnerability that is a real problem and is exploitable for many users in the default configuration of the affected software. Examples include serious remote denial of service of the system, local root privilege escalations or local data theft. |
Critical | Open vulnerability that is a world-burning problem and is exploitable for most Ubuntu users. Examples include remote root privilege escalations or remote data theft. |
2022-0318 | inoue.reo@fujitsu.com | Medium | No | Approved | |
CVE-2022-3649 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2022-3649 | inoue.reo@fujitsu.com | Medium | No | Approved | |
CVE-2016-1585
CVE-2017-18201
CVE-2017-7827
CVE-2018-5090: Reported fixed in 58 and later version (installed), but still reported by Vuls
CVE-2018-5126: Reported fixed in 58 and later version (installed), but still reported by Vuls
CVE-2018-5145: Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls
CVE-2018-5151: Reported fixed in 60 and later version (installed), but still reported by Vuls
CVE-2019-17041
CVE-2019-17042
CVE-2021-31870
CVE-2021-31872
CVE-2021-31873
CVE-2021-39713
CVE-2022-23852
CVE-2022-23990
CVE-2022-25235
CVE-2022-25236
CVE-2022-25315
CVE-2016-9180
CVE-2019-20433
CVE-2005-2541
CVE-2014-2830
CVE-2016-1585
CVE-2017-17479
CVE-2017-9117
CVE-2018-13410
CVE-2019-1010022
CVE-2019-8341
CVE-2020-27619
CVE-2021-29462
CVE-2021-29921
CVE-2021-30473
CVE-2021-30474
CVE-2021-30475
CVE-2021-30498
CVE-2021-30499
CVE-2021-42377
CVE-2021-45951
CVE-2021-45952
CVE-2021-45953
CVE-2021-45954
CVE-2021-45955
CVE-2021-45956
CVE-2022-23303
CVE-2022-23304
CVE-2021-4048
CVE-2021-43400
CVE-2021-35942: Vendor status is "Released" and ICN is using the referenced glibc version; however, Vuls is still reporting this. Output of lsb_release -a and dpkg -l libc6:
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal
No LSB modules are available.
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-===============-============-=================================
ii libc6:amd64 2.31-0ubuntu9.7 amd64 GNU C Library: Shared libraries
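The notes above record several findings where the installed package is already at or past the version the advisory calls fixed, yet the scanner still flags the CVE. The following is an added example, not code from the page, Akraino or Vuls: a dpkg-style version comparison (epoch, upstream, Debian revision, with the `~` rule) used to mark such reports as likely false positives before an exception is requested. The installed version strings in FINDINGS are constructed assumptions.

```python
import re
from itertools import zip_longest


def _order(c):
    # dpkg order for non-digit chars: '~' sorts before everything (even end of string), letters before symbols
    return -1 if c == "~" else 0 if not c else ord(c) if c.isalpha() else ord(c) + 256


def _cmp_part(a, b):
    """Compare an upstream or revision string the way dpkg --compare-versions does."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 like dpkg: epoch first, then upstream, then Debian revision."""
    parts = []
    for v in (v1, v2):
        epoch, sep, rest = v.partition(":")          # 'epoch:' is optional
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, rev = rest.rpartition("-")    # '-revision' is optional
        parts.append((int(epoch),) + ((upstream, rev) if sep else (rest, "")))
    (e1, u1, r1), (e2, u2, r2) = parts
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


# Constructed findings modelled on the notes above: (CVE, installed version, version the advisory
# calls fixed). Installed versions are assumptions; the third id is a placeholder, not a real CVE.
FINDINGS = [
    ("CVE-2018-5145", "1:52.7.0-0ubuntu1", "1:52.7.0"),
    ("CVE-2021-35942", "2.31-0ubuntu9.7", "2.31-0ubuntu9.7"),
    ("CVE-XXXX-PLACEHOLDER", "2.31-0ubuntu9.7", "2.31-0ubuntu9.9"),
]


def triage(findings):
    """Installed >= fixed marks the report as a likely scanner false positive; otherwise it stands."""
    return {cve: "likely false positive" if compare_versions(inst, fixed) >= 0 else "still vulnerable"
            for cve, inst, fixed in findings}
```

A "likely false positive" verdict still needs the vendor advisory checked for the exact binary package and release, since the scanner may be matching a different package name or a later fixed version than the note assumes.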
KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce a privileged: false policy.
The Calico pod is running in privileged mode.
Exception Reason: Calico is deployed by manifest file and cannot be set to non-privileged mode.
Here is a link regarding the Calico privileged mode issue:
“Replace Kubernetes privileged=true with more precise permissions”
It seems that, after a long time, they have recently added an option to disable it, but only if Calico is deployed with the Calico Operator.
There is also a doc about running the Calico node non-privileged, for the operator only.
In our ELIOT IOT Gateway BP, it is deployed by the calico.yaml file, and with the manifest file they do not support disabling it.
So due to the Calico limitation and our upstream project's dependency on the calico.yaml manifest file, we cannot fix it.
In future, we can ask the upstream EdgeGallery community to use the Calico operator for deployment; if they use the operator, it will be possible to fix this in our BPs.
KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce a privileged: false policy.
The Calico pod is running in privileged mode.
Exception Reason: Calico is deployed by manifest file and cannot be set to non-privileged mode.
Here is a link regarding the Calico privileged mode issue:
“Replace Kubernetes privileged=true with more precise permissions”
It seems that, after a long time, they have recently added an option to disable it, but only if Calico is deployed with the Calico Operator.
There is also a doc about running the Calico node non-privileged, for the operator only.
In our EALTEdge BP, it is deployed by the calico.yaml file, and with the manifest file they do not support disabling it.
So due to the Calico limitation and our upstream project's dependency on the calico.yaml manifest file, we cannot fix it.
In future, we can ask the upstream EdgeGallery community to use the Calico operator for deployment; if they use the operator, it will be possible to fix this in our BPs.
CAP_NET_RAW Enabled
CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required CAP_NET_RAW MUST be removed.
https://www.suse.com/c/demystifying-containers-part-iv-container-security/
For this BP, an exception was approved in the last release; please refer to the last release exception list.
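The KHV044 and CAP_NET_RAW findings above are both decided by the container securityContext. The following is an added example, not code from the page or from Akraino, Calico or the scanner: an offline audit over pod specs that reports a privileged container and any container still holding CAP_NET_RAW (kept by default unless dropped, and held regardless by a privileged container), plus the fix the text states, dropping NET_RAW. The two pod specs are constructed; a manifest-deployed calico-node pod cannot take this fix, as the exception reason explains.

```python
import copy

# Constructed pod specs (assumptions, not from the page): a manifest-deployed calico-node pod running
# privileged as described above, and a workload pod where only one of two containers drops NET_RAW.
CALICO_NODE = {
    "metadata": {"name": "calico-node-x1y2z", "namespace": "kube-system"},
    "spec": {"containers": [{"name": "calico-node", "securityContext": {"privileged": True}}]},
}
APP_POD = {
    "metadata": {"name": "gateway-api-7f9", "namespace": "edge"},
    "spec": {"containers": [
        {"name": "api", "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},
        {"name": "sidecar", "securityContext": {}},  # no drop list: NET_RAW stays in the default set
    ]},
}


def audit_pod(pod):
    """Return (check id, container, message) tuples for KHV044 and CAP_NET_RAW findings."""
    findings = []
    for c in pod["spec"].get("containers", []) + pod["spec"].get("initContainers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        drop = {x.upper() for x in caps.get("drop") or []}
        add = {x.upper() for x in caps.get("add") or []}
        where = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}:{c['name']}"
        privileged = bool(sc.get("privileged"))
        if privileged:
            findings.append(("KHV044", where, "privileged container"))
        # A privileged container holds every capability; otherwise NET_RAW is in the default
        # bounding set unless dropped (as NET_RAW or ALL) and not added back.
        if privileged or "NET_RAW" in add or not (drop & {"NET_RAW", "ALL"}):
            findings.append(("CAP_NET_RAW", where, "CAP_NET_RAW enabled"))
    return findings


def drop_net_raw(pod):
    """Return a copy of the pod with CAP_NET_RAW dropped from every container (the fix stated above)."""
    fixed = copy.deepcopy(pod)
    for c in fixed["spec"].get("containers", []) + fixed["spec"].get("initContainers", []):
        sc = c["securityContext"] = c.get("securityContext") or {}
        caps = sc["capabilities"] = sc.get("capabilities") or {}
        caps["add"] = [x for x in caps.get("add") or [] if x.upper() != "NET_RAW"]
        if not {x.upper() for x in caps.get("drop") or []} & {"NET_RAW", "ALL"}:
            caps["drop"] = list(caps.get("drop") or []) + ["NET_RAW"]
    return fixed
```

Note that drop_net_raw does not clear the KHV044 finding for the privileged pod: a privileged container keeps every capability whatever the drop list says, which is why the Calico case above needs the operator-based deployment rather than this patch.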
Release 5 Blueprint Scanning Status
lsb_release -a :
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic
dpkg -l libspice-server1:
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================================-===============================-===============================-================================================================================================================
ii libspice-server1:arm64 0.14.0-1ubuntu2.1 arm64 Implements the server side of the SPICE protocol
lsb_release -a :
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic
sudo dpkg -l | grep xen
ii libxen-4.9:arm64 4.9.2-0ubuntu1 arm64 Public libs for Xen
ii libxen-dev:arm64 4.9.2-0ubuntu1 arm64 Public headers and libs for Xen
ii libxenstore3.0:arm64 4.9.2-0ubuntu1 arm64 Xenstore communications library for Xen
lsb_release -a :
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic
sudo dpkg -l libopenmpt-modplug1
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================================-===============================-===============================-================================================================================================================
ii libopenmpt-modplug1:arm64 0.3.6-1 arm64 module music library based on OpenMPT -- modplug compat library
CVE-2022-3890 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2022-3890 | inoue.reo@fujitsu.com | Medium | No | Approved | ||
CVE-2022-4135 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2022-4135 |
lsb_release -a :
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic
dpkg -l | grep magick
ii imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.12 all image manipulation programs -- infrastructure
ii libmagickcore-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 low-level image manipulation library -- quantum depth Q16
ii libmagickwand-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 image manipulation library -- quantum depth Q16
magick -version:
Version: ImageMagick 7.1.0-33 beta Q16-HDRI aarch64 a2b2c088f:20220430 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype lzma pangocairo png x xml zlib
Compiler: gcc (7.5)
inoue.reo@fujitsu.com | Medium | No | Approved | ||||||
CVE-2016-9180 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2016-9180 | inoue.reo@fujitsu.com | Low | No | Approved | ||
CVE-2019-20433 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2019-20433 | inoue.reo@fujitsu.com | Low | No | Approved | ||
CVE-2022-24303 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2022-24303 | inoue.reo@fujitsu.com | Low | No | Approved | ||
CVE-2016-1585 | Robot basic architecture based on SSES | Ubuntu 22.04 | https://ubuntu.com/security/CVE-2016-1585 |
lsb_release -a :
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic
dpkg -l | grep magick
ii imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.12 all image manipulation programs -- infrastructure
ii libmagickcore-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 low-level image manipulation library -- quantum depth Q16
ii libmagickwand-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 image manipulation library -- quantum depth Q16
magick -version:
Version: ImageMagick 7.1.0-33 beta Q16-HDRI aarch64 a2b2c088f:20220430 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype lzma pangocairo png x xml zlib
Compiler: gcc (7.5)
Issue: KHV043 - Cluster Health Disclosure
Issue description:
The kubelet is leaking its health information, which may contain sensitive information, via the /healthz endpoint. This endpoint is exposed as part of the kubelet's debug handlers.
Suggested Remediation:
Disable the --enable-debugging-handlers kubelet flag.
Exception Reason:
With the current analysis, the above solution to fix this issue impacts basic commands.
After disabling this flag, we cannot run the logs and exec commands for any container in the cluster, which users require to check their workload; the kubectl "logs" and "exec" commands stop working.
Currently this issue cannot be fixed with the provided solution.
We request an exception for this issue for release 6.
Approved
Note: Approved for incubation only