Versions Compared

Old Version 12

changes.mady.by.user Ysemi

Saved on

compared with

New Version Current

changes.mady.by.user Daniil Egranov

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

1.6.1+dfsg.3-2ubuntu1

...

CVE/KHV #BlueprintBlueprint OS/VerURL Showing OS Patch Not AvailableContact NameContact EmailCommentVendor CVSS ScoreVendor Patch AvailableException Status
CVE-2016-1585Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2016-1585Colin Peterscolin.peters@fujitsu.com
MediumNoApproved
CVE-2021-20236Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-20236

Colin Peters

colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-31870Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-31870

Colin Peters

colin.peters@fujitsu.com
LowNoApproved
CVE-2021-31872Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-31872

Colin Peters

colin.peters@fujitsu.com
LowNoApproved
CVE-2021-31873Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-31873

Colin Peters

colin.peters@fujitsu.com
LowNoApproved
CVE-2021-33574Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-33574

Colin Peters

colin.peters@fujitsu.com
LowNoApproved
CVE-2021-45951Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45951

Colin Peters

colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45952Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45952

Colin Peters

colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45953Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45953

Colin Peters

colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45954Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45954

Colin Peters

colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45955Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45955

Colin Peters

colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45956Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45956

Colin Peters

colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45957Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45957

Colin Peters

colin.peters@fujitsu.com
MediumNoApproved
CVE-2022-23218Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2022-23218

Colin Peters

colin.peters@fujitsu.com
LowReported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls.Approved
CVE-2022-23219Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2022-23219

Colin Peters

colin.peters@fujitsu.com
LowReported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls.Approved
CVE-2016-9180Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2016-9180

Colin Peters

colin.peters@fujitsu.com
LowNoApproved
CVE-2021-35942Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-35942

Colin Peters

colin.peters@fujitsu.com

LowReported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls.Approved

CVE-2016-1585

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2016-1585

inoue

inoue.reo@fujitsu.com



MediumNoApproved

CVE-2017-18201

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2017-18201

inoue

inoue.reo@fujitsu.com



LowNoApproved

CVE-2017-7827

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2017-7827

inoue

inoue.reo@fujitsu.com


MediumNoApproved

CVE-2018-5090

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2018-5090

inoue

inoue.reo@fujitsu.com
Medium

Reported fixed in 58 and later version (installed), but still reported by Vuls

Approved

CVE-2018-5126

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2018-5126

inoue

inoue.reo@fujitsu.com
Medium

Reported fixed in 58 and later version (installed), but still reported by Vuls

Approved

CVE-2018-5145

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2018-5145

inoue

inoue.reo@fujitsu.com
Medium

Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls

Approved

CVE-2018-5151

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2018-5151

inoue

inoue.reo@fujitsu.com
Medium

Reported fixed in 60 and later version (installed), but still reported by Vuls

Approved

CVE-2019-17041

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2019-17041

inoue

inoue.reo@fujitsu.com
LowNoApproved

CVE-2019-17042

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2019-17042

inoue

inoue.reo@fujitsu.com
LowNoApproved

CVE-2021-31870

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2021-31870

inoue

inoue.reo@fujitsu.com
LowNoApproved

CVE-2021-31872

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2021-31872

inoue

inoue.reo@fujitsu.com
LowNoApproved

CVE-2021-31873

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2021-31873

inoue

inoue.reo@fujitsu.com
LowNoApproved

CVE-2021-39713

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2021-39713

inoue

inoue.reo@fujitsu.com
LowNoApproved

CVE-2022-23852

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2022-23852

inoue

inoue.reo@fujitsu.com
MediumNoApproved

CVE-2022-23990

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2022-23990

inoue

inoue.reo@fujitsu.com
MediumNoApproved

CVE-2022-25235

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2022-25235

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2022-25236

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2022-25236

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2022-25315

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2022-25315

inoue

inoue.reo@fujitsu.com
MediumNoApproved

CVE-2016-9180

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2016-9180

inoue

inoue.reo@fujitsu.com
LowNoApproved

CVE-2019-20433

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2019-20433

inoue

inoue.reo@fujitsu.com
LowNoApproved

CVE-2005-2541

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2005-2541

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2014-2830

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2014-2830

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2016-1585

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2016-1585

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2017-17479

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2017-17479

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2017-9117

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2017-9117

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2018-13410

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2018-13410

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2019-1010022

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2019-1010022

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2019-8341

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2019-8341

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2020-27619

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2020-27619

inoue

inoue.reo@fujitsu.com
High
Approved

CVE-2021-29462

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-29462

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-29921

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-29921

inoue

inoue.reo@fujitsu.com
HighReported fixed in python3.9 (installed), but still reported by VulsApproved

CVE-2021-30473

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-30473

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-30474

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-30474

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-30475

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-30475

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-30498

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-30498

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-30499

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-30499

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-42377

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-42377

inoue

inoue.reo@fujitsu.com
MediumNoApproved

CVE-2021-45951

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45951

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-45952

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45952

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-45953

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45953

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-45954

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45954

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-45955

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45955

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-45956

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45956

inoue

inoue.reo@fujitsu.com
HighNoApproved

CVE-2022-23303

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2022-23303

inoue

inoue.reo@fujitsu.com
MediumNoApproved

CVE-2022-23304

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2022-23304

inoue

inoue.reo@fujitsu.com
MediumNoApproved

CVE-2021-4048

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-4048

inoue

inoue.reo@fujitsu.com
MediumNoApproved

CVE-2021-43400

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-43400

inoue

inoue.reo@fujitsu.com
MediumNoApproved
CVE-2021-33574ICNUbuntu 20.04https://ubuntu.com/security/CVE-2021-33574Kuralamudhan Ramakrishnan (Deactivated)kuralamudhan.ramakrishnan@intel.com
LowNoApproved
CVE-2019-19814ICNUbuntu 20.04https://ubuntu.com/security/CVE-2019-19814

Kuralamudhan Ramakrishnan (Deactivated)

kuralamudhan.ramakrishnan@intel.com
LowNoApproved

CVE-2021-35942

ICNUbuntu 20.04https://ubuntu.com/security/CVE-2021-35942

Kuralamudhan Ramakrishnan (Deactivated)

kuralamudhan.ramakrishnan@intel.com

Vendor status is "Released" and ICN is using the referenced glibc version, however vuls is still reporting this.  lsb_release -a; dpkg -l libc6 output:

Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.4 LTS
Release:	20.04
Codename:	focal
No LSB modules are available.
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version         Architecture Description
+++-==============-===============-============-=================================
ii  libc6:amd64    2.31-0ubuntu9.7 amd64        GNU C Library: Shared libraries
LowYesApproved
KHV044ELIOT - IOTGateway


khemendra.kumar@huawei.com

KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy.

Calico pod is running in privileged Mode. 


Exception Reason: Calico deployed by manifest file, can not be set to non privileged mode.

Here is a link regarding the Calico Privilege Mode issue.
Replace Kubernetes privileged=true with more precise permissions

It seems after long time they have make option to disable recently but only if calico deployed with Calic Operator.
And there is a doc about non-priviledged use of running Calico node for operator only.

In our ELIOT IOT Gateway BP, it is deployed by calico.yaml file.
and with manifest file, they don't support to disable it.

So due to Calico limitation, and our ustream project dependency on calico.yaml manifest file, we can not fix it.

IN future, we can ask the upstream EdgeGallery community to use calico operator for deployment and if they use operator, then it will be able to fix in our BPs,



Approved
KHV044EALTEdge - Enterprise application on 5G light weight telco edge


khemendra.kumar@huawei.com

KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy.

Calico pod is running in privileged Mode. 


Exception Reason: Calico deployed by manifest file, can not be set to non privileged mode.

Here is a link regarding the Calico Privilege Mode issue.
Replace Kubernetes privileged=true with more precise permissions

It seems after long time they have make option to disable recently but only if calico deployed with Calic Operator.
And there is a doc about non-priviledged use of running Calico node for operator only.

In our EALTEdge BP, it is deployed by calico.yaml file.
and with manifest file, they don't support to disable it.

So due to Calico limitation, and our ustream project dependency on calico.yaml manifest file, we can not fix it.

IN future, we can ask the upstream EdgeGallery community to use calico operator for deployment and if they use operator, then it will be able to fix in our BPs,



Approved
CAP_NET_RAWEALTEdge - Enterprise application on 5G light weight telco edge


khemendra.kumar@huawei.com

CAP_NET_RAW Enabled
CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required CAP_NET_RAW MUST be removed.
https://www.suse.com/c/demystifying-containers-part-iv-container-security/


For this BP, execption is approved in last release. plz refer last release exeception list

Release 5 Blueprint Scanning Status



Approved
CVE-2017-12194IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint FamilyUbuntu 18.04https://ubuntu.com/security/cve-2017-12194Ysemird-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l libspice-server1:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================================-===============================-===============================-================================================================================================================
ii libspice-server1:arm64 0.14.0-1ubuntu2.1 arm64 Implements the server server side of the SPICE protocol

MediumNoApproved 
CVE-2018-12892IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint FamilyUbuntu 18.04https://ubuntu.com/security/cve-2018-12892

Ysemi

rd-sw@ysemi.cnMedium

lsb_release -a :

No

ApprovedCVE-2019-17113IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family

LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS

https

Release:

//ubuntu.com/security/cve-2019-17113		Ysemird-sw@ysemi.cnMediumNoApprovedCVE-2019-19948IEC Type 3:

18.04
Codename: bionic

sudo dpkg -l | grep xen

ii libxen-4.9:arm64 4.9.2-0ubuntu1 arm64 Public libs for Xen
ii libxen-dev:arm64 4.9.2-0ubuntu1 arm64 Public headers and libs for Xen
ii libxenstore3.0:arm64 4.9.2-0ubuntu1 arm64 Xenstore communications library for Xen


MediumNoApproved
CVE-2019-17113IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint FamilyUbuntu 18.04https://ubuntu.com/security/cve-2019-1994817113Ysemird-sw@ysemi.cnLow

lsb_release -a :

No

CVE-2019-19949IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint FamilyUbuntu

LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04

https://ubuntu.com/security/cve-2019-19949Ysemird-sw@ysemi.cnLowNo

Codename: bionic

sudo dpkg -l libopenmpt-modplug1

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================================-===============================-===============================-================================================================================================================
ii libopenmpt-modplug1:arm64 0.3.6-1 arm64 module music library based on OpenMPT -- modplug compat library


MediumNoApproved
CVE-2019-19948IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint FamilyUbuntu 18.04https://ubuntu.com/security/cve-2019-19948

Ysemi

rd-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l | grep magick

ii imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.12 all image manipulation programs -- infrastructure
ii libmagickcore-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 low-level image manipulation library -- quantum depth Q16
ii libmagickwand-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 image manipulation library -- quantum depth Q16

magick -version:

Version: ImageMagick 7.1.0-33 beta Q16-HDRI aarch64 a2b2c088f:20220430 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype lzma pangocairo png x xml zlib
Compiler: gcc (7.5)

LowNoApproved
CVE-2019-19949IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint FamilyUbuntu 18.04https://ubuntu.com/security/cve-2019-19949Ysemird-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l | grep magick

ii imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.12 all image manipulation programs -- infrastructure
ii libmagickcore-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 low-level image manipulation library -- quantum depth Q16
ii libmagickwand-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 image manipulation library -- quantum depth Q16

magick -version:

Version: ImageMagick 7.1.0-33 beta Q16-HDRI aarch64 a2b2c088f:20220430 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype lzma pangocairo png x xml zlib
Compiler: gcc (7.5)


LowNoApproved
KHV043EALTEdge - Enterprise application on 5G light weight telco edge


khemendra.kumar@huawei.com

IssueKHV043 - Cluster Health Disclosure

Issue description:
 The kubelet is leaking it’s health information, which may contain sensitive information, via the /healthz endpoint. This endpoint is exposed as part of the kubelet’s debug handlers.
Suggested Remediation: 
Disable --enable-debugging-handlers kubelet flag.
Exception Reason:

With current analysis, the above solution to fix this issue is causing impact on basic commands. 
Like after disabling this flag, we can not do logs and exec cmd for any container in the cluster, which is required for users to check their workload.

if disable kubelet debug flags, then it is not possible to see the logs of any pods Or do exec cmds.
So after disabling this flag, kubectl "logs" & "exec" cmd is not working.

Currently this issue can not be fixed with the provided solution. 
We request an exception for this issue for release 6.



Approved

Note: Approved for incubation only

KHV043ELIOT - IOT Gateway


khemendra.kumar@huawei.com

IssueKHV043 - Cluster Health Disclosure

Issue description:
 The kubelet is leaking it’s health information, which may contain sensitive information, via the /healthz endpoint. This endpoint is exposed as part of the kubelet’s debug handlers.
Suggested Remediation: 
Disable --enable-debugging-handlers kubelet flag.
Exception Reason:

With current analysis, the above solution to fix this issue is causing impact on basic commands. 
Like after disabling this flag, we can not do logs and exec cmd for any container in the cluster, which is required for users to check their workload.

if disable kubelet debug flags, then it is not possible to see the logs of any pods Or do exec cmds.
So after disabling this flag, kubectl "logs" & "exec" cmd is not working.

Currently this issue can not be fixed with the provided solution. 
We request an exception for this issue for release 6.



Approved

Note: Approved for incubation only