9/28/2020 Meeting

Akraino Security Sub-Committee Meeting Agenda 9/28/2020

Attendees:

  • Randy Stricklin
  • Wenhui Zhang
  • Tina Tsou
  • Daniil Egranov
  • Mark Meunier
  • Hai

Agenda:

  • Shard Mishra from Intel is looking for someone there who can help us with their version of Platform Security Architecture (PSA).
  • Open Network & Edge Summit (ONES): Virtual 9/28-9/30
  • Questions from Yin Ding
  • We are following this page:  https://wiki.akraino.org/display/AK/Bluval+User+Guide
  • Vuls: All these issues are from upstream OS. Will you give exceptions to them?

All the packages have been updated or upgraded to the latest version in the repo. There are 4 CVEs with CVSS score > 9.0. These require upstream kernel patches, i.e. the CVEs listed below.

  • Need to state on the security wiki concerning host security. (HW/OS/blueprints)
  1. blueprint owner develops on their own/controlled system, OS can be modified (full stack)
  2. blueprint owner only controls above OS level (test environment)

http://nvd.nist.gov/vuln/detail/CVE-2019-19814
   Redhat: https://access.redhat.com/security/cve/cve-2019-19814
   Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19814.html
   SuSE: https://www.suse.com/security/cve/CVE-2019-19814/

http://nvd.nist.gov/vuln/detail/CVE-2018-20839   
   Redhat: https://access.redhat.com/security/cve/cve-2018-20839
   Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20839.html
   SuSE: https://www.suse.com/security/cve/CVE-2018-20839/

http://nvd.nist.gov/vuln/detail/CVE-2017-8283 
   Redhat: Unknown
   Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-8283.htm
   SuSE: Unknown

http://nvd.nist.gov/vuln/detail/CVE-2016-1585 
   Redhat: Unknown
   Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1585.html
   SuSE: https://www.suse.com/security/cve/CVE-2016-1585/

  • Conformance:
    • Sonobuoy is not compatible with KubeEdge architecture. Is it still needed for Release 4?
      • Is Sonobuoy still being updated? Why does it not support KubeEdge? Are there plans for support?
      • Check with Bluval concerning where Sonobuoy logs/reports are sent.


Hai joined:

  • Stated that they have installed the latest versions of Ubuntu and CentOS in their labs and the CVEs listed above are still there. These vulnerabilities have not been fixed by these OS vendors yet.


Next week:

Marc was hoping that the questions around PKCS11 were going to be discussed...

Srini raised it before.