OpenSSL CVE-2022-0778 #8339

Closed
zer0stars opened this issue Mar 15, 2022 · 17 comments · Fixed by giantswarm/ingress-nginx-app#292
Assignees: strongjz
Labels: kind/bug, priority/backlog, priority/important-soon, triage/accepted

Comments

@zer0stars commented Mar 15, 2022

OpenSSL Vulnerability:
https://www.openssl.org/news/secadv/20220315.txt

Opening this issue to track openssl upgrade.

@zer0stars zer0stars added the kind/bug Categorizes issue or PR as related to a bug. label Mar 15, 2022
@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Mar 15, 2022
@longwuyuan (Contributor)

/remove-kind bug

Please post a scan report

@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. and removed kind/bug Categorizes issue or PR as related to a bug. labels Mar 16, 2022
@luryus commented Mar 16, 2022

This can't require a scan report of any kind.

v0.50.0 image ships with openssl 1.1.1l. The linked advisory clearly shows that this is vulnerable, and the fix is in openssl 1.1.1n. As the n version was only released yesterday, this issue also affects ingress-nginx v1.1.2.

New images with updated openssl must be released for both v0.50 and v1.1. This has to be done ASAP.

@longwuyuan (Contributor)

For someone to take action on this, a scan report showing the vulnerability would become the basis to take an action.
I take it that the fix should be done without a scan report now.

Someone else thankfully reported an XML vulnerability and it's visible in a scan, as seen below. That helps a lot:

```
[~]
% docker images | grep -i "ingress-nginx/controller"
k8s.gcr.io/ingress-nginx/controller   7e5c1cecb086   2 weeks ago   286MB

% grype docker images | grep -i "ingress-nginx/controller" | awk '{print $3}'
 ✔ Vulnerability DB        [updated]
New version of grype is available: 0.34.1
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [113 packages]
 ✔ Scanned image           [4 vulnerabilities]

NAME                                 INSTALLED   FIXED-IN    VULNERABILITY        SEVERITY
google.golang.org/protobuf           v1.27.1                 CVE-2015-5237        High
google.golang.org/protobuf           v1.27.1                 CVE-2021-22570       High
libxml2                              2.9.12-r1   2.9.13-r0   CVE-2022-23308       High
[~]
% grype k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8
 ✔ Vulnerability DB        [no update available]
New version of grype is available: 0.34.1
 ✔ Pulled image
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [115 packages]
 ✔ Scanned image           [6 vulnerabilities]

NAME                                 INSTALLED   FIXED-IN    VULNERABILITY        SEVERITY
github.com/opencontainers/runc       v1.0.1      1.0.3       GHSA-v95c-p5hm-xq8f  Medium
github.com/prometheus/client_golang  v1.11.0                 CVE-2022-21698       High
google.golang.org/protobuf           v1.26.0                 CVE-2015-5237        High
google.golang.org/protobuf           v1.26.0                 CVE-2021-22570       High
libxml2                              2.9.12-r1   2.9.13-r0   CVE-2022-23308       High
[~]
%
```

@longwuyuan (Contributor)

/priority important-soon

@luryus, you are right and I was wrong in asking for a scan report. Thanks for your clear comments. I think your comments are very helpful and expose a major change that is needed in the project.

I think we are now facing the situation that there is no automated alert on a new vulnerability. So now we need to create automation to periodically check and alert for new vulnerabilities.


@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority labels Mar 16, 2022
@longwuyuan (Contributor)

/kind bug
/triage accepted

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 16, 2022
@longwuyuan (Contributor)

/priority backlog

@k8s-ci-robot k8s-ci-robot added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Mar 16, 2022
@strongjz strongjz self-assigned this Mar 16, 2022
@eXeDK commented Mar 28, 2022

Any idea when a new release with this patched will be released?

@strongjz (Member) commented Apr 1, 2022

@k8s-ci-robot (Contributor)

@strongjz: Closing this issue.

In response to this:

patched in https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v.1.1.3

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@hahewlet commented Apr 1, 2022

@luryus noted that "v0.50.0 image ships with openssl 1.1.1l."

@strongjz Will a new image be created for 0.50.0 as well?

@hebestreit commented Apr 5, 2022

@strongjz When testing the update for v0.51.0 I noticed some issues.

The latest Chart version v3.41.0 hasn't been released because of a failed step in the CI pipeline:

```
/home/runner/work/_actions/helm/chart-releaser-action/v1.1.0/cr.sh: line 47: CR_TOKEN: Environment variable CR_TOKEN must be set
Error: Process completed with exit code 1.
```

https://github.com/kubernetes/ingress-nginx/runs/5807081527?check_suite_focus=true#step:4:32

So I tried to set the image tag manually inside my values.yaml to apply the security fix, which didn't work because you need to set the digest instead of a version tag.

I also noticed that the digest inside the values.yaml hasn't been updated in your PR #8422 and still refers to an older image which will overwrite the definition inside the Chart.yaml or under image.tag.

https://github.com/kubernetes/ingress-nginx/blob/legacy/charts/ingress-nginx/values.yaml#L18-L19

If someone needs to apply the security fix immediately you can use this inside your values.yaml:

```yaml
controller:
  image:
    digest: "sha256:df2f0bcddb9295986f019231956fb0e78788032420b15ef99d48fcf9305e8a04"
```

```
docker run --entrypoint /bin/bash k8s.gcr.io/ingress-nginx/controller@sha256:df2f0bcddb9295986f019231956fb0e78788032420b15ef99d48fcf9305e8a04 -c "apk list | grep -E \"openssl|libxml\""
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.14/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.14/community: No such file or directory
libssl1.1-1.1.1n-r0 x86_64 {openssl} (OpenSSL) [installed]
libxml2-2.9.13-r0 x86_64 {libxml2} (MIT) [installed]
openssl-1.1.1n-r0 x86_64 {openssl} (OpenSSL) [installed]
libcrypto1.1-1.1.1n-r0 x86_64 {openssl} (OpenSSL) [installed]
```
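The periodic check longwuyuan asks for above, and the `apk list` verification hebestreit runs against the patched digest, can both be automated by parsing that output and comparing versions with the fixed-in values quoted in this thread. The following is an added example, not code from the ingress-nginx project; it uses a simplified Alpine version ordering (dotted numbers, an optional trailing letter so that 1.1.1l sorts before 1.1.1n, and the `-rN` package release) and does not handle `_rc`/`_p` style suffixes. The sample outputs below are constructed from the lines posted in the thread.

```python
"""Flag Alpine packages in `apk list` output that are older than a known fixed-in version."""
import re
from typing import Dict, List, Tuple

# Fixed-in versions as stated in this issue thread (openssl 1.1.1n for
# CVE-2022-0778, libxml2 2.9.13 for CVE-2022-23308). Constructed table.
FIXED_IN: Dict[str, str] = {
    "openssl": "1.1.1n-r0",
    "libssl1.1": "1.1.1n-r0",
    "libcrypto1.1": "1.1.1n-r0",
    "libxml2": "2.9.13-r0",
}

# Constructed sample: the patched image output from the thread, plus an older
# image (openssl 1.1.1l, libxml2 2.9.12-r1) shaped like the v0.50.0 scan.
PATCHED_OUTPUT = """WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.14/main: No such file or directory
libssl1.1-1.1.1n-r0 x86_64 {openssl} (OpenSSL) [installed]
libxml2-2.9.13-r0 x86_64 {libxml2} (MIT) [installed]
openssl-1.1.1n-r0 x86_64 {openssl} (OpenSSL) [installed]
libcrypto1.1-1.1.1n-r0 x86_64 {openssl} (OpenSSL) [installed]
"""
OLD_OUTPUT = """libssl1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
libxml2-2.9.12-r1 x86_64 {libxml2} (MIT) [installed]
openssl-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
libcrypto1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
"""

# "name-version arch {origin} (license) [installed]"; the version starts at the
# first '-' followed by a digit, so hyphenated package names still parse.
_LINE = re.compile(r"^(?P<name>\S+?)-(?P<ver>\d\S*)\s+\S+\s+\{")


def parse_version(ver: str) -> Tuple[List[int], str, int]:
    """Split '1.1.1n-r0' into ([1, 1, 1], 'n', 0) for tuple comparison."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version format: {ver}")
    return [int(x) for x in m.group(1).split(".")], m.group(2), int(m.group(3) or 0)


def parse_apk_list(output: str) -> Dict[str, str]:
    """Map installed package name -> version, ignoring WARNING and other noise lines."""
    installed: Dict[str, str] = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m and "[installed]" in line:
            installed[m.group("name")] = m.group("ver")
    return installed


def outdated(installed: Dict[str, str], fixed_in: Dict[str, str] = FIXED_IN) -> Dict[str, Tuple[str, str]]:
    """Return {package: (installed_version, fixed_in_version)} for packages still below the fix."""
    return {name: (installed[name], fix) for name, fix in fixed_in.items()
            if name in installed and parse_version(installed[name]) < parse_version(fix)}
```

Run it against the output of the `docker run ... apk list` command above to confirm a digest actually carries the fix, or on a schedule against the currently deployed digest to get the alert the thread says was missing.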

@longwuyuan (Contributor)

/reopen

@k8s-ci-robot k8s-ci-robot reopened this Apr 6, 2022
@k8s-ci-robot (Contributor)

@longwuyuan: Reopened this issue.

In response to this:

/reopen


@strongjz (Member) commented Apr 6, 2022

Thanks for the heads up @hebestreit

Should be resolved in #8441

@hebestreit
@strongjz thanks for the fast reaction. The fix works. 👍

@longwuyuan (Contributor)

/close

@k8s-ci-robot (Contributor)

@longwuyuan: Closing this issue.

In response to this:

/close


razvan-moj added a commit to ministryofjustice/cloud-platform-terraform-ingress-controller that referenced this issue Apr 11, 2022