Are the CVE fixes in v2.0.0-rc.3 applicable to flux v0.38.3

[adamshawvipps]

Hi there.

We are on flux v0.38.3 and I am wondering if we need to upgrade to v2.0.0-rc.3 to address these CVE's or were they introduced later than v0.38.3?

Thanks for your advice

[stefanprodan]

Those CVEs are not of Flux they come from Docker which we depend on. You should be updating Flux every time we do a release, if you want less CVEs.

If you're using Flux v0.38.3 than the Flux images on your cluster are affected by tones of CVEs.

Here is source-controller from Flux v0.38.3

$ trivy image ghcr.io/fluxcd/source-controller:v0.33.0

ghcr.io/fluxcd/source-controller:v0.33.0 (alpine 3.16.3)

Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 8, CRITICAL: 0)

┌──────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├──────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-4450 │ HIGH     │ 1.1.1s-r0         │ 1.1.1t-r0     │ double free after calling PEM_read_bio_ex                  │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215 │          │                   │               │ use-after-free following BIO_new_NDEF                      │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286 │          │                   │               │ X.400 address type confusion in X.509 GeneralName          │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
│              ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464 │          │                   │ 1.1.1t-r1     │ Denial of service by excessive resource usage in verifying │
│              │               │          │                   │               │ X509 policy constraints...                                 │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                  │
│              ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4304 │ MEDIUM   │                   │ 1.1.1t-r0     │ timing attack in RSA Decryption implementation             │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4304                  │
│              ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465 │          │                   │ 1.1.1t-r2     │ Invalid certificate policies in leaf certificates are      │
│              │               │          │                   │               │ silently ignored                                           │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0465                  │
├──────────────┼───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│ libssl1.1    │ CVE-2022-4450 │ HIGH     │                   │ 1.1.1t-r0     │ double free after calling PEM_read_bio_ex                  │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215 │          │                   │               │ use-after-free following BIO_new_NDEF                      │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286 │          │                   │               │ X.400 address type confusion in X.509 GeneralName          │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
│              ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464 │          │                   │ 1.1.1t-r1     │ Denial of service by excessive resource usage in verifying │
│              │               │          │                   │               │ X509 policy constraints...                                 │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                  │
│              ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4304 │ MEDIUM   │                   │ 1.1.1t-r0     │ timing attack in RSA Decryption implementation             │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4304                  │
│              ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465 │          │                   │ 1.1.1t-r2     │ Invalid certificate policies in leaf certificates are      │
│              │               │          │                   │               │ silently ignored                                           │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0465                  │
└──────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

usr/local/bin/source-controller (gobinary)

Total: 9 (UNKNOWN: 1, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)

┌──────────────────────────────────┬─────────────────────┬──────────┬────────────────────────┬──────────────────┬───────────────────────────────────────────────────────────┐
│             Library              │    Vulnerability    │ Severity │   Installed Version    │  Fixed Version   │                           Title                           │
├──────────────────────────────────┼─────────────────────┼──────────┼────────────────────────┼──────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2022-23471      │ MEDIUM   │ v1.6.10                │ 1.5.16, 1.6.12   │ containerd is an open source container runtime. A bug was │
│                                  │                     │          │                        │                  │ found in...                                               │
│                                  │                     │          │                        │                  │ https://avd.aquasec.com/nvd/cve-2022-23471                │
│                                  ├─────────────────────┤          │                        ├──────────────────┼───────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25153      │          │                        │ 1.6.18           │ containerd: OCI image importer memory exhaustion          │
│                                  │                     │          │                        │                  │ https://avd.aquasec.com/nvd/cve-2023-25153                │
│                                  ├─────────────────────┤          │                        │                  ├───────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-25173      │          │                        │                  │ Supplementary groups are not set up properly              │
│                                  │                     │          │                        │                  │ https://avd.aquasec.com/nvd/cve-2023-25173                │
├──────────────────────────────────┼─────────────────────┼──────────┼────────────────────────┼──────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/docker/docker         │ CVE-2023-28840      │ HIGH     │ v20.10.21+incompatible │ 20.10.24, 23.0.3 │ Encrypted overlay network may be unauthenticated          │
│                                  │                     │          │                        │                  │ https://avd.aquasec.com/nvd/cve-2023-28840                │
│                                  ├─────────────────────┼──────────┤                        │                  ├───────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-28841      │ MEDIUM   │                        │                  │ Encrypted overlay network traffic may be unencrypted      │
│                                  │                     │          │                        │                  │ https://avd.aquasec.com/nvd/cve-2023-28841                │
│                                  ├─────────────────────┤          │                        │                  ├───────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-28842      │          │                        │                  │ Encrypted overlay network with a single endpoint is       │
│                                  │                     │          │                        │                  │ unauthenticated                                           │
│                                  │                     │          │                        │                  │ https://avd.aquasec.com/nvd/cve-2023-28842                │
├──────────────────────────────────┼─────────────────────┼──────────┼────────────────────────┼──────────────────┼───────────────────────────────────────────────────────────┤
│ golang.org/x/net                 │ CVE-2022-41723      │ HIGH     │ v0.4.0                 │ 0.7.0            │ avoid quadratic complexity in HPACK decoding              │
│                                  │                     │          │                        │                  │ https://avd.aquasec.com/nvd/cve-2022-41723                │
│                                  ├─────────────────────┼──────────┤                        │                  ├───────────────────────────────────────────────────────────┤
│                                  │ GHSA-vvpx-j8f3-3w6h │ UNKNOWN  │                        │                  │ Uncontrolled Resource Consumption                         │
│                                  │                     │          │                        │                  │ https://github.com/advisories/GHSA-vvpx-j8f3-3w6h         │
├──────────────────────────────────┼─────────────────────┼──────────┼────────────────────────┼──────────────────┼───────────────────────────────────────────────────────────┤
│ helm.sh/helm/v3                  │ CVE-2023-25165      │ MEDIUM   │ v3.10.3                │ 3.11.1           │ getHostByName Function Information Disclosure             │
│                                  │                     │          │                        │                  │ https://avd.aquasec.com/nvd/cve-2023-25165                │
└──────────────────────────────────┴─────────────────────┴──────────┴────────────────────────┴──────────────────┴───────────────────────────────────────────────────────────┘

[hiddeco]

Another thing to note is that for CVEs that really touch the security surface of Flux, we will publish our own security advisories.

[adamshawvipps]

Thanks very much for your quick response and the good talk at Kubecon Amsterdam

[stefanprodan]

@adamshawvipps just to clarify the 2 CVEs, I've updated the changelog to

All components have been updated to patch GHSA-hqxw-f8mx-cpmw and GHSA-2q89-485c-9j2x (note that Flux is not affected, these CVEs are for packages used in tests).

https://github.com/fluxcd/flux2/releases/tag/v2.0.0-rc.3