Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/rancher/rancher: GHSA-6m9f-pj6w-w87g #1736

Closed
GoVulnBot opened this issue Apr 24, 2023 · 3 comments
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-6m9f-pj6w-w87g, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/rancher/rancher 2.7.3 >= 2.6.0, < 2.7.3

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/rancher/rancher
    versions:
      - introduced: 2.6.0
        fixed: 2.7.3
    packages:
      - package: github.com/rancher/rancher
summary: Rancher Webhook is misconfigured during upgrade process
description: "### Impact\n\nA failure in the update logic of Rancher's admission Webhook
    may lead to the misconfiguration of the Webhook. This component enforces validation
    rules and security checks before resources are admitted into the Kubernetes cluster.\n\nWhen
    the Webhook is operating in a degraded state, it no longer validates any resources,
    which may result in severe privilege escalations and data corruption.\n\nThe issue
    only affects users that upgrade from `2.6.x` or `2.7.x` to `2.7.2`. Users that
    did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected.\n\nThe
    command below can be executed on the `local` cluster to determine whether the
    cluster is affected by this issue:\n\n```sh\n$ kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io
    rancher.cattle.io\n\nNAME                WEBHOOKS   AGE\nrancher.cattle.io   0
    \        19h\n```\n\nIf the resulting webhook quantity is `0`, the Rancher instance
    is affected.\n\n### Patches\n\nPatched versions include release `2.7.3` and later
    versions.\n\n### Workarounds\n\nIf you are affected and cannot update to a patched
    Rancher version, the recommended workaround is to manually reconfigure the Webhook
    with the script below. Please note that the script must be run from inside the
    `local` cluster or with a kubeconfig pointing to the `local` cluster which has
    admin permissions.\n\n```yaml\n#!/bin/bash\n\nset -euo pipefail\n\nfunction prereqs()
    {\n    if ! [ -x \"$(command -v kubectl)\" ]; then\n      echo \"error: kubectl
    is not installed.\" >&2\n      exit 1\n    fi\n\n    if [[ -z \"$(kubectl config
    view -o jsonpath='{.clusters[].cluster.server}')\" ]]; then\n        echo \"error:
    No kubernetes cluster found on kubeconfig.\" >&2\n        exit 1\n    fi\n}\n\nfunction
    restart_deployment(){\n    kubectl rollout restart deployment rancher-webhook
    -n cattle-system\n    kubectl rollout status deployment rancher-webhook -n cattle-system
    --timeout=30s\n}\n\nfunction workaround() {\n    echo \"Cluster: $(kubectl config
    view -o jsonpath='{.clusters[].cluster.server}')\"\n\n    if ! kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io
    rancher.cattle.io > /dev/null 2>&1; then\n        echo \"webhook rancher.cattle.io
    not found, restarting deployment:\"\n        restart_deployment\n\n        echo
    \"waiting for webhook configuration\"\n        sleep 15s\n    fi\n\n    local
    -i webhooks\n    webhooks=\"$(kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io
    rancher.cattle.io --no-headers | awk '{ print $2 }')\"\n\n    if [ \"${webhooks}\"
    == \"0\" ]; then\n        echo \"Webhook misconfiguration status: Cluster is affected
    by CVE-2023-22651\"\n        \n        echo \"Running workaround:\"\n        kubectl
    delete validatingwebhookconfiguration rancher.cattle.io\n        restart_deployment\n\n
    \       ret=$?\n        if [ $ret -eq 0 ]; then\n            echo \"Webhook restored,
    CVE-2023-22651 is fixed\"\n        else\n            echo \"error trying to restart
    deployment. try again in a few seconds.\"\n        fi\n    else\n        echo
    \"Webhook misconfiguration status: not present (skipping)\"\n    fi\n\n    echo
    \"Done\"\n}\n\nfunction main() {\n    prereqs\n    workaround\n}\n\nmain\n```\n\n###
    For more information\nIf you have any questions or comments about this advisory:\n\n-
    Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy)
    for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose)
    repository.\n- Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/)
    and [product support lifecycle](https://www.suse.com/lifecycle/)."
cves:
  - CVE-2023-22651
ghsas:
  - GHSA-6m9f-pj6w-w87g
references:
  - advisory: https://github.com/rancher/rancher/security/advisories/GHSA-6m9f-pj6w-w87g
  - web: https://github.com/rancher/rancher/releases/tag/v2.7.3
  - advisory: https://github.com/advisories/GHSA-6m9f-pj6w-w87g

@zpavlinovic zpavlinovic self-assigned this Apr 24, 2023
@zpavlinovic zpavlinovic added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Apr 25, 2023
@zpavlinovic
Copy link
Contributor

The fix is for a server code located in a different module and in a package that is not imported by anyone.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/488995 mentions this issue: data/excluded: batch add GO-2023-1738, GO-2023-1736, GO-2023-1743, GO-2023-1742, GO-2023-1741, GO-2023-1740, GO-2023-1739

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

3 participants