Upgrade busybox to 3.6.1 #10452

Closed
alopukhov opened this issue Jul 4, 2024 · 5 comments
Comments

@alopukhov
alopukhov commented Jul 4, 2024

Please consider upgrading busybox to v3.6.1 and/or upgrading buildroot to newer version.

Currently k3s ships busybox based on version 3.5.0 which is affected by
https://nvd.nist.gov/vuln/detail/CVE-2022-30065
https://nvd.nist.gov/vuln/detail/CVE-2022-28391

Current upstream buildroot version (2022.08.1) includes patches for these CVEs. (buildroot 2022.08.1 does not include patches)
Despite that some vulnerability scanners (e.g. Aqua) mark the k3s busybox binary as affected by them.
More than that, they mark them as High Severity CVEs. That is quite uncomfortable as it requires manual checks for newer k3s versions.

I'm not aware about CVE-2022-28391 (https://bugs.busybox.net/show_bug.cgi?id=15001)
CVE-2022-30065 is fixed in busybox v3.6.1 according to https://busybox.net/

Upstream buildroot upgraded busybox to version 3.6.1 since https://gitlab.com/buildroot.org/buildroot/-/commit/a7e4f557f5c5874c84d6ae2e28d752603e18ab3f about a year ago.

@brandond brandond transferred this issue from k3s-io/k3s-root Jul 4, 2024
@zhangguanzhang

go.mod (gomod)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬──────────┬─────────────────────┬─────────────────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │  Status  │  Installed Version  │        Fixed Version        │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼──────────┼─────────────────────┼─────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/docker/docker                                     │ CVE-2024-29018 │ MEDIUM   │ fixed    │ 25.0.4+incompatible │ 26.0.0-rc3, 25.0.5, 23.0.11 │ moby: external DNS requests from 'internal' networks could  │
│                                                              │                │          │          │                     │                             │ lead to data exfiltration...                                │
│                                                              │                │          │          │                     │                             │ https://avd.aquasec.com/nvd/cve-2024-29018                  │
├──────────────────────────────────────────────────────────────┼────────────────┤          │          ├─────────────────────┼─────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-retryablehttp                        │ CVE-2024-6104  │          │          │ 0.7.4               │ 0.7.7                       │ go-retryablehttp: url might write sensitive information to  │
│                                                              │                │          │          │                     │                             │ log file                                                    │
│                                                              │                │          │          │                     │                             │ https://avd.aquasec.com/nvd/cve-2024-6104                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤          ├─────────────────────┼─────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH     │          │ 0.45.0              │ 0.46.0                      │ opentelemetry-go-contrib: DoS vulnerability in otelgrpc due │
│ rg/grpc/otelgrpc                                             │                │          │          │                     │                             │ to unbound cardinality metrics                              │
│                                                              │                │          │          │                     │                             │ https://avd.aquasec.com/nvd/cve-2023-47108                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤          ├─────────────────────┼─────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net                                             │ CVE-2023-45288 │ MEDIUM   │          │ 0.17.0              │ 0.23.0                      │ golang: net/http, x/net/http2: unlimited number of          │
│                                                              │                │          │          │                     │                             │ CONTINUATION frames causes DoS                              │
│                                                              │                │          │          │                     │                             │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
├──────────────────────────────────────────────────────────────┼────────────────┤          ├──────────┼─────────────────────┼─────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ gopkg.in/square/go-jose.v2                                   │ CVE-2024-28180 │          │ affected │ 2.6.0               │                             │ jose-go: improper handling of highly compressed data        │
│                                                              │                │          │          │                     │                             │ https://avd.aquasec.com/nvd/cve-2024-28180                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴──────────┴─────────────────────┴─────────────────────────────┴─────────────────────────────────────────────────────────────┘

@alopukhov
Author

Unfortunately I can't attach the Aqua report.
grype report below

> docker run --rm --volume /var/run/docker.sock:/var/run/docker.sock --name Grype anchore/grype:latest -v rancher/k3s:v1.30.2-k3s2-amd64
[0000]  INFO grype version: 0.79.2
[0000]  INFO downloading new vulnerability DB
[0021]  INFO downloaded new vulnerability DB version=5 built="2024-07-05 01:30:56 +0000 UTC"
[0022]  WARN unable to determine linux distribution: unable to determine distro type
[0022]  INFO found 16 vulnerability matches across 437 packages
NAME                                                                         INSTALLED             FIXED-IN  TYPE       VULNERABILITY        SEVERITY
busybox                                                                      1.35.0                          binary     CVE-2022-30065       High
busybox                                                                      1.35.0                          binary     CVE-2022-28391       High
github.com/docker/docker                                                     v25.0.4+incompatible  25.0.5    go-module  GHSA-mq39-4gv4-mvpx  Medium
github.com/hashicorp/go-retryablehttp                                        v0.7.4                0.7.7     go-module  GHSA-v6v8-xj6m-xwqh  Medium
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc  v0.45.0               0.46.0    go-module  GHSA-8pgv-569h-w5rw  High
golang.org/x/net                                                             v0.17.0               0.23.0    go-module  GHSA-4v7x-pqxf-cx7m  Medium
golang.org/x/net                                                             v0.8.0                0.17.0    go-module  GHSA-4374-p667-p6c8  High
golang.org/x/net                                                             v0.8.0                0.17.0    go-module  GHSA-qppj-fm5r-hxr3  Medium
golang.org/x/net                                                             v0.8.0                0.23.0    go-module  GHSA-4v7x-pqxf-cx7m  Medium
golang.org/x/net                                                             v0.8.0                0.13.0    go-module  GHSA-2wrh-6pvc-2jm9  Medium
google.golang.org/protobuf                                                   v1.27.1               1.33.0    go-module  GHSA-8r3f-844c-mc37  Medium
gopkg.in/square/go-jose.v2                                                   v2.6.0                          go-module  GHSA-c5q2-7r4c-mv6g  Medium
stdlib                                                                       go1.22.4                        go-module  CVE-2024-24791       Unknown
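The grype table above is the artifact that makes this issue "uncomfortable": the busybox rows carry a High severity and an empty FIXED-IN column, so a reviewer has to check them by hand on every release. As an added example that is not code from this thread, from k3s or from grype, the script below parses grype's default table output and pulls out exactly those rows. Column boundaries are read from the header line, so a blank FIXED-IN cell stays empty instead of shifting the later columns, which is what a split-on-whitespace parser does. The sample report is constructed here (a subset of the rows in the report above, laid out with the same two-space padding grype uses); the helper and function names are this example's own.

```python
import re
from collections import Counter

# Severity labels as grype prints them in the SEVERITY column ("Unknown" is what
# it shows when the database carries no rating), ranked for filtering.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

HEADER_COLUMNS = ["NAME", "INSTALLED", "FIXED-IN", "TYPE", "VULNERABILITY", "SEVERITY"]


def _table_row(*fields, widths=(28, 22, 10, 11, 21)):
    """Lay out one row the way grype's table formatter does: every column except
    the last is left-justified and padded to its widest value plus two spaces.
    Only used to build the constructed sample below."""
    cells = [f.ljust(w) for f, w in zip(fields[:-1], widths)] + [fields[-1]]
    return "".join(cells).rstrip()


# Constructed sample: the log lines grype prints before the table, followed by
# a subset of the rows from the report in this thread.
SAMPLE_REPORT = "\n".join([
    "[0022]  WARN unable to determine linux distribution: unable to determine distro type",
    "[0022]  INFO found 16 vulnerability matches across 437 packages",
    _table_row(*HEADER_COLUMNS),
    _table_row("busybox", "1.35.0", "", "binary", "CVE-2022-30065", "High"),
    _table_row("busybox", "1.35.0", "", "binary", "CVE-2022-28391", "High"),
    _table_row("github.com/docker/docker", "v25.0.4+incompatible", "25.0.5", "go-module", "GHSA-mq39-4gv4-mvpx", "Medium"),
    _table_row("golang.org/x/net", "v0.17.0", "0.23.0", "go-module", "GHSA-4v7x-pqxf-cx7m", "Medium"),
    _table_row("gopkg.in/square/go-jose.v2", "v2.6.0", "", "go-module", "GHSA-c5q2-7r4c-mv6g", "Medium"),
    _table_row("stdlib", "go1.22.4", "", "go-module", "CVE-2024-24791", "Unknown"),
])


def parse_grype_table(text):
    """Parse grype's default table output into a list of dicts keyed by the
    header names. Everything before the header (progress/log lines) is skipped;
    cell boundaries come from the header's column start offsets."""
    lines = text.splitlines()
    header_idx = next(
        (i for i, ln in enumerate(lines) if ln.startswith("NAME ") and "VULNERABILITY" in ln),
        None,
    )
    if header_idx is None:
        raise ValueError("no grype table header found")
    header = lines[header_idx]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to end of line
    names = [header[s:e].strip() for s, e in bounds]
    rows = []
    for line in lines[header_idx + 1:]:
        if not line.strip():
            continue
        cells = [line[s:e].strip() for s, e in bounds]
        rows.append(dict(zip(names, cells)))
    return rows


def findings_for(rows, package):
    """All findings reported against one package name (e.g. "busybox")."""
    return [r for r in rows if r["NAME"] == package]


def at_least(rows, severity):
    """Findings whose severity is at or above the given label."""
    floor = SEVERITY_RANK[severity]
    return [r for r in rows if SEVERITY_RANK.get(r["SEVERITY"], 0) >= floor]


def without_fix(rows):
    """Findings where grype lists no fixed version: these need a manual review
    (backported patch? rebuild against a newer upstream?) rather than a bump."""
    return [r for r in rows if not r["FIXED-IN"]]


def severity_counts(rows):
    """Count of findings per severity label."""
    return dict(Counter(r["SEVERITY"] for r in rows))


if __name__ == "__main__":
    rows = parse_grype_table(SAMPLE_REPORT)
    print("findings by severity:", severity_counts(rows))
    for r in without_fix(at_least(rows, "High")):
        print(f"{r['NAME']} {r['INSTALLED']}: {r['VULNERABILITY']} ({r['SEVERITY']}), no fixed version listed")
```

Pipe a real run into it (`grype -v <image> | python3 this_script.py`, after swapping SAMPLE_REPORT for `sys.stdin.read()`) and the High-without-fix list is the set of rows that a version bump alone will not clear; for the image in this thread that is the two busybox CVEs.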

@brandond brandond self-assigned this Jul 5, 2024
@brandond brandond moved this from New to Accepted in K3s Development Jul 5, 2024
@brandond brandond added this to the v1.30.3+k3s1 milestone Jul 5, 2024
@brandond
Member

brandond commented Jul 8, 2024

Current upstream buildroot version (2022.08.1) includes patches for this CVEs.

I'm curious about this assertion - we have been shipping buildroot 2022.08.1 for 2 years, since k3s-io/k3s-root#54. Did you mean to link a different buildroot version - 2022.08.3 perhaps? I see that https://github.com/buildroot/buildroot/commits/2022.08.3/package/busybox does include fixes for both of the linked vulns.

@alopukhov
Author

alopukhov commented Jul 10, 2024

Current upstream buildroot version (2022.08.1) includes patches for this CVEs.

I'm curious about this assertion - we have been shipping buildroot 2022.08.1 for 2 years, since k3s-io/k3s-root#54. Did you mean to link a different buildroot version - 2022.08.3 perhaps? I see that https://github.com/buildroot/buildroot/commits/2022.08.3/package/busybox does include fixes for both of the linked vulns.

My bad. Looked at 2022.08.
You are right, 2022.08.1 does not include patches.

@brandond brandond moved this from Peer Review to To Test in K3s Development Jul 10, 2024
@VestigeJ VestigeJ self-assigned this Jul 16, 2024
@VestigeJ

#10467 (comment)

@github-project-automation github-project-automation bot moved this from To Test to Done Issue in K3s Development Jul 19, 2024

No branches or pull requests

4 participants