Security information

The MKE 3.6.18 patch release focuses exclusively on CVE mitigation. To this end, the following middleware component versions have been upgraded to resolve vulnerabilities in MKE:

  • Golang 1.22.5

  • Alpine Linux 3.19

  • Calico 3.27.4

The following entries detail the specific CVEs addressed, including which images are mitigated per CVE. Each entry lists the CVE, its status, the mitigated images, and the problem details from upstream.

CVE-2024-4741
  Status: Resolved
  Image mitigated:
    • ucp-agent and all other Linux images
  Problem details from upstream: Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations.

CVE-2024-5535
  Status: Resolved
  Image mitigated:
    • ucp-agent and all other Linux images
  Problem details from upstream: Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

CVE-2024-2961
  Status: Resolved
  Image mitigated:
    • ucp-calico-cni
    • ucp-calico-kube-controllers
    • ucp-calico-node
  Problem details from upstream: The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

CVE-2024-33599
  Status: Resolved
  Image mitigated:
    • ucp-calico-cni
    • ucp-calico-kube-controllers
    • ucp-calico-node
  Problem details from upstream: nscd: Stack-based buffer overflow in netgroup cache. If the Name Service Cache Daemon's (nscd) fixed-size cache is exhausted by client requests, then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.
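After applying the patch, a practitioner will want to confirm that the images actually running carry the component floors stated above (Golang 1.22.5, Alpine Linux 3.19, Calico 3.27.4) rather than trusting the release tag alone. The following script is an added example, not Mirantis tooling: it compares a per-image component inventory against those floors. The inventory shown is constructed sample data; the mapping of the Golang and Alpine floors to every Linux image and of the Calico floor to the three ucp-calico-* images is an assumption drawn from the entries above, and how the inventory is gathered (for instance `docker run --rm --entrypoint cat <image> /etc/alpine-release`) is up to the operator.

```python
"""Post-upgrade check: verify each MKE image meets the component version
floors from the 3.6.18 security notes.

Added example, not Mirantis code. SAMPLE_INVENTORY is constructed data;
fill it from the real images (e.g. /etc/alpine-release, `go version <binary>`,
calico-node -v) before relying on the result.
"""
import re

# Version floors stated in the MKE 3.6.18 security notes.
FLOORS = {
    "golang": "1.22.5",
    "alpine": "3.19",
    "calico": "3.27.4",
}

# Assumption: Golang/Alpine floors apply to every Linux image, the Calico
# floor only to the Calico images named in the CVE entries.
CALICO_IMAGES = {"ucp-calico-cni", "ucp-calico-kube-controllers", "ucp-calico-node"}


def parse_version(text):
    """Extract a numeric version tuple from 'go1.22.5', '3.19.1', 'v3.27.4'."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def at_least(found, floor):
    """Right-pad with zeros so '3.19' == '3.19.0' and '3.19.1' >= '3.19'."""
    n = max(len(found), len(floor))
    return found + (0,) * (n - len(found)) >= floor + (0,) * (n - len(floor))


def check_inventory(inventory):
    """Return (image, component, found, floor) for every component that is
    missing or below its floor. An empty list means the set is at baseline."""
    findings = []
    for image, comps in inventory.items():
        required = ["golang", "alpine"]
        if image in CALICO_IMAGES:
            required.append("calico")
        for comp in required:
            raw = comps.get(comp)
            if raw is None:
                findings.append((image, comp, None, FLOORS[comp]))
            elif not at_least(parse_version(raw), parse_version(FLOORS[comp])):
                findings.append((image, comp, raw, FLOORS[comp]))
    return findings


# Constructed sample inventory: one image still on the pre-patch baseline.
SAMPLE_INVENTORY = {
    "ucp-agent": {"golang": "go1.22.5", "alpine": "3.19.1"},
    "ucp-calico-node": {"golang": "go1.22.5", "alpine": "3.19.1", "calico": "v3.27.4"},
    "ucp-calico-kube-controllers": {"golang": "go1.22.3", "alpine": "3.18.6", "calico": "v3.27.3"},
}

if __name__ == "__main__":
    for image, comp, found, floor in check_inventory(SAMPLE_INVENTORY):
        print(f"{image}: {comp} {found or 'missing'} is below required {floor}")
```

Running the script against the sample data reports the three out-of-date components on ucp-calico-kube-controllers and nothing for the other two images; a missing component is reported as well, so an image whose inventory could not be collected is never silently treated as patched.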