Following the end of life (EOL) of MKE 3.6.x, maintenance of this documentation set was discontinued as of 2024-OCT-13. Refer to the latest MKE 3.x version documentation for current information.

Security information

The MKE 3.6.18 patch release focuses exclusively on CVE mitigation. To this end, the following middleware component versions have been upgraded to resolve vulnerabilities in MKE:

  • Golang 1.22.5

  • Alpine Linux 3.19

  • Calico 3.27.4

The following table details the specific CVEs addressed, including which images are affected per CVE.

CVE-2024-4741
  Status: Resolved
  Images mitigated:
    • ucp-agent and all other Linux images
  Problem details from upstream: .NET and Visual Studio Denial of Service Vulnerability.

CVE-2024-5535
  Status: Resolved
  Images mitigated:
    • ucp-agent and all other Linux images
  Problem details from upstream: Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

CVE-2024-2961
  Status: Resolved
  Images mitigated:
    • ucp-calico-cni
    • ucp-calico-kube-controllers
    • ucp-calico-node
  Problem details from upstream: The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

CVE-2024-33599
  Status: Resolved
  Images mitigated:
    • ucp-calico-cni
    • ucp-calico-kube-controllers
    • ucp-calico-node
  Problem details from upstream: nscd: Stack-based buffer overflow in netgroup cache. If the Name Service Cache Daemon's (nscd) fixed-size cache is exhausted by client requests, then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.