In correlation with the end of life (EOL) for MKE 3.7.x, maintenance of this documentation set was discontinued as of 2025-AUG-29.

Security information

The MKE 3.7.13 patch release focuses exclusively on CVE mitigation. To this end, the following middleware component versions have been upgraded to resolve vulnerabilities in MKE:

  • [MKE-11602] [MKE-11595] Debian stable-20240722-slim

  • Golang 1.22.5

  • Alpine Linux 3.19

  • Calico 3.28.1

The following table details the specific CVEs addressed, including which images are affected per CVE.

| CVE | Status | Image mitigated | Problem details from upstream |
|---|---|---|---|
| CVE-2024-28835 | Resolved | ucp-multus-cni | A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the `certtool --verify-chain` command. |
| CVE-2023-50387 | Resolved | ucp-multus-cni | Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. |
| CVE-2023-50868 | Resolved | ucp-multus-cni | The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. |
| CVE-2024-38095 | Resolved | ucp-agent-win, ucp-kube-binaries-win, ucp-containerd-shim-process-win, ucp-hardware-info-win, ucp-pause-win | .NET and Visual Studio Denial of Service Vulnerability. |
| CVE-2024-4741 | Resolved | ucp-agent and all other Linux images | CVE has been reserved by an organization or individual and is not currently available in the NVD. |
| CVE-2024-5535 | Resolved | ucp-agent and all other Linux images | Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. |
| CVE-2024-2961 | Resolved | ucp-calico-cni, ucp-calico-kube-controllers, ucp-calico-node | The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable. |
| CVE-2024-33599 | Resolved | ucp-calico-cni, ucp-calico-kube-controllers, ucp-calico-node | nscd: Stack-based buffer overflow in netgroup cache. If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. |
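The two DNSSEC entries above (CVE-2023-50387, "KeyTrap", and CVE-2023-50868, "NSEC3") share one root cause: the protocol text lets a single response dictate how much CPU a validating resolver spends. The added Python model below is not code from MKE, Multus, or any resolver; it shows the cost a naive validator incurs when every DNSKEY collides on key tag and algorithm and no RRSIG validates (the "all combinations" case from the KeyTrap description), the mitigation shape resolvers adopted (a budget on failed verifications and a cap on NSEC3 iterations, following RFC 9276 guidance), and the RFC 5155 hash construction itself. The record classes, the `toy_verify` stand-in for a public-key check, the budget of 16 failures and the iteration cap of 100 are all constructed for this example.

```python
"""Work-budget model for DNSSEC validation (added example, not resolver code).

Models the CPU-exhaustion issues behind KeyTrap (CVE-2023-50387) and the NSEC3
closest-encloser issue (CVE-2023-50868), and the mitigation shape used against
them: bound the work a single response may demand. All records, key material
stand-ins and limits here are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


class WorkBudgetExceeded(Exception):
    """A single response asked for more validation work than the resolver allows."""


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    key_id: str  # constructed stand-in for the public key material


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signed_by: str  # constructed: the key_id that actually validates this signature


def toy_verify(sig: RRSIG, key: DNSKEY) -> bool:
    """Stand-in for an expensive public-key signature verification."""
    return sig.signed_by == key.key_id


def candidate_pairs(dnskeys, rrsigs):
    """RFC 4035 pairing: a signature is only tried against keys whose key tag and
    algorithm match. A KeyTrap-style response makes every key collide on both
    fields, so this filter alone removes nothing."""
    for sig in rrsigs:
        for key in dnskeys:
            if (key.key_tag, key.algorithm) == (sig.key_tag, sig.algorithm):
                yield sig, key


def unbounded_validation_cost(dnskeys, rrsigs) -> int:
    """Naive validator: verifies until one signature succeeds, with no ceiling.
    Returns the number of verifications performed (len(keys) * len(sigs) when
    nothing validates)."""
    attempts = 0
    for sig, key in candidate_pairs(dnskeys, rrsigs):
        attempts += 1
        if toy_verify(sig, key):
            break
    return attempts


def bounded_validation(dnskeys, rrsigs, max_failed_verifications: int = 16):
    """Hardened validator: same pairing, but the whole response is rejected once
    the failed-verification budget is spent. Returns (attempts, validated)."""
    attempts = failures = 0
    for sig, key in candidate_pairs(dnskeys, rrsigs):
        attempts += 1
        if toy_verify(sig, key):
            return attempts, True
        failures += 1
        if failures >= max_failed_verifications:
            raise WorkBudgetExceeded(f"{failures} failed signature verifications")
    return attempts, False


def nsec3_hash(owner_name: str, salt: bytes, iterations: int, max_iterations: int = 100) -> bytes:
    """RFC 5155 hash: SHA-1(name || salt), re-hashed with the salt `iterations`
    more times. Per RFC 9276 a validator should not perform unbounded iteration
    work; the cap of 100 is this example's assumption."""
    if iterations > max_iterations:
        raise WorkBudgetExceeded(f"NSEC3 iteration count {iterations} exceeds cap {max_iterations}")
    # Canonical wire-format owner name: length-prefixed lowercase labels, root terminator.
    trimmed = owner_name.rstrip(".")
    labels = trimmed.split(".") if trimmed else []
    wire = b"".join(bytes([len(lbl)]) + lbl.lower().encode("ascii") for lbl in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def keytrap_style_response(n_keys: int, n_sigs: int):
    """Constructed response: every DNSKEY shares one key tag and algorithm, and no
    RRSIG validates against any of them."""
    keys = [DNSKEY(key_tag=12345, algorithm=13, key_id=f"k{i}") for i in range(n_keys)]
    sigs = [RRSIG(key_tag=12345, algorithm=13, signed_by="no-such-key") for _ in range(n_sigs)]
    return keys, sigs


if __name__ == "__main__":
    keys, sigs = keytrap_style_response(32, 32)
    print("naive validator performed", unbounded_validation_cost(keys, sigs), "verifications")
    try:
        bounded_validation(keys, sigs)
    except WorkBudgetExceeded as exc:
        print("bounded validator rejected the response:", exc)
    print("NSEC3 hash, 10 iterations:", nsec3_hash("example.com", b"\xaa\xbb\xcc\xdd", 10).hex())
    try:
        nsec3_hash("example.com", b"", 2500)
    except WorkBudgetExceeded as exc:
        print("NSEC3 hashing refused:", exc)
```

The point of the model is the ratio, not the absolute numbers: a 32-key, 32-signature response costs the naive validator 1,024 verifications, while the bounded one stops after its budget and answers the client with a failure instead of burning CPU. A legitimate response with one valid signature still validates under the budget, which is the property any such limit has to preserve.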