Security information

The MKE 3.7.13 patch release focuses exclusively on CVE mitigation. To this end, the following middleware component versions have been upgraded to resolve vulnerabilities in MKE:

  • [MKE-11602] [MKE-11595] Debian stable-20240722-slim

  • Golang 1.22.5

  • Alpine Linux 3.19

  • Calico 3.28.1

The following table details the specific CVEs addressed, including which images are affected per CVE.

| CVE | Status | Image mitigated | Problem details from upstream |
| --- | --- | --- | --- |
| CVE-2024-28835 | Resolved | ucp-multus-cni | A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the “certtool --verify-chain” command. |
| CVE-2023-50387 | Resolved | ucp-multus-cni | Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the “KeyTrap” issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. |
| CVE-2023-50868 | Resolved | ucp-multus-cni | The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the “NSEC3” issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. |
| CVE-2024-38095 | Resolved | ucp-agent-win, ucp-kube-binaries-win, ucp-containerd-shim-process-win, ucp-hardware-info-win, ucp-pause-win | .NET and Visual Studio Denial of Service Vulnerability. |
| CVE-2024-4741 | Resolved | ucp-agent and all other Linux images | CVE has been reserved by an organization or individual and is not currently available in the NVD. |
| CVE-2024-5535 | Resolved | ucp-agent and all other Linux images | Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. |
| CVE-2024-2961 | Resolved | ucp-calico-cni, ucp-calico-kube-controllers, ucp-calico-node | The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable. |
| CVE-2024-33599 | Resolved | ucp-calico-cni, ucp-calico-kube-controllers, ucp-calico-node | nscd: Stack-based buffer overflow in netgroup cache. If the Name Service Cache Daemon’s (nscd) fixed size cache is exhausted by client requests, then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. |