Security information¶
Updated the following middleware component versions to resolve vulnerabilities in MKE:
[MKE-10268] cri-dockerd 0.3.5
[MKE-10205] NGINX Ingress Controller 1.9.3
Resolved CVEs, as detailed:
CVE
Status
Problem details from upstream
Resolved
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Resolved
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
MKE
MKE provides the
disable_http2toml-config
to disable http2 on the ucp-controller and other components that may be exposed to untrusted clients, regardless of authentication status. Setting this totrue
results in MKE-s HTTP servers excluding http2 from the http versions offered for negotiation and clients being unable to negotiate http2 protocol, even if they explicitly specify it.The setting is disabled by default. It is provided as a defense in-depth mechanism, in the event of an unforeseen scenario requires untrusted clients hit ports used by any of MKE-s http servers. The best defense continues to be disallowing untrusted clients from hitting any of the ports in use by MKE.
Kubernetes
Upstream Kubernetes has introduced the feature gate
UnauthenticatedHTTP2DOSMitigation
to mitigate against http2 rapid reset attacks on the kube-apiserver. The mitigation applies strictly to scenarios where the kube-apiserver communicates with an unauthenticated or anonymous client. It specifically does not apply to authenticated clients of the kube-apiserver.From upstream Kubernetes documentation: “Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation
feature gate can be disabled to remove this protection (which is enabled by default). For example, when the API server is fronted by an L7 load balancer that is set up to mitigate http2 attacks, unauthenticated clients could force disable connection reuse between the load balancer and the API server (many incoming connections could share the same backend connection). An API server that is on a private network may opt to disable this protection to prevent performance regressions for unauthenticated clients.”To enable the configuration, MKE has introduced the
unauthenticated_http2_dos_mitigation
configuration setting. Edit the setting totrue
to enable this feature gate.Resolved
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means “let the host resolve the name” could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.
Resolved
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates “easy handles” that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.
Resolved
When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
Resolved
When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
Resolved
PowerShell Elevation of Privilege Vulnerability.
Resolved
A buffer overflow was discovered in the GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
Partially resolved
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server’s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent. In order to be affected, a program has to use the otelhttp.NewHandler wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.
MKE is unaffected by CVE-2023-45142, however some code scanners may still detect the following CVE/Image combinations:
CVE-2023-45142/ucp-hyperkube/kubelet
CVE-2023-45142/ucp-hyperkube//usr/local/bin/kube-apiserver
CVE-2023-45142/ucp-hyperkube//usr/local/bin/kube-scheduler
CVE-2023-45142/ucp-hyperkube//usr/local/bin/kube-proxy
CVE-2023-45142/ucp-hyperkube//usr/local/bin/kube-controller-manager
Mirantis has begun an initiative to align MKE with CIS Benchmarks, where pertinent. The following table details the CIS Benchmark resolutions and improvements that are introduced in MKE 3.7.2:
CIS Benchmark type/version
Recommendation designation
Ticket
Resolution/Improvement
Kubernetes 1.7
1.1.9
MKE-9909
File permissions for the CNI config file is set to
600
.Kubernetes 1.7
1.1.12
MKE-10150
The
AlwaysPullImages
admission control plugin, disabled by default, can now be enabled. To do so, edit thek8s_always_pull_images_ac_enabled
parameter in thecluster_config
section of the MKE configuration file.Kubernetes 1.7
1.1.15
MKE-9907
File permissions for the kube-scheduler configuration file are restricted to
600
.Kubernetes 1.7
1.2.22
MKE-9902
The kubernetes apiserver
--request-timeout
argument can be set.Kubernetes 1.7
1.2.23
MKE-9992
The kubernetes apiserver service-account-lookup argument is set explicitly to
true
.Kubernetes 1.7
1.2.31, 4.2.12
MKE-9978
The hardening setting
use_strong_tls_ciphers
allows for limiting the list of accepted ciphers forcipher_suites_for_kube_api_server
,cipher_suites_for_kubelet
, andcipher_suites_for_etcd_server
to the ciphers considered to be strong.Kubernetes 1.7
1.3.1
MKE-9990
MKE now supports the
kube_manager_terminated_pod_gc_threshold
configuration parameter. Using this parameter, users can set the threshold for the terminated Pod garbage collector in Kube Controller Manager according to their cluster-specific requirement.Kubernetes 1.7
2.7
MKE-10012
A separate unique certificate authority is now in place for etcd, with MKE components using certificates issued by it to connect to the component. In line with this new CA:
A new internal
12392
TCP port requirement is necessary for manager nodes.Admin client bundles now include
etcd_cert.pem
andetcd_key.pem
to connect directly to etcd. Theca.pem file
includes etcd CA in addition to the Cluster and Client CAs.The MKE CLI ca command now supports the rotation of the etcd root CA.
Note
Users upgrading to MKE 3.7.2 must rotate the etcd CA after doing so, to ensure the uniqueness of the etcd CA. For more information, refer to MKE etcd Root CA.
Kubernetes 1.7
4.1.3
MKE-9911
File permissions for the
kubeconfig
file are set to600
.Kubernetes 1.7
4.1.5
MKE-9910
File permissions for the
kubelet.conf
file are set to600
or fewer.Kubernetes 1.7
4.1.9
MKE-9912
File permissions for the
kubelet_daemon.conf
file are restricted to600
or fewer.Kubernetes 1.7
5.1.1
MKE-10138
To ensure that the
cluster-admin
role is only used when necessary, a specialucp-metrics
cluster role that has only the necessary permissions is now used by Prometheus.Kubernetes 1.7
5.1.2
MKE 10197, MKE-10114
Multus and Calico service accounts no longer use the cluster-admin role, and as such no longer require access to secrets.
Kubernetes 1.7
5.1.3
MKE-10117
Replaced the Multus CNI template wildcards with the exact resources needed for the CNI Roles and ClusterRoles.