Security information

  • Updated the following middleware component versions to resolve vulnerabilities in MKE:

    • [MKE-10268] cri-dockerd 0.3.5

    • [MKE-10205] NGINX Ingress Controller 1.9.3

  • Resolved CVEs, as detailed:

    CVE

    Status

    Problem details from upstream

    CVE-2023-39325

    Resolved

    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

    CVE-2023-44487

    Resolved

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

    MKE

    MKE provides the disable_http2toml-config to disable http2 on the ucp-controller and other components that may be exposed to untrusted clients, regardless of authentication status. Setting this to true results in MKE-s HTTP servers excluding http2 from the http versions offered for negotiation and clients being unable to negotiate http2 protocol, even if they explicitly specify it.

    The setting is disabled by default. It is provided as a defense in-depth mechanism, in the event of an unforeseen scenario requires untrusted clients hit ports used by any of MKE-s http servers. The best defense continues to be disallowing untrusted clients from hitting any of the ports in use by MKE.

    Kubernetes

    Upstream Kubernetes has introduced the feature gate UnauthenticatedHTTP2DOSMitigation to mitigate against http2 rapid reset attacks on the kube-apiserver. The mitigation applies strictly to scenarios where the kube-apiserver communicates with an unauthenticated or anonymous client. It specifically does not apply to authenticated clients of the kube-apiserver.

    From upstream Kubernetes documentation: “Since this change has the potential to cause issues, the UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to remove this protection (which is enabled by default). For example, when the API server is fronted by an L7 load balancer that is set up to mitigate http2 attacks, unauthenticated clients could force disable connection reuse between the load balancer and the API server (many incoming connections could share the same backend connection). An API server that is on a private network may opt to disable this protection to prevent performance regressions for unauthenticated clients.”

    To enable the configuration, MKE has introduced the unauthenticated_http2_dos_mitigation configuration setting. Edit the setting to true to enable this feature gate.

    CVE-2023-38545

    Resolved

    This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means “let the host resolve the name” could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

    CVE-2023-38546

    Resolved

    This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates “easy handles” that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

    CVE-2023-38039

    Resolved

    When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

    CVE-2023-4911

    Resolved

    When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

    CVE-2022-26788

    Resolved

    PowerShell Elevation of Privilege Vulnerability.

    CVE-2023-4911

    Resolved

    A buffer overflow was discovered in the GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

    CVE-2023-45142

    Partially resolved

    OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server’s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent. In order to be affected, a program has to use the otelhttp.NewHandler wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

    MKE is unaffected by CVE-2023-45142, however some code scanners may still detect the following CVE/Image combinations:

    • CVE-2023-45142/ucp-hyperkube/kubelet

    • CVE-2023-45142/ucp-hyperkube//usr/local/bin/kube-apiserver

    • CVE-2023-45142/ucp-hyperkube//usr/local/bin/kube-scheduler

    • CVE-2023-45142/ucp-hyperkube//usr/local/bin/kube-proxy

    • CVE-2023-45142/ucp-hyperkube//usr/local/bin/kube-controller-manager

  • Mirantis has begun an initiative to align MKE with CIS Benchmarks, where pertinent. The following table details the CIS Benchmark resolutions and improvements that are introduced in MKE 3.7.2:

    CIS Benchmark type/version

    Recommendation designation

    Ticket

    Resolution/Improvement

    Kubernetes 1.7

    1.1.9

    MKE-9909

    File permissions for the CNI config file is set to 600.

    Kubernetes 1.7

    1.1.12

    MKE-10150

    The AlwaysPullImages admission control plugin, disabled by default, can now be enabled. To do so, edit the k8s_always_pull_images_ac_enabled parameter in the cluster_config section of the MKE configuration file.

    Kubernetes 1.7

    1.1.15

    MKE-9907

    File permissions for the kube-scheduler configuration file are restricted to 600.

    Kubernetes 1.7

    1.2.22

    MKE-9902

    The kubernetes apiserver --request-timeout argument can be set.

    Kubernetes 1.7

    1.2.23

    MKE-9992

    The kubernetes apiserver service-account-lookup argument is set explicitly to true.

    Kubernetes 1.7

    1.2.31, 4.2.12

    MKE-9978

    The hardening setting use_strong_tls_ciphers allows for limiting the list of accepted ciphers for cipher_suites_for_kube_api_server, cipher_suites_for_kubelet, and cipher_suites_for_etcd_server to the ciphers considered to be strong.

    Kubernetes 1.7

    1.3.1

    MKE-9990

    MKE now supports the kube_manager_terminated_pod_gc_threshold configuration parameter. Using this parameter, users can set the threshold for the terminated Pod garbage collector in Kube Controller Manager according to their cluster-specific requirement.

    Kubernetes 1.7

    2.7

    MKE-10012

    A separate unique certificate authority is now in place for etcd, with MKE components using certificates issued by it to connect to the component. In line with this new CA:

    • A new internal 12392 TCP port requirement is necessary for manager nodes.

    • Admin client bundles now include etcd_cert.pem and etcd_key.pem to connect directly to etcd. The ca.pem file includes etcd CA in addition to the Cluster and Client CAs.

    • The MKE CLI ca command now supports the rotation of the etcd root CA.

      Note

      Users upgrading to MKE 3.7.2 must rotate the etcd CA after doing so, to ensure the uniqueness of the etcd CA. For more information, refer to MKE etcd Root CA.

    Kubernetes 1.7

    4.1.3

    MKE-9911

    File permissions for the kubeconfig file are set to 600.

    Kubernetes 1.7

    4.1.5

    MKE-9910

    File permissions for the kubelet.conf file are set to 600 or fewer.

    Kubernetes 1.7

    4.1.9

    MKE-9912

    File permissions for the kubelet_daemon.conf file are restricted to 600 or fewer.

    Kubernetes 1.7

    5.1.1

    MKE-10138

    To ensure that the cluster-admin role is only used when necessary, a special ucp-metrics cluster role that has only the necessary permissions is now used by Prometheus.

    Kubernetes 1.7

    5.1.2

    MKE 10197, MKE-10114

    Multus and Calico service accounts no longer use the cluster-admin role, and as such no longer require access to secrets.

    Kubernetes 1.7

    5.1.3

    MKE-10117

    Replaced the Multus CNI template wildcards with the exact resources needed for the CNI Roles and ClusterRoles.