Security information

The MKE 3.7.3 patch release focuses exclusively on CVE mitigation. To this end, the following middleware component versions have been upgraded to resolve vulnerabilities in MKE:

  • [MKE-10346] Interlock 3.3.12

  • [MKE-10682] Calico 3.26.4/Calico for Windows 3.26.4

  • [SECMKE-113] cri-dockerd 0.3.7

  • [FIELD-6558] NGINX Ingress Controller 1.9.4

  • [MKE-10340] CoreDNS 1.11.1

  • [MKE-10309] Prometheus 2.48.0

  • [SECMKE-122] NVIDIA GPU Feature Discovery 0.8.2

  • [MKE-10586] Gatekeeper 3.13.4

The following table details the specific CVEs addressed, including which images are affected per CVE.

CVE

Status

Image mitigated

Problem details from upstream

CVE-2022-4886

Resolved

  • ucp-kube-ingress-controller

Ingress-nginx path sanitization can be bypassed with log_format directive.

Mitigation in MKE ingress controller was achieved by setting strict-validate-path-type and enable-annotation-validation. In addition, you can use OPA Gatekeeper in MKE 3.7.x to enforce stricter validation.

CVE-2023-3676

Partially resolved

  • ucp-nvidia-device-plugin

  • ucp-nvidia-gpu-feature-discovery

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

CVE-2023-3955

Partially resolved

  • ucp-nvidia-device-plugin

  • ucp-nvidia-gpu-feature-discovery

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

CVE-2023-5043

Resolved

  • ucp-kube-ingress-controller

Ingress nginx annotation injection causes arbitrary command execution.

Mitigation in MKE ingress controller was achieved by setting strict-validate-path-type and enable-annotation-validation. In addition, you can use OPA Gatekeeper in MKE 3.7.x to enforce stricter validation.

CVE-2023-5044

Resolved

  • ucp-kube-ingress-controller

Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.

Mitigation in MKE ingress controller was achieved by setting strict-validate-path-type and enable-annotation-validation. In addition, you can use OPA Gatekeeper in MKE 3.7.x to enforce stricter validation.

CVE-2023-5528

Resolved

  • ucp-nvidia-gpu-feature-discovery

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

CVE-2023-39325

Partially resolved

  • ucp-alertmanager

  • ucp-azure-ip-allocator

  • ucp-blackbox-exporter

  • ucp-calico-cni

  • ucp-calico-kube-controllers

  • ucp-calico-node

  • ucp-coredns

  • ucp-gatekeeper

  • ucp-hyperkube

  • ucp-interlock

  • ucp-interlock-extension

  • ucp-kube-ingress-controller

  • ucp-kube-state-metrics

  • ucp-metallb-controller

  • ucp-metallb-speaker

  • ucp-metrics

  • ucp-metrics-swarm-only

  • ucp-node-exporter

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

CVE-2023-44487

Partially resolved

  • ucp

  • ucp-agent

  • ucp-alertmanager

  • ucp-azure-ip-allocator

  • ucp-blackbox-exporter

  • ucp-calico-cni

  • ucp-calico-kube-controllers

  • ucp-calico-node

  • ucp-containerd-shim-process

  • ucp-controller

  • ucp-coredns

  • ucp-gatekeeper

  • ucp-hyperkube

  • ucp-interlock

  • ucp-interlock-extension

  • ucp-kube-ingress-controller

  • ucp-kube-state-metrics

  • ucp-metallb-controller

  • ucp-metallb-speaker

  • ucp-metrics

  • ucp-metrics-swarm-only

  • ucp-multus-cni

  • ucp-node-exporter

  • ucp-nvidia-device-plugin

  • ucp-nvidia-gpu-feature-discovery

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2023-45142

Partially resolved

  • ucp-hyperkube

  • ucp-metrics

  • ucp-metrics-swarm-only

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server’s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent. In order to be affected, a program has to use the otelhttp.NewHandler wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.