Security information

Updated the following middleware component versions to resolve vulnerabilities in MKE:

  • [MKE-10828] cri-dockerd 0.3.9

  • [MKE-10715] Azure VNET CNI 1.5.15

  • [FIELD-6602] Node Exporter 1.7.0

  • [MKE-10663] Docker EE CLI 23.0.8

The following table details the specific CVEs addressed, including which images are affected per CVE.

CVE

Status

Image mitigated

Problem details from upstream

CVE-2023-5528

Resolved

  • ucp-dsinfo

  • ucp-compose

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

CVE-2023-3676

Resolved

  • ucp-dsinfo

  • ucp-compose

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

CVE-2023-3955

Resolved

  • ucp-dsinfo

  • ucp-compose

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

CVE-2023-47108

Resolved

  • ucp-dsinfo

  • ucp-compose

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the server’s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider.

CVE-2023-45142

Resolved

  • ucp-dsinfo

  • ucp-compose

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server’s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent. In order to be affected, a program has to use the otelhttp.NewHandler wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, otelhttp.WithFilter() can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label unknown non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

CVE-2023-44487

Resolved

  • ucp-dsinfo

  • ucp-compose

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2023-6779

Resolved

  • ucp-multus-cni

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.

CVE-2023-6246

Resolved

  • ucp-multus-cni

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

CVE-2023-6780

Resolved

  • ucp-multus-cni

An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.