Hello KubeEdge Community,
6 security issues were discovered in KubeEdge:
· CVE-2022-31080 (rated Moderate, score 4.4): WebSocket client in package Viaduct: DoS from a large response message
· CVE-2022-31079 (rated Moderate, score 4.4): Cloud Stream and Edge Stream: DoS from a large stream message
· CVE-2022-31078 (rated Moderate, score 4.4): CloudCore Router: a large HTTP response can exhaust memory in the REST handler
· CVE-2022-31075 (rated Moderate, score 4.9): DoS when signing the CSR from EdgeCore
· CVE-2022-31074 (rated Moderate, score 4.5): Cloud AdmissionController component: DoS by exhausting node memory with an HTTP request containing a large body
· CVE-2022-31073 (rated Moderate, score 6.5): Edge ServiceBus module: DoS by exhausting node memory with an HTTP request containing a large body
· CVE-2022-31080: affects deployments where users authenticated to the edge side connect from the edge side to CloudHub over the WebSocket protocol.
· CVE-2022-31079: affects deployments only when the cloudStream module is enabled in cloudcore.yaml and the edgeStream module is enabled in edgecore.yaml.
· CVE-2022-31078: affects deployments only when the router module is enabled in cloudcore.yaml.
· CVE-2022-31075: affects deployments only when the CloudHub module is enabled in cloudcore.yaml.
· CVE-2022-31074: affects deployments where a Cloud AdmissionController is deployed.
· CVE-2022-31073: affects deployments only when the ServiceBus module is enabled in edgecore.yaml.
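All six issues belong to one class: a peer sends a request body, response or stream message larger than the process is prepared to hold, and the receiver buffers it in full. The Go program below is an added example of that class and its usual mitigation, written for this page; it is not KubeEdge code and does not reproduce KubeEdge's patches. It places an unbounded io.ReadAll handler beside one bounded with http.MaxBytesReader, and adds a client-side io.LimitReader for the oversized-response direction. The 1 MiB limit (maxBody) is a placeholder; the advisory does not state which limits the project adopted.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// maxBody is an illustrative per-message limit (assumption: the advisory does
// not state which limits KubeEdge adopted). Pick a value that fits your payloads.
const maxBody int64 = 1 << 20 // 1 MiB

// vulnerableHandler is the pattern behind the "large body exhausts memory" class:
// it buffers the entire request body with no upper bound, so the remote peer
// decides how much memory the process allocates.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("X-Bytes-Read", strconv.Itoa(len(body)))
	w.WriteHeader(http.StatusOK)
}

// hardenedHandler wraps the body in http.MaxBytesReader, which fails the read
// with *http.MaxBytesError as soon as more than maxBody bytes arrive and tells
// the server to close the connection, so nothing beyond the limit is buffered.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBody)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("X-Bytes-Read", strconv.Itoa(len(body)))
	w.WriteHeader(http.StatusOK)
}

// readBoundedResponse is the client-side counterpart for the "large response
// message" class: io.LimitReader caps how much of an upstream reply is ever held
// in memory, and reading one extra byte reveals whether the limit was exceeded.
func readBoundedResponse(resp *http.Response, limit int64) ([]byte, error) {
	defer resp.Body.Close()
	data, err := io.ReadAll(io.LimitReader(resp.Body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, fmt.Errorf("response body exceeds %d bytes", limit)
	}
	return data, nil
}

// post sends a constructed body of n bytes to h and reports the status code and
// how many bytes the handler actually buffered (0 when it refused the request).
func post(h http.HandlerFunc, n int) (status int, buffered int) {
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(strings.Repeat("A", n)))
	rec := httptest.NewRecorder()
	h(rec, req)
	buffered, _ = strconv.Atoi(rec.Header().Get("X-Bytes-Read"))
	return rec.Code, buffered
}

// fetch starts a throwaway upstream that replies with n constructed bytes and
// reads it through readBoundedResponse with the given limit.
func fetch(n int, limit int64) (int, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, strings.Repeat("B", n))
	}))
	defer srv.Close()
	resp, err := http.Get(srv.URL)
	if err != nil {
		return 0, err
	}
	data, err := readBoundedResponse(resp, limit)
	return len(data), err
}

func main() {
	big := int(maxBody) + 1
	st, n := post(vulnerableHandler, big)
	fmt.Printf("vulnerable: status=%d buffered=%d\n", st, n)
	st, n = post(hardenedHandler, big)
	fmt.Printf("hardened:   status=%d buffered=%d\n", st, n)
	_, err := fetch(big, maxBody)
	fmt.Println("client-side:", err)
}
```

Running it shows the vulnerable handler accepting and buffering the whole oversized body, the hardened one answering 413 without buffering it, and the client-side reader rejecting an upstream reply that exceeds the limit. The same bound-before-buffer rule applies to WebSocket and stream frames; the transport differs, the discipline does not.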
Affected versions: <= 1.11.0, 1.10.1, 1.9.3
Fixed versions: 1.11.1, 1.10.2, 1.9.4
These issues have been fixed in KubeEdge 1.11.1, 1.10.2 and 1.9.4. Users should update to one of these versions to resolve them.
See the GitHub advisory for more details: https://github.com/kubeedge/kubeedge/security/advisories
The security audit report of KubeEdge performed by Ada Logics is available as KubeEdge-security-audit-2022.pdf in the kubeedge/community repository on GitHub (master branch).
These vulnerabilities were reported by David Korczynski and Adam Korczynski of Ada Logics during a security audit sponsored by CNCF and facilitated by OSTIF.
The issues were fixed, and their disclosure coordinated, by KubeEdge SIG Security and the KubeEdge Security Team.
Thank You,
Vincent on behalf of the KubeEdge Security Team
Lin Guohui (Vincent)
HUAWEI CLOUD
Mobile: +86-18667150897
Huawei Research Institute Z5, Hangzhou, China
HUAWEI Industrial Base, Hangzhou, P.R.China
E-mail: linguohui1@huawei.com
This e-mail and its attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it.