flatcar / Flatcar

Flatcar project repository for issue tracking, project documentation, etc.

Home Page: https://www.flatcar.org/

Prisma Twistlock Flagging 6 Containerd Vulnerabilities in Flatcar 3510.3.3 LTS

justdan96 opened this issue · comments

commented

Name: containerd

CVEs:
CVE-2022-1996
CVE-2023-27561
CVE-2024-21626
CVE-2023-47108
CVE-2023-44487

CVSSs:
CVE-2022-1996 = 9.1
CVE-2023-27561 = 7.0
CVE-2024-21626 = 8.6
CVE-2023-47108 = 7.5
CVE-2023-44487 = 5.3

Action Needed:
These have been flagged by Prisma Twistlock so will likely need some further analysis. If they are false positives that would be good news for us!

Summary:
We have been using Flatcar LTS Kubernetes nodes in our Lab environments. On these environments we are running the security DaemonSet Palo Alto Prisma Twistlock. From Prisma we can see the vulnerabilities flagged above. Here they are in a table format:

| CVE ID | Severity | Package Version | Package Path | CVSS | Package URL |
|---|---|---|---|---|---|
| CVE-2022-1996 | critical | v2.9.5 | /run/torcx/unpack/docker/bin/containerd | 9.1 | pkg:golang/github.com/emicklei/go-restful@v2.9.5 |
| CVE-2023-27561 | high | v1.1.2 | /run/torcx/unpack/docker/bin/containerd | 7.0 | pkg:golang/github.com/opencontainers/runc@v1.1.2 |
| CVE-2024-21626 | high | v1.1.2 | /run/torcx/unpack/docker/bin/containerd | 8.6 | pkg:golang/github.com/opencontainers/runc@v1.1.2 |
| CVE-2023-47108 | high | v0.28.0 | /run/torcx/unpack/docker/bin/containerd | 7.5 | pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.28.0 |
| CVE-2023-44487 | high | v0.0.0-20220722155237-a158d28d115b | /run/torcx/unpack/docker/bin/containerd | 5.3 | pkg:golang/golang.org/x/net@v0.0.0-20220722155237-a158d28d115b |
| CVE-2023-44487 | high | v1.47.0 | /run/torcx/unpack/docker/bin/containerd | 5.3 | pkg:golang/google.golang.org/grpc@v1.47.0 |

As you can see, it delves into Golang dependencies, so if these vulnerabilities have been incorrectly flagged then I can just take that information back to our internal security team.

refmap.gentoo: TBD
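One way to cross-check a scanner table like the one above against what is actually linked into the binary, added here as an example that is not part of this issue or of the Flatcar project: Go binaries embed their module list, which `go version -m /run/torcx/unpack/docker/bin/containerd` prints, including `=>` lines for modules that were replaced at build time. The script below parses that output, parses the scanner's purls, and reports for each purl whether the module is present at the reported version, present but replaced with another version (a common source of false positives), present at a different version, or absent. The buildinfo text embedded in the script is a constructed sample with illustrative versions, not the real output from a Flatcar 3510.3.3 node; to use it for real, replace `SAMPLE_BUILDINFO` with the command's actual output. A "match" confirms the module is linked in, not that the vulnerable code path is reachable, so the per-CVE analysis is still needed.

```python
"""Cross-check scanner purls against a Go binary's embedded build info.

Constructed example: SAMPLE_BUILDINFO imitates `go version -m <binary>`
output. The purls are the ones from the scanner table in the issue.
"""
import re

# Constructed sample of `go version -m /run/torcx/unpack/docker/bin/containerd`.
# Versions and hashes are illustrative only, not the real binary's.
SAMPLE_BUILDINFO = """\
/run/torcx/unpack/docker/bin/containerd: go1.20.10
\tpath\tgithub.com/containerd/containerd/cmd/containerd
\tmod\tgithub.com/containerd/containerd\t(devel)
\tdep\tgithub.com/emicklei/go-restful\tv2.9.5+incompatible\th1:AAAA=
\tdep\tgithub.com/opencontainers/runc\tv1.1.2\th1:BBBB=
\tdep\tgolang.org/x/net\tv0.0.0-20220722155237-a158d28d115b
\t=>\tgolang.org/x/net\tv0.17.0\th1:CCCC=
\tdep\tgoogle.golang.org/grpc\tv1.47.0\th1:DDDD=
\tbuild\t-compiler=gc
"""

# Purls exactly as reported in the issue's scanner table.
SCANNER_PURLS = [
    "pkg:golang/github.com/emicklei/go-restful@v2.9.5",
    "pkg:golang/github.com/opencontainers/runc@v1.1.2",
    "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.28.0",
    "pkg:golang/golang.org/x/net@v0.0.0-20220722155237-a158d28d115b",
    "pkg:golang/google.golang.org/grpc@v1.47.0",
]


def parse_buildinfo(text):
    """Return {module_path: {"version": str, "replaced": bool}}.

    A `=>` line overrides the version of the preceding `mod`/`dep` line;
    that replacement is what the linker actually used.
    """
    mods = {}
    last = None
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) < 3:  # header, path and build lines carry no module version
            continue
        kind, path, version = parts[0], parts[1], parts[2]
        if kind in ("mod", "dep"):
            mods[path] = {"version": version, "replaced": False}
            last = path
        elif kind == "=>" and last is not None:
            mods[last] = {"version": version, "replaced": True}
    return mods


def parse_purl(purl):
    """Split a golang purl into (module path, version)."""
    m = re.fullmatch(r"pkg:golang/([^@]+)@(.+)", purl)
    if not m:
        raise ValueError(f"not a golang purl: {purl}")
    return m.group(1), m.group(2)


def normalize(version):
    """Drop build-metadata suffixes such as +incompatible before comparing."""
    return version.split("+")[0]


def triage(purls, buildinfo_text):
    """Map each purl to 'match', 'replaced (v)', 'version-differs (v)' or 'absent'."""
    mods = parse_buildinfo(buildinfo_text)
    result = {}
    for purl in purls:
        path, version = parse_purl(purl)
        entry = mods.get(path)
        if entry is None:
            result[purl] = "absent"
        elif entry["replaced"]:
            result[purl] = f"replaced ({entry['version']})"
        elif normalize(entry["version"]) == normalize(version):
            result[purl] = "match"
        else:
            result[purl] = f"version-differs ({entry['version']})"
    return result


if __name__ == "__main__":
    for purl, verdict in triage(SCANNER_PURLS, SAMPLE_BUILDINFO).items():
        print(f"{verdict:28} {purl}")
```

Anything reported as "absent" or "replaced" goes back to the scanner vendor as a likely false positive; anything reported as "match" is worth the reachability analysis that the later comments in this thread perform.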

Just mentioning what we said in the chat:

so I checked and it looks like, due to the critical aspect, that LTS 3510.3.2 has the runc update: https://www.flatcar.org/releases#release-3510.3.2
FWIW, you can update docker / containerd / runc using a sysext image. I would be curious to see if your vulnerability scan shows the same result after:

```yaml
---
variant: flatcar
version: 1.1.0
storage:
  files:
    - path: /etc/extensions/docker.raw
      contents:
        source: https://github.com/flatcar/sysext-bakery/releases/download/latest/docker-24.0.9-x86-64.raw
    - path: /etc/systemd/system-generators/torcx-generator
```

commented

Some of this was discussed on Matrix but it was flagged that for CVE-2022-1996, as described in containerd/containerd#7117, the vulnerability only affects CORS which containerd does not use. The runc vulnerabilities CVE-2023-27561 and CVE-2024-21626 seem to affect runc itself and I haven't been able to find if it can affect specifically containerd. CVE-2023-47108 is for DoS with the opentelemetry-go library, and CVE-2023-44487 is a DoS when using HTTP/2. These last two we do not expect to cause any issues as containerd is not exposed for remote access and the attacks would require the attacker to already have access to the local machine.

Overall I think these are fine and we should be able to get exceptions for these detected vulnerabilities.