
Comments (6)

AkihiroSuda commented on May 28, 2024

> cve

What CVE?
Likely to be a false alarm for fuse-overlayfs-snapshotter.


zhouke1991 commented on May 28, 2024

Hi @AkihiroSuda, there are a few HIGH CVEs in the fuse-overlayfs-snapshotter binary, and you can get the result with trivy (https://github.com/aquasecurity/trivy).
The kind base image contains this binary. I scanned the kind image and found these CVEs.

[screenshot: cves_in_containerd-fuse-overlayfs-grpc_1 0 5]

I also found the "golang.org/x/net" in go.mod had been updated, so can you please publish a new release against the main branch? Thanks!


AkihiroSuda commented on May 28, 2024

Thanks for sharing the scanning result.

I'd argue that all of them are false alarms for containerd-fuse-overlayfs-grpc.
But I'm happy to make a new release soon to silence these false alarms.

github.com/containerd/containerd

CVE-2022-23471

A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. [...]

https://nvd.nist.gov/vuln/detail/CVE-2022-23471

Patch: containerd/containerd@a05d175

  • pkg/cri/streaming/remotecommand/httpstream.go
  • (releases/v1.6.12.toml)
  • (version/version.go)

The modified files are not used by containerd-fuse-overlayfs-grpc.
You can confirm this by running go mod vendor and inspecting files under vendor/github.com/containerd/containerd.

CVE-2023-25153

Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. [...]

https://nvd.nist.gov/vuln/detail/CVE-2023-25153

Patch: containerd/containerd@0c31490

  • images/archive/importer.go

The modified files are not used by containerd-fuse-overlayfs-grpc.

CVE-2023-25173

A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. [...]

https://nvd.nist.gov/vuln/detail/CVE-2023-25173

Patch: containerd/containerd@133f6bb

  • (integration/addition_gids_test.go)
  • (integration/main_test.go)
  • oci/spec_opts.go
  • (oci/spec_opts_linux_test.go)
  • pkg/cri/server/container_create_linux.go

The modified files are not used by containerd-fuse-overlayfs-grpc.

golang.org/x/net

CVE-2022-27664

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. [...]

https://nvd.nist.gov/vuln/detail/cve-2022-27664

containerd-fuse-overlayfs-grpc does not publicly listen on an HTTP/2 socket, so this is not exploitable.
It speaks HTTP/2 on a local Unix socket for gRPC, but it is not accessible from the network.

CVE-2022-41721

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests. [...]

https://nvd.nist.gov/vuln/detail/cve-2022-41721

Not exploitable for the same reason as above.

CVE-2022-41723

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. [...]

https://nvd.nist.gov/vuln/detail/cve-2022-41723

Not exploitable for the same reason as above.

CVE-2022-41717

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. [...]

https://nvd.nist.gov/vuln/detail/cve-2022-41717

Not exploitable for the same reason as above.

GHSA-vvpx-j8f3-3w6h

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. [...]

GHSA-vvpx-j8f3-3w6h

Not exploitable for the same reason as above.

golang.org/x/text

CVE-2022-32149

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. [...]

https://nvd.nist.gov/vuln/detail/cve-2022-32149

Not exploitable for the same reason as above.

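The triage method used in the comment above (map the files touched by a CVE's patch onto the module's vendor/ tree, and treat a CVE whose patched files are never vendored as a likely false positive for this binary) can be scripted. The following is an added example, not code from the issue or from the fuse-overlayfs-snapshotter project; the function names, the constructed vendor tree and the sample file `snapshots/snapshotter.go` are assumptions made for illustration, while the CVE ids and patched file paths are the ones listed in the comment.

```shell
#!/bin/sh
# Added example: check whether the files changed by a vulnerability patch exist
# in a Go module's vendor/ tree (populated by `go mod vendor`).
# Usage: vendored_patch_files VENDOR_DIR MODULE_PATH FILE...
# Prints each patched file that is vendored. Exit status 0 means at least one
# patched file is vendored (review further); 1 means none is (the finding is
# likely a false positive for this binary).
vendored_patch_files() {
  vendor_dir=$1
  module=$2
  shift 2
  found=1
  for f in "$@"; do
    if [ -f "$vendor_dir/$module/$f" ]; then
      echo "vendored: $module/$f"
      found=0
    fi
  done
  return "$found"
}

# Turn the check into a one-line verdict for a given CVE id.
# Usage: triage_cve CVE_ID VENDOR_DIR MODULE_PATH FILE...
triage_cve() {
  cve=$1
  vendor_dir=$2
  module=$3
  shift 3
  if vendored_patch_files "$vendor_dir" "$module" "$@" >/dev/null; then
    echo "$cve: patched files are vendored, review further"
  else
    echo "$cve: patched files not vendored, likely false positive"
  fi
}

# Constructed demo tree (assumption, not a real `go mod vendor` output): only
# the snapshotter package of containerd is vendored, none of the CRI/OCI files.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/vendor/github.com/containerd/containerd/snapshots"
: > "$demo_dir/vendor/github.com/containerd/containerd/snapshots/snapshotter.go"

containerd=github.com/containerd/containerd
triage_cve CVE-2022-23471 "$demo_dir/vendor" "$containerd" \
  pkg/cri/streaming/remotecommand/httpstream.go
triage_cve CVE-2023-25153 "$demo_dir/vendor" "$containerd" \
  images/archive/importer.go
triage_cve CVE-2023-25173 "$demo_dir/vendor" "$containerd" \
  oci/spec_opts.go pkg/cri/server/container_create_linux.go

rm -rf "$demo_dir"
```

On a real checkout you would run `go mod vendor` first and point `VENDOR_DIR` at the resulting `vendor/` directory. Because `go mod vendor` copies only packages that are actually imported, absence of a patched file is a reasonable proxy for "not reachable"; for a package-level answer, `go list -deps` on the binary's main package (or `govulncheck`) gives a finer result than a file existence check.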

AkihiroSuda commented on May 28, 2024

https://github.com/containerd/fuse-overlayfs-snapshotter/releases/tag/v1.0.6


zhouke1991 commented on May 28, 2024

@AkihiroSuda Sorry, it seems that I made a mistake. I am confused about where the binary "containerd-fuse-overlayfs-grpc" comes from. Is it from this repo? Thanks for your clarification.


AkihiroSuda commented on May 28, 2024

> I am confused about where the binary "containerd-fuse-overlayfs-grpc" comes from. Is it from this repo?

Yes
https://github.com/containerd/fuse-overlayfs-snapshotter/tree/master/cmd/containerd-fuse-overlayfs-grpc
