Comments (6)
cve
What CVE?
Likely to be a false alarm for fuse-overlayfs-snapshotter.
from fuse-overlayfs-snapshotter.
Hi @AkihiroSuda, there are a few HIGH CVEs in the fuse-overlayfs-snapshotter binary, and you can get the result with [trivy](https://github.com/aquasecurity/trivy).
The kind base image contains this binary. I scanned the kind image and found these CVEs.
I also found that "golang.org/x/net" in go.mod had been updated, so can you please publish a new release against the main branch? Thanks!
from fuse-overlayfs-snapshotter.
Thanks for sharing the scanning result.
I'd argue that all of them are false alarms for containerd-fuse-overlayfs-grpc.
But I'm happy to make a new release soon to silence these false alarms.
github.com/containerd/containerd
CVE-2022-23471
A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. [...]
https://nvd.nist.gov/vuln/detail/CVE-2022-23471
Patch: containerd/containerd@a05d175
- pkg/cri/streaming/remotecommand/httpstream.go
- (releases/v1.6.12.toml)
- (version/version.go)
The modified files are not used by containerd-fuse-overlayfs-grpc.
You can confirm this by running go mod vendor and inspecting files under vendor/github.com/containerd/containerd.
CVE-2023-25153
Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. [...]
https://nvd.nist.gov/vuln/detail/CVE-2023-25153
Patch: containerd/containerd@0c31490
- images/archive/importer.go
The modified files are not used by containerd-fuse-overlayfs-grpc.
CVE-2023-25173
A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. [...]
https://nvd.nist.gov/vuln/detail/CVE-2023-25173
Patch: containerd/containerd@133f6bb
- (integration/addition_gids_test.go)
- (integration/main_test.go)
- oci/spec_opts.go
- (oci/spec_opts_linux_test.go)
- pkg/cri/server/container_create_linux.go
The modified files are not used by containerd-fuse-overlayfs-grpc.
golang.org/x/net
CVE-2022-27664
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. [...]
https://nvd.nist.gov/vuln/detail/cve-2022-27664
containerd-fuse-overlayfs-grpc does not publicly listen on an HTTP/2 socket, so this is not exploitable.
It speaks HTTP/2 on a local Unix socket for gRPC, but it is not accessible from the network.
CVE-2022-41721
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests. [...]
https://nvd.nist.gov/vuln/detail/cve-2022-41721
Not exploitable for the same reason as above.
CVE-2022-41723
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. [...]
https://nvd.nist.gov/vuln/detail/cve-2022-41723
Not exploitable for the same reason as above.
CVE-2022-41717
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. [...]
https://nvd.nist.gov/vuln/detail/cve-2022-41717
Not exploitable for the same reason as above.
GHSA-vvpx-j8f3-3w6h
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. [...]
Not exploitable for the same reason as above.
golang.org/x/text
CVE-2022-32149
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. [...]
https://nvd.nist.gov/vuln/detail/cve-2022-32149
Not exploitable for the same reason as above.
from fuse-overlayfs-snapshotter.
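The check described in the reply above (vendor the module, then look for the files the fix touched) written out as a shell function. This is an added example, not code from the thread or from the fuse-overlayfs-snapshotter project: the vendor tree it runs against is constructed inline, and the file list is the CVE-2022-23471 patch list quoted in the reply.

```shell
# Added example (not from the thread): given a vendored module tree and the
# list of files touched by a CVE fix, report which of those files the vendored
# copy actually contains. If none are present, the fix cannot affect the binary
# built from that tree. Assumes `go mod vendor` has already been run.

# check_patched_files VENDOR_ROOT FILE...
# Prints each patched file found under VENDOR_ROOT.
# Returns 0 when none are vendored (fix not reachable), 1 otherwise.
check_patched_files() {
    vendor_root=$1; shift
    found=0
    for f in "$@"; do
        if [ -f "$vendor_root/$f" ]; then
            echo "vendored: $f"
            found=1
        fi
    done
    return $found
}

# Files changed by the CVE-2022-23471 patch (containerd/containerd@a05d175),
# as listed in the thread.
CVE_2022_23471_FILES="pkg/cri/streaming/remotecommand/httpstream.go releases/v1.6.12.toml version/version.go"

# Constructed stand-in for vendor/ of a snapshotter build: only a package the
# snapshotter actually imports is present, nothing from pkg/cri.
make_sample_vendor() {
    dir=$(mktemp -d)
    mkdir -p "$dir/github.com/containerd/containerd/snapshots/storage"
    : > "$dir/github.com/containerd/containerd/snapshots/storage/bolt.go"
    echo "$dir"
}

# Usage: run the check against the constructed tree.
VENDOR=$(make_sample_vendor)
if check_patched_files "$VENDOR/github.com/containerd/containerd" $CVE_2022_23471_FILES; then
    echo "CVE-2022-23471: no patched file is vendored; not reachable from this binary"
else
    echo "CVE-2022-23471: patched file(s) vendored; investigate"
fi
```

Against a real build, point the function at the project's own vendor/github.com/containerd/containerd directory instead of the constructed one.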
https://github.com/containerd/fuse-overlayfs-snapshotter/releases/tag/v1.0.6
from fuse-overlayfs-snapshotter.
@AkihiroSuda Sorry, it seems that I made a mistake. I am confused about where the binary "containerd-fuse-overlayfs-grpc" comes from. Is it from this repo? Thanks for your clarification.
from fuse-overlayfs-snapshotter.
I am confused about where the binary "containerd-fuse-overlayfs-grpc" comes from. Is it from this repo?
from fuse-overlayfs-snapshotter.