You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
out of the box adds labels
net.peer.sock.addr
net.peer.sock.port
that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.
Details
An attacker can easily flood the peer address and port for requests.
PoC
Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it.
Impact
In order to be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and does not filter any client IP address and ports via middleware or proxies, etc.
Others
It is similar to already reported vulnerabilities.
Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.
Mitigations
To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes.
Warning: To take effect, both the client and server must support this countermeasure.
As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available.
Details
The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario.
The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange.
In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers.
This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario.
k8s.io/apiserver0.26.2 (golang)
pkg:golang/k8s.io/apiserver@0.26.2
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<1.15.10
Fixed version
1.15.10, 1.16.7, 1.17.3
CVSS Score
4.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Description
The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.7.13->1.7.14Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
containerd/containerd (containerd/containerd)
v1.7.14: containerd 1.7.14Compare Source
Welcome to the v1.7.14 release of containerd!
The fourteenth patch release for containerd 1.7 contains various fixes and updates.
Highlights
Container Runtime Interface (CRI)
Runtime
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
70 commits
1babe6b58Prepare release notes for v1.7.14a9bbbefcfUse the Go toolchain in CI matrix to build binaries1ca9a643aupdate to go 1.21.8, 1.22.139caf532eMove inline PS scripts into files630226bb4Disable OOM set score unpriv test temporarilyde7b6bae9runc-shim: process exec exits before init3b3e537eaUninstall mingw before attempting upgrade9e24388b2CI: Explicitly upgrade MinGW on Windows 2019 GitHub runners.5b23a4127seccomp, apparmor: add go:noinline753422ac1Drop go 1.20 and build against 1.22a2d64218cFix windows integration tests6379dd6f4Update workflow files to install Go via composite actiona5c0d061cExtract a composite action to install Go52a1402dfcopy: prevent potential deadlock if close before fully written872746386copy: setError should imply Closea8004007acopy: remove max number of ErrResets0465472edpushWriter: refactor reset pipe logic into separate function2577207cccopy: improve error detection from closed pipesd081da86bcopy: check if writer was closed before setting a pipe2a25c085bcopy: remove wrapping io.NopCloser from push writer pipe711cebd48Register imagePullThroughput and count with MiB926ceb036fix golangci-lint errors4030ae235Update golangci-lint to v1.56.16620d6bfdci: bump up golangci-lint to v1.55.2b16ca72b2Bump up golangci-lint to v1.54.239db3f18badjust test cases to run for windows579d8b463[cri] Handle Windows pod transitions gracefully8d6f0f2aebuild(deps): bump golangci/golangci-lint-action from 3 to 47929592b9build(deps): bump actions/upload-artifact from 3 to 4e11de777dbuild(deps): bump crazy-max/ghaction-github-runtime from 2 to 32b40a4074build(deps): bump actions/checkout from 3 to 422feefa57build(deps): bump actions/setup-go from 3 to 5b96aa4012build(deps): bump actions/upload-artifact from 1 to 397763f91dbuild(deps): bump docker/setup-buildx-action from 2 to 36875bb14fbuild(deps): bump github/codeql-action from 2 to 387f9adb6bbuild(deps): bump actions/download-artifact from 3 to 4d9c099a9a.github: windows should use fix critool versiondc594b01dci: update crun version to 1.14.38fe0b26f1Add missing unpacker.Wait for image import31ea2d7d9Add WithMetaStore to overlay snapshotter to allow bringing your own982e0cffbMove high volume event logs to Trace levelc79ffa277cri: propagate deprecation list to runtime statuseaebe23dectr: print deprecation warnings on every invocation26c057423bug fix: make sure cri image is pinned when it is pulled outside crid3e997556go.{mod,sum}: update NRI dependency, re-vendor.ea0a92ec3*: introduce image_pull_with_sync_fs in CRI4caf44032api: introduce sync_fs to diff.ApplyRequest3f75af7bfMove certain debug logs to trace logsChanges from containerd/nri
23 commits
e47f09bsocketpair_windows: remove implementation for now45b9e3fplugins: update dependencies.f600cf6go.{mod,sum}: update dependencies.13ee978pkg/stub: add support for extra ttrpc options.c4e2f81pkg/adaptation: add support for extra ttrpc options.5d0b52bsockerpair_unix: avoid double close(), set FD_CLOEXECae7840bTask: fix typo in godocb4ac58cTake pkg/hooks from github.com/containers/commonee96969gha: update actions/checkout@v47b33fbfgha: update actions/setup-go@v4e33ac3egha: remove working-dir and GOPATHda8a7e5remove containerd as dependency934815emake plugins/ulimit-adjuster a separate module9b43daascripts: fix protobuf URL on arm64Changes from containerd/ttrpc
21 commits
44ca009Add comment6615f15Fix linterdea99e9Fix handling of empty payloads336fc1bAdd integration test to reproduce issue with empty payloads1e51c46Bump google.golang.org/grpc from 1.57.0 to 1.57.1bea960dBump golang.org/x/net from 0.10.0 to 0.17.040f227dserver: implement UnaryServerInterceptor chaining.f984c9bclient: implement UnaryClientInterceptor chaining.8ca4110Fix comment for UserOnCloseWait.a2fbc14go.mod: google.golang.org/genproto/googleapis/rpc v0.0.0-20230731190214-cbb8c96f2d6dcf2b85dgo.mod: bump to supported go versione0cd801server_test: wait for OnClose in TestClientEOF.8d47846.github: give more slack for build+tests.Dependency Changes
782d3b1->cbb8c96Previous release can be found at v1.7.13
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.