chore(deps): update dependency containerd/containerd to v1.7.16 #4374
Auto-approved because label type/renovate is present.
🔍 Vulnerabilities of

| digest | sha256:23d1d5a961eded2c10fb3d8c2400f3c2427d5d68439f0831b00fcd1127155cd4 |
| vulnerabilities | |
| platform | linux/amd64 |
| size | 49 MB |
| packages | 127 |
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

| Affected range | <0.46.0 |
| Fixed version | 0.46.0 |
| CVSS Score | 7.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Description
Summary
The grpc Unary Server Interceptor in opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go

```go
// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
```

out of the box adds labels

- net.peer.sock.addr
- net.peer.sock.port

that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.
Details
An attacker can easily flood the peer address and port for requests.
PoC
Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it.
Impact
In order to be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and not filter any client IP address and ports via middleware or proxies, etc.
Others
It is similar to already reported vulnerabilities.
- GHSA-5r5m-65gx-7vrh (open-telemetry/opentelemetry-go-contrib)
- GHSA-cg3q-j54f-5p7p (prometheus/client_golang)
Workaround for affected versions
As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing the otelgrpc.WithMeterProvider option with noop.NewMeterProvider.

Solution provided by upgrading
In PR #4322, to be released with v0.46.0, the attributes were removed.
References
golang.org/x/crypto 0.14.0 (golang)
pkg:golang/golang.org/x/crypto@0.14.0
Insufficient Verification of Data Authenticity

| Affected range | <0.17.0 |
| Fixed version | 0.17.0 |
| CVSS Score | 5.9 |
| CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
Description
Summary
Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.
Mitigations
To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes.
Warning: To take effect, both the client and server must support this countermeasure.
As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available.
Details
The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario.
The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange.
In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers.
For more details see https://terrapin-attack.com.
Impact
This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario.
k8s.io/apimachinery 0.26.2 (golang)
pkg:golang/k8s.io/apimachinery@0.26.2
URL Redirection to Untrusted Site ('Open Redirect')

| Affected range | <1.16.13 |
| Fixed version | 1.16.13 |
| CVSS Score | 6.8 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |
Description
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.7 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
k8s.io/apiserver 0.26.2 (golang)
pkg:golang/k8s.io/apiserver@0.26.2
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

| Affected range | <1.15.10 |
| Fixed version | 1.15.10, 1.16.7, 1.17.3 |
| CVSS Score | 4.3 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
Description
The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.
golang.org/x/net 0.17.0 (golang)
pkg:golang/golang.org/x/net@0.17.0
Uncontrolled Resource Consumption

| Affected range | <0.23.0 |
| Fixed version | 0.23.0 |
| CVSS Score | 5.3 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Description
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/8836175729.
PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/8836175729.
This PR contains the following updates:
1.7.15 -> 1.7.16
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
containerd/containerd (containerd/containerd)
v1.7.16: containerd 1.7.16 (Compare Source)
Welcome to the v1.7.16 release of containerd!
The sixteenth patch release for containerd 1.7 contains various fixes and updates.
Highlights
Build and Release Toolchain
Container Runtime Interface (CRI)
Deprecations
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
50 commits
1c623084f Add release notes for v1.7.16
18a2c36fa apparmor: Allow confined runc to kill containers
62e9535f2 Fix config import relative path glob
a8ebceb97 CRI: "Fix" imageFSPath behavior
bd423bf84 Snapshotters: Export the root path
8fb6bfa71 Add exports to proxy plugin config
8916e2cf9 Add platform config to proxy plugins
293f5151d pod: CreatedAt time will be 269 years ago while creating cri network failed.
af19e746e apparmor: add signal (receive) peer=/usr/local/bin/rootlesskit,
637d259dd update to go1.21.9, go1.22.2
794b0c723 Add deprecated HTTPFallback for package compatibility
51c649d9d Update HTTPFallback to handle tls handshake timeout
aa14890ed Remove empty default tls configuration in ctr
3df5d4445 Add support for HPC port forwarding
5c15bf406 Prevent GC from schedule itself with 0 period.
b57dc9fd3 cri/server: Add userns tests in PodSandboxStatus
6e809ef13 cri: Expose userns in PodSandboxStatus rpc
395a31901 mod: bump github.com/containerd/nri@v0.6.1
f61de0864 fix bug that using invalid token to retry fetching layer
7a2f49f70 Bump tags.cncf.io/container-device-interface to v0.7.2
989f1ec54 fix default working directory hostProcess
9f774e438 fix(cri): fix unexpected order of mounts since go 1.19
2aec52493 Automatically decompress archives for transfer service import
8c76e7948 Use different containerd sock address in tests
18f4ad5ee remote: Fix HTTPFallback fails when pushing manifest
600ba8612 vendor: revendor OTEL
9360e3716 Changes to configuring otel from env only
f2354894f Deprecate otel configs
90c309fe2 Add IsNotFound case to ListPodSandboxStats

Changes from containerd/nri
5 commits
c4893c7 Fix deadlock during NRI plugin registration
02a1d5e go.mod: github.com/containerd/ttrpc v1.2.3
eb3edc4 examples: go mod tidy

Dependency Changes
Previous release can be found at v1.7.15
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.