You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
out of the box adds labels
net.peer.sock.addr
net.peer.sock.port
that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.
Details
An attacker can easily flood the peer address and port for requests.
PoC
Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it.
Impact
In order to be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and does not filter any client IP address and ports via middleware or proxies, etc.
Others
It is similar to already reported vulnerabilities.
Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.
Mitigations
To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes.
Warning: To take effect, both the client and server must support this countermeasure.
As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available.
Details
The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario.
The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange.
In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers.
This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario.
gopkg.in/square/go-jose.v22.5.1 (golang)
pkg:golang/gopkg.in/square/go-jose.v2@2.5.1
Affected range
>=0
Fixed version
Not Fixed
Description
An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
k8s.io/apimachinery0.26.2 (golang)
pkg:golang/k8s.io/apimachinery@0.26.2
URL Redirection to Untrusted Site ('Open Redirect')
Affected range
<1.16.13
Fixed version
1.16.13
CVSS Score
6.8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Description
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.7 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
k8s.io/apiserver0.26.2 (golang)
pkg:golang/k8s.io/apiserver@0.26.2
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range
<1.15.10
Fixed version
1.15.10, 1.16.7, 1.17.3
CVSS Score
4.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Description
The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.
golang.org/x/net0.17.0 (golang)
pkg:golang/golang.org/x/net@0.17.0
Uncontrolled Resource Consumption
Affected range
<0.23.0
Fixed version
0.23.0
CVSS Score
5.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.7.15->1.7.16Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
containerd/containerd (containerd/containerd)
v1.7.16: containerd 1.7.16Compare Source
Welcome to the v1.7.16 release of containerd!
The sixteenth patch release for containerd 1.7 contains various fixes and updates.
Highlights
Build and Release Toolchain
Container Runtime Interface (CRI)
Deprecations
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
50 commits
1c623084fAdd release notes for v1.7.1618a2c36faapparmor: Allow confined runc to kill containers62e9535f2Fix config import relative path globa8ebceb97CRI: "Fix" imageFSPath behaviorbd423bf84Snapshotters: Export the root path8fb6bfa71Add exports to proxy plugin config8916e2cf9Add platform config to proxy plugins293f5151dpod: CreatedAt time will be 269 years ago while creating cri network failed.af19e746eapparmor: addsignal (receive) peer=/usr/local/bin/rootlesskit,637d259ddupdate to go1.21.9, go1.22.2794b0c723Add deprecated HTTPFallback for package compatibility51c649d9dUpdate HTTPFallback to handle tls handshake timeoutaa14890edRemove empty default tls configuration in ctr3df5d4445Add support for HPC port forwarding5c15bf406Prevent GC from schedule itself with 0 period.b57dc9fd3cri/server: Add userns tests in PodSandboxStatus6e809ef13cri: Expose userns in PodSandboxStatus rpc395a31901mod: bump github.com/containerd/nri@v0.6.1f61de0864fix bug that using invalid token to retry fetching layer7a2f49f70Bump tags.cncf.io/container-device-interface to v0.7.2989f1ec54fix default working directoryhostProcess9f774e438fix(cri): fix unexpected order of mounts since go 1.192aec52493Automatically decompress archives for transfer service import8c76e7948Use different containerd sock address in tests18f4ad5eeremote: Fix HTTPFallback fails when pushing manifest600ba8612vendor: revendor OTEL9360e3716Changes to configuring otel from env onlyf2354894fDeprecate otel configs90c309fe2Add IsNotFound case to ListPodSandboxStatsChanges from containerd/nri
5 commits
c4893c7Fix deadlock during NRI plugin registration02a1d5ego.mod: github.com/containerd/ttrpc v1.2.3eb3edc4examples: go mod tidyDependency Changes
Previous release can be found at v1.7.15
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.