[BUG] CVE-2022-2068, CVE-2022-1292 #45493

Open
warchal-tomasz opened this issue May 15, 2024 · 0 comments
Labels
kind/bug Issues that are defects reported by users or that we know have reached a real release

Comments

@warchal-tomasz

Rancher Server Setup

  • Rancher version: v2.8.2
  • Installation option (Docker install/Helm Chart): Helm Chart
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc): v1.27.12-eks-adc7111

Information about the Cluster

  • Kubernetes version: v1.25.11+k3s1
  • Cluster Type (Local/Downstream): Downstream, Imported

User Information

  • What is the role of the user logged in? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom)
    • If custom, define the set of permissions: Admin, Cluster Owner

Describe the bug

CVE-2022-2068 and CVE-2022-1292 have been found in rancher-agent images by the Brinqa scanner.

To Reproduce

Import a k3s cluster into Rancher with kubectl apply.

k3s crictl ps
CONTAINER           IMAGE               CREATED             STATE               NAME                ATTEMPT             POD ID              POD
5b318c5a20375       6a8d5ae6dd415       3 days ago          Running             cluster-register    9                   a4f9943e63ad4       cattle-cluster-agent-854cb4855f-8kkfq

k3s crictl images
IMAGE                              TAG                 IMAGE ID            SIZE
docker.io/rancher/rancher-agent    v2.8.2              6a8d5ae6dd415       610MB

Result

Brinqa scanner outputs

CVE-2022-1292
Description:

The version of OpenSSL installed on the remote host is prior to 1.1.1o. It is, therefore, affected by a vulnerability as referenced in the 1.1.1o advisory.

  - The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). (CVE-2022-1292)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Output:

  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o

CVE-2022-2068
Description:

The version of OpenSSL installed on the remote host is prior to 1.1.1p. It is, therefore, affected by a vulnerability as referenced in the 1.1.1p advisory.

  - In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze). (CVE-2022-2068)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Output:

  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/lib64/libcrypto.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p


  Path             : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/lib64/libssl.so.1.1
  Reported version : 1.1.1l
  Fixed version    : 1.1.1p

Expected Result

Fix vulnerabilities in Rancher agent image.

@warchal-tomasz warchal-tomasz added the kind/bug Issues that are defects reported by users or that we know have reached a real release label May 15, 2024
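Both findings in the report above are version-only matches, while the flaw they describe sits in the c_rehash script. The triage helper below is an added example, not code from this issue, Rancher or the scanner: it parses findings in that layout, orders OpenSSL letter releases correctly, and checks whether a c_rehash file exists under the flagged container tree. All function names are hypothetical and the sample text is constructed.

```python
import os
import re
# Constructed sample in the Path / Reported version / Fixed version layout of the report.
SAMPLE = """\
  Path             : /tmp/example/rootfs/usr/bin/openssl
  Reported version : 1.1.1l
  Fixed version    : 1.1.1o
"""
FINDING = re.compile(r"Path\s*:\s*(?P<path>\S+)\s+"
                     r"Reported version\s*:\s*(?P<reported>\S+)\s+"
                     r"Fixed version\s*:\s*(?P<fixed>\S+)")

def version_key(version):
    """Sort key for OpenSSL versions such as 1.1.1l, 1.0.2ze or 3.0.3."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letters = m.groups()
    # Letter releases run a..z, then za, zb, ...; a longer suffix is later.
    return (int(major), int(minor), int(patch), len(letters), letters)

def rootfs_of(path):
    """Container root a flagged path sits under (runtime rootfs or snapshot fs)."""
    for marker in ("/rootfs/", "/fs/"):
        head, sep, _ = path.partition(marker)
        if sep:
            return head + marker.rstrip("/")
    return None

def find_script(root, name="c_rehash"):
    """First file called `name` under root, or None. Symlinked dirs are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            return os.path.join(dirpath, name)
    return None

def triage(report):
    """Per finding: is the version below the fix, and is c_rehash in that tree?"""
    rows = []
    for m in FINDING.finditer(report):
        f = m.groupdict()
        root = rootfs_of(f["path"])
        f["below_fix"] = version_key(f["reported"]) < version_key(f["fixed"])
        f["c_rehash"] = find_script(root) if root and os.path.isdir(root) else None
        rows.append(f)
    return rows

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A snapshot `fs` directory holds a single image layer, so a script shipped in another layer will not show up there; the runtime `rootfs` path is the merged view of the running container.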