You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
k3s crictl ps
CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID POD
5b318c5a20375 6a8d5ae6dd415 3 days ago Running cluster-register 9 a4f9943e63ad4 cattle-cluster-agent-854cb4855f-8kkfq
k3s crictl images
IMAGE TAG IMAGE ID SIZE
docker.io/rancher/rancher-agent v2.8.2 6a8d5ae6dd415 610MB
The version of OpenSSL installed on the remote host is prior to 1.1.1o. It is, therefore, affected by a vulnerability as referenced in the 1.1.1o advisory.
- The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.
Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n).
Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). (CVE-2022-1292)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Output:
Path : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/bin/openssl
Reported version : 1.1.1l
Fixed version : 1.1.1o
Path : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/lib64/libcrypto.so.1.1
Reported version : 1.1.1l
Fixed version : 1.1.1o
Path : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/lib64/libssl.so.1.1
Reported version : 1.1.1l
Fixed version : 1.1.1o
Path : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/bin/openssl
Reported version : 1.1.1l
Fixed version : 1.1.1o
Path : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/lib64/libcrypto.so.1.1
Reported version : 1.1.1l
Fixed version : 1.1.1o
Path : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/lib64/libssl.so.1.1
Reported version : 1.1.1l
Fixed version : 1.1.1o
The version of OpenSSL installed on the remote host is prior to 1.1.1p. It is, therefore, affected by a vulnerability as referenced in the 1.1.1p advisory.
- In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze). (CVE-2022-2068)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Output:
Path : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/bin/openssl
Reported version : 1.1.1l
Fixed version : 1.1.1p
Path : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/lib64/libcrypto.so.1.1
Reported version : 1.1.1l
Fixed version : 1.1.1p
Path : /run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/5b318c5a203752aacb64c08e62a6730af3af96fbfdb81a2d274e392f9e5d34b6/rootfs/usr/lib64/libssl.so.1.1
Reported version : 1.1.1l
Fixed version : 1.1.1p
Path : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/bin/openssl
Reported version : 1.1.1l
Fixed version : 1.1.1p
Path : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/lib64/libcrypto.so.1.1
Reported version : 1.1.1l
Fixed version : 1.1.1p
Path : /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/254/fs/usr/lib64/libssl.so.1.1
Reported version : 1.1.1l
Fixed version : 1.1.1p
Expected Result
Fix vulnerabilities in Rancher agent image.
The text was updated successfully, but these errors were encountered:
Rancher Server Setup
Information about the Cluster
User Information
Describe the bug
The CVE-2022-2068, CVE-2022-1292 have been found in rancher-agent images by brinqa scanner.
To Reproduce
Import k3s cluster into rancher by kubectl apply.
Result
Brinqa scanner outputs
CVE-2022-1292
Description:
Output:
CVE-2022-2068
Description:
Output:
Expected Result
Fix vulnerabilities in Rancher agent image.
The text was updated successfully, but these errors were encountered: