Moving to a fork for jwt-go with a CVE fix (transient dependency) #100401
Comments
/sig architecture /sig api-machinery
/remove-sig api-machinery
It looks like the project is abandoned. @kubernetes/dep-approvers what do we do in these scenarios? We are using go-jose for core jwt needs but as long as this library remains in vendor/, there's a risk that usage will sneak in.
@mikedanese looks like etcd already moved, and heketi has merged an update to the newer repo, so we can wait a bit for both etcd and heketi releases to come out and then we will be able to remove the old repo. Also, could we persuade etcd to switch to go-jose?
Ran snyk on master branch and it lists the CVE as mentioned in the issue
Seeing another CWE-338 for
Thanks @dims, 100% agree @mikedanese with regards to getting this moving: I have pinged heketi maintainers again to remind them to bump a new minor version release that points to the fixed fork. etcd is still on an alpha release that has the fix (3.5.0 alpha). @navidshaikh that's a good finding. I was not aware of the other vulnerable pkg. Maybe worth opening a separate PR about that too? Feel free to correct me if it makes sense to have a single PR that fixes both.
Looks like the Azure SDK issue is fixed in Azure/azure-sdk-for-go#14283 and should be resolved with a dependency bump.
@PushkarJ do you have a heketi issue we can reference here?
Here you go:
@PushkarJ : It was a transient dependency and fixed where it came from in Azure/azure-sdk-for-go#14283, next dep bump should fix it.
Update on this issue:
Have commits that fix 1 and 3 in my fork already. Probably worth waiting to open a PR until etcd releases a GA for v3.5.0?
@PushkarJ yes! thanks.
To keep everyone in the loop, etcd fixes (pt. 2 above) should happen as part of the upgrade to etcd 3.5.x through this PR by @liggitt: #100488. So the sequence of steps planned is:
Related: spf13/viper#997 and spf13/viper#1126
What happened:
github.com/dgrijalva/jwt-go v3.2.0 is known to have CVE-2020-26160, with a severity rating of high. This is a dependency for etcd and heketi, which are dependencies of kubernetes. Although the vulnerable function `verifyAudience` is not used, because of this dependency chain security scanners tag kubernetes releases as impacted by this CVE. To prevent this false positive alert, it would be a good idea to move to a release and fork that fixes this CVE.

What you expected to happen:
Kubernetes to move to a forked release, github.com/form3tech-oss/jwt-go/, that has a fix for this CVE.
etcd version 3.5.0-alpha.0 also includes this fix.
A separate issue for heketi is opened for them to create a tagged release: heketi/heketi#1841
Related PR: #100382. I will re-open this PR with a fix once heketi and etcd both release a tagged version.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:
- Kubernetes version (use `kubectl version`): <= 1.21
- OS (e.g. `cat /etc/os-release`): n/a
- Kernel (e.g. `uname -a`): n/a

/area dependency
/kind cleanup
/sig storage
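The dependency chain the issue describes (kubernetes -> etcd/heketi -> jwt-go) is what makes a scanner flag the release even though `verifyAudience` is never called. As an added example, not code from the issue or from the Kubernetes project, the script below walks `go mod graph` output and prints every path from the main module to a flagged module, so the direct dependency that has to be bumped or replaced is visible. The graph lines, module names and versions in the sample are constructed for illustration.

```shell
# Constructed sample of `go mod graph` output: one "<parent> <child@version>"
# edge per line. The main module has no version suffix. Versions and the
# exact module paths for etcd/heketi are assumed, not taken from the issue.
SAMPLE_GRAPH='k8s.io/kubernetes go.etcd.io/etcd/client/v3@v3.5.0-alpha.0
k8s.io/kubernetes github.com/heketi/heketi@v10.0.0
k8s.io/kubernetes gopkg.in/square/go-jose.v2@v2.2.2
go.etcd.io/etcd/client/v3@v3.5.0-alpha.0 github.com/form3tech-oss/jwt-go@v3.2.2
github.com/heketi/heketi@v10.0.0 github.com/dgrijalva/jwt-go@v3.2.0
github.com/heketi/heketi@v10.0.0 github.com/pkg/errors@v0.9.1'

# vuln_paths GRAPH ROOT MODULE
# Prints "a -> b -> c" for every simple path from ROOT to any version of
# MODULE (version suffix ignored when matching). Depth-first search over the
# adjacency list built from the edge lines; onpath[] guards against cycles,
# which `go mod graph` can contain.
vuln_paths() {
  printf '%s\n' "$1" | awk -v root="$2" -v target="$3" '
    { edges[$1] = edges[$1] " " $2 }
    function dfs(node, path,   n, kids, i, name) {
      if (node in onpath) return          # cycle: already on current path
      onpath[node] = 1
      name = node; sub(/@.*/, "", name)   # strip @version for comparison
      if (name == target) print path
      else {
        n = split(edges[node], kids, " ")
        for (i = 1; i <= n; i++) dfs(kids[i], path " -> " kids[i])
      }
      delete onpath[node]
    }
    END { dfs(root, root) }'
}

# Trace how the vulnerable module reaches the main module. With real data,
# replace SAMPLE_GRAPH with "$(go mod graph)" run in the repository root.
vuln_paths "$SAMPLE_GRAPH" "k8s.io/kubernetes" "github.com/dgrijalva/jwt-go"
```

Each printed path ends at the flagged module and its second element is the direct dependency to bump or `replace`; a module that is absent from the graph prints nothing.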