efk addon image contains Log4j CVEs #15280

spowelljr opened this issue Nov 3, 2022 · 13 comments
Labels

  • addon/efk: Issues with EFK addon
  • area/addons
  • kind/security: security issues
  • lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
  • priority/important-soon: Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@spowelljr
Member

spowelljr commented Nov 3, 2022

The efk addon contains the image k8s.gcr.io/elasticsearch:v5.6.2@sha256:7e95b32a7a2aad0c0db5c881e4a1ce8b7e53236144ae9d9cfb5fbe5608af4ab2

This image contains Log4j CVEs

  ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720] in org.apache.logging.log4j:log4j-core@2.9.1
    introduced by org.apache.logging.log4j:log4j-core@2.9.1
  ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014] in org.apache.logging.log4j:log4j-core@2.9.1
    introduced by org.apache.logging.log4j:log4j-core@2.9.1

If you are using the addon we recommend you run minikube addons disable efk to terminate the vulnerable pod.
If you are not using the efk addon you are not vulnerable.
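As an added check (not code from the issue or the minikube project): a small Python script that scans kubectl's pod list JSON for any container still running the digest named above, and flags log4j-core jars below a version floor. The 2.17.1 floor and the sample pod list are assumptions constructed for the example.

```python
import json
import re

# Image the efk addon pinned at the time of the issue (digest copied from the issue).
VULNERABLE_IMAGE = ("k8s.gcr.io/elasticsearch:v5.6.2@sha256:"
                    "7e95b32a7a2aad0c0db5c881e4a1ce8b7e53236144ae9d9cfb5fbe5608af4ab2")
VULNERABLE_DIGEST = VULNERABLE_IMAGE.split("@", 1)[1]

# Assumption: log4j-core versions below 2.17.1 are treated as affected.
MIN_SAFE_LOG4J = (2, 17, 1)

def log4j_core_is_vulnerable(jar_name):
    """True if jar_name is a log4j-core jar older than MIN_SAFE_LOG4J."""
    m = re.fullmatch(r"log4j-core-(\d+(?:\.\d+)*)\.jar", jar_name)
    if not m:
        return False  # not log4j-core (log4j-api etc. are not the RCE component)
    return tuple(int(x) for x in m.group(1).split(".")) < MIN_SAFE_LOG4J

def find_vulnerable_pods(pod_list_json):
    """Scan 'kubectl get pods -A -o json' output and return (namespace, pod,
    container) for every container whose spec image or runtime imageID carries
    the vulnerable digest. Matching on the digest means a retag cannot hide it."""
    hits = []
    for pod in json.loads(pod_list_json)["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        refs = {c["name"]: c.get("image", "") for c in pod["spec"]["containers"]}
        for cs in pod.get("status", {}).get("containerStatuses", []):
            refs[cs["name"]] = refs.get(cs["name"], "") + " " + cs.get("imageID", "")
        for cname, ref in refs.items():
            if VULNERABLE_DIGEST in ref:
                hits.append((ns, name, cname))
    return hits

# Constructed sample resembling the pod list in the thread (not real cluster output).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "kube-system", "name": "elasticsearch-logging-hnpz6"},
     "spec": {"containers": [{"name": "elasticsearch-logging", "image": VULNERABLE_IMAGE}]},
     "status": {"containerStatuses": [{"name": "elasticsearch-logging",
                "imageID": "k8s.gcr.io/elasticsearch@" + VULNERABLE_DIGEST}]}},
    {"metadata": {"namespace": "kube-system", "name": "kibana-logging-vl7s9"},
     "spec": {"containers": [{"name": "kibana-logging", "image": "registry.example/kibana:5.6.2"}]},
     "status": {"containerStatuses": [{"name": "kibana-logging",
                "imageID": "registry.example/kibana@sha256:" + "0" * 64}]}},
]})

if __name__ == "__main__":
    print(find_vulnerable_pods(SAMPLE_PODS))
    print(log4j_core_is_vulnerable("log4j-core-2.9.1.jar"))
```

Feed it real output with `kubectl get pods -A -o json | python3 check.py` by reading stdin in place of SAMPLE_PODS; an empty result means no container in the cluster runs the pinned digest.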

@spowelljr spowelljr added the area/addons, priority/important-soon, addon/efk and kind/security labels Nov 3, 2022
@spowelljr spowelljr self-assigned this Nov 3, 2022
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 2, 2023
@henk52

henk52 commented Feb 9, 2023

I assume this is complicated to resolve; is there anywhere to go to read up on how to solve this issue?

@spowelljr
Member Author

It requires replacing the vulnerable elasticsearch image with an updated one and making sure the addon still works as intended. After that's completed we can unban the addon.

@spowelljr spowelljr added the lifecycle/frozen label and removed the lifecycle/stale label Feb 13, 2023
@nekperu15739

nekperu15739 commented Feb 21, 2023

Hi,
I know it's a risk; however, for local dev, is there any workaround to make it possible to enable the addon?

@nekperu15739

Hi @spowelljr

Any update on this?

@Sikamator

Any updates?

@spowelljr
Member Author

I created a PR to update the elasticsearch, kibana, and alpine images. I have no idea if the addon will continue to work with the updated images. You can test the PR once it's finished building and let me know if it's working as expected.

@spowelljr
Member Author

The pods are coming up, which is promising:

$ kubectl get pods -A
NAMESPACE     NAME                               READY   STATUS    RESTARTS        AGE
kube-system   coredns-787d4945fb-rfbgc           1/1     Running   0               2m45s
kube-system   elasticsearch-logging-hnpz6        1/1     Running   0               118s
kube-system   etcd-minikube                      1/1     Running   0               2m58s
kube-system   fluentd-es-xxsjv                   1/1     Running   0               118s
kube-system   kibana-logging-vl7s9               1/1     Running   0               118s
kube-system   kube-apiserver-minikube            1/1     Running   0               3m
kube-system   kube-controller-manager-minikube   1/1     Running   0               2m58s
kube-system   kube-proxy-zvmp9                   1/1     Running   0               2m45s
kube-system   kube-scheduler-minikube            1/1     Running   0               2m58s
kube-system   storage-provisioner                1/1     Running   1 (2m14s ago)   2m57s

@spowelljr
Member Author

Here's the macOS amd64 binary: https://storage.googleapis.com/minikube-builds/16343/minikube-darwin-amd64
Linux amd64 binary: https://storage.googleapis.com/minikube-builds/16343/minikube-linux-amd64

If someone could test it and let me know if it works as expected. If someone needs a different binary, just let me know.

@Sikamator

> Here's the macOS amd64 binary: https://storage.googleapis.com/minikube-builds/16343/minikube-darwin-amd64 Linux amd64 binary: https://storage.googleapis.com/minikube-builds/16343/minikube-linux-amd64
>
> If someone could test it and let me know if it works as expected. If someone needs a different binary just let me know

Hello,
I've tested it and confirm it works fine. Thank you.

@spowelljr
Member Author

Hi @Sikamator, just confirming that the addon is working as expected as well? I.e. it's aggregating logs as expected, not just that the addon started.

@gryphon2411

@spowelljr, your PR review failed and, as a result, it wasn't merged.

@wdcs-meetsoni

Still can't enable, any updates?

@spowelljr spowelljr removed their assignment Aug 28, 2024