CVE Report on GE open source ClusterRole and Roles #8397

Open
edubonifs opened this issue Jun 16, 2023 · 1 comment
Labels: Needs Investigation; stale (Issues that are stale. These will not be prioritized without further engagement on the issue.); Type: Bug (Something isn't working)

Comments

@edubonifs

Gloo Edge Version

1.14.x (latest stable)

Kubernetes Version

None

Describe the bug

Hi team,

One of our customers reported some CVEs in their report.

They basically complain that the ClusterRole gloo/templates/20-namespace-clusterrole-gateway.yaml has some wildcards which are compromising security:

The issue is... The role uses wildcards, which grant the role permissions to the whole cluster.
The impact of this is... The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.
You can resolve this by... Set only the necessary permissions required.

Another of the CVE analyses they got is from the file gloo/templates/5-resource-cleanup-job.yaml, with the following info: "This file contains a potential high severity misconfiguration affecting the ClusterRole." So the customer just wants to check if we can avoid using secrets in the Roles of this file.

This is the complete analysis:

{
  "runs": [
    {
      "originalUriBaseIds": {
        "PROJECTROOT": {
          "uri": "gloo/",
          "description": {
            "text": "The root directory for all project files."
          }
        }
      },
      "tool": {
        "driver": {
          "rules": [
            {
              "name": "RoleWithDangerousPermissions",
              "shortDescription": {
                "text": "High severity - Role with dangerous permissions"
              },
              "fullDescription": {
                "text": "High severity - ClusterRole"
              },
              "help": {
                "text": "The issue is... \nA role was found using a dangerous permissions\n\n The impact of this is... \n Using this role grants dangerous permissions\n\n You can resolve this by... \nConsider removing this permissions",
                "markdown": "**The issue is...** \nA role was found using a dangerous permissions\n\n **The impact of this is...** \n Using this role grants dangerous permissions\n\n **You can resolve this by...** \nConsider removing this permissions"
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "properties": {
                "tags": [
                  "security",
                  "ClusterRole"
                ],
                "problem": {
                  "severity": "high"
                }
              }
            },
            {
              "name": "RoleWithTooWidePermissions",
              "shortDescription": {
                "text": "High severity - Role with too wide permissions"
              },
              "fullDescription": {
                "text": "High severity - ClusterRole"
              },
              "help": {
                "text": "The issue is... \nThe role uses wildcards, which grant the role permissions to the whole cluster\n\n The impact of this is... \n The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.\n\n You can resolve this by... \nSet only the necessary permissions required",
                "markdown": "**The issue is...** \nThe role uses wildcards, which grant the role permissions to the whole cluster\n\n **The impact of this is...** \n The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.\n\n **You can resolve this by...** \nSet only the necessary permissions required"
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "properties": {
                "tags": [
                  "security",
                  "ClusterRole"
                ],
                "problem": {
                  "severity": "high"
                }
              }
            }
          ]
        }
      },
      "results": [
        {
          "message": {
            "text": "This line contains a potential high severity misconfiguration affecting the ClusterRole"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "gloo/templates/20-namespace-clusterrole-gateway.yaml",
                  "uriBaseId": "PROJECTROOT"
                },
                "region": {
                  "startLine": 14
                }
              }
            }
          ]
        },
        {
          "message": {
            "text": "This line contains a potential high severity misconfiguration affecting the ClusterRole"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "gloo/templates/20-namespace-clusterrole-gateway.yaml",
                  "uriBaseId": "PROJECTROOT"
                },
                "region": {
                  "startLine": 45
                }
              }
            }
          ]
        },
        {
          "message": {
            "text": "This line contains a potential high severity misconfiguration affecting the ClusterRole"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "gloo/templates/20-namespace-clusterrole-gateway.yaml",
                  "uriBaseId": "PROJECTROOT"
                },
                "region": {
                  "startLine": 39
                }
              }
            }
          ]
        },
        {
          "message": {
            "text": "This line contains a potential high severity misconfiguration affecting the ClusterRole"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "gloo/templates/5-resource-cleanup-job.yaml",
                  "uriBaseId": "PROJECTROOT"
                },
                "region": {
                  "startLine": 33
                }
              }
            }
          ]
        },
        {
          "message": {
            "text": "This line contains a potential high severity misconfiguration affecting the ClusterRole"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "gloo/templates/5-resource-migration-job.yaml",
                  "uriBaseId": "PROJECTROOT"
                },
                "region": {
                  "startLine": 30
                }
              }
            }
          ]
        },
        {
          "message": {
            "text": "This line contains a potential high severity misconfiguration affecting the ClusterRole"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "gloo/templates/5-resource-rollout-job.yaml",
                  "uriBaseId": "PROJECTROOT"
                },
                "region": {
                  "startLine": 30
                }
              }
            }
          ]
        },
        {
          "message": {
            "text": "This line contains a potential high severity misconfiguration affecting the ClusterRole"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "gloo/templates/6.5-gateway-certgen-job.yaml",
                  "uriBaseId": "PROJECTROOT"
                },
                "region": {
                  "startLine": 44
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

Steps to reproduce the bug

Run CVE against open source Gloo Edge

Expected Behavior

Check if any of these CVEs can be avoided

Additional Context

No response
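To make the two scanner findings concrete, here is an added audit script (not part of the issue, not Gloo's code) that approximates the RoleWithTooWidePermissions and RoleWithDangerousPermissions checks over a ClusterRole in the JSON shape `kubectl get clusterrole <name> -o json` returns. The two manifests, the role name and the scoped allow list are constructed illustrations, not Gloo's actual RBAC requirements.

```python
import json
from typing import Dict, List

# Constructed sample: rule 0 is the kind of wildcard grant the report calls
# RoleWithTooWidePermissions, rule 1 the secrets access it calls
# RoleWithDangerousPermissions, rule 2 is a narrowly scoped rule that passes.
WIDE_ROLE = json.dumps({
    "kind": "ClusterRole", "metadata": {"name": "sample-gateway"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["gateway.solo.io"], "resources": ["gateways"], "verbs": ["get", "list", "watch"]},
    ],
})

# The same role with the wildcard replaced by an explicit allow list and the
# secrets rule dropped (constructed example of the "set only the necessary
# permissions" remediation, not Gloo's real minimum).
SCOPED_ROLE = json.dumps({
    "kind": "ClusterRole", "metadata": {"name": "sample-gateway"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps", "services"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["gateway.solo.io"], "resources": ["gateways"], "verbs": ["get", "list", "watch"]},
    ],
})

# Any of these verbs on secrets lets the holder read secret material.
SECRET_READ_VERBS = {"get", "list", "watch", "*"}


def audit_role(manifest_json: str) -> List[Dict[str, object]]:
    """Return one finding per rule that uses a wildcard or can read secrets."""
    findings: List[Dict[str, object]] = []
    for idx, rule in enumerate(json.loads(manifest_json).get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        # RoleWithTooWidePermissions: '*' in apiGroups, resources or verbs.
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append({"rule": idx, "check": "RoleWithTooWidePermissions"})
        # RoleWithDangerousPermissions: secrets readable explicitly or via '*'.
        if ("secrets" in resources or "*" in resources) and SECRET_READ_VERBS & set(verbs):
            findings.append({"rule": idx, "check": "RoleWithDangerousPermissions"})
    return findings


def is_least_privilege(manifest_json: str) -> bool:
    """True when neither check fires for any rule in the manifest."""
    return not audit_role(manifest_json)


if __name__ == "__main__":
    for name, doc in (("wide", WIDE_ROLE), ("scoped", SCOPED_ROLE)):
        print(name, audit_role(doc))
```

Note that a `resources: ["*"]` rule triggers the secrets check as well, because the wildcard implicitly includes secrets.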

@edubonifs edubonifs added the Type: Bug Something isn't working label Jun 16, 2023

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.

@github-actions github-actions bot added the stale Issues that are stale. These will not be prioritized without further engagement on the issue. label Jun 16, 2024