
[CVE-2024-45338] Non-linear parsing of case-insensitive content in golang.org/x/net/html #129347

Open
dims opened this issue Dec 20, 2024 · 13 comments
Labels
needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture.

Comments

@dims
Member

dims commented Dec 20, 2024

Details are here:

We do use some code from the package x/net/html:
https://cs.k8s.io/?q=x%2Fnet%2Fhtml%22&i=nope&files=&excludeFiles=&repos=kubernetes/kubernetes

and though Kubernetes is using v0.30.0, we are NOT affected, as the affected/fixed symbols are not referenced from our codebase:

https://github.com/golang/vulndb/blame/230cf22dcb14b2afd57acae9022e4adebaa8fe05/data/reports/GO-2024-3333.yaml#L8C41-L18

@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 20, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@dims
Member Author

dims commented Dec 20, 2024

Here's the govulncheck verbose output that confirms that we are NOT affected.

❯ govulncheck --show verbose ./...
Scanning your code and 1924 packages across 180 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

Vulnerability #1: GO-2024-3333
    Non-linear parsing of case-insensitive content in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2024-3333
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.30.0
    Fixed in: golang.org/x/net@v0.33.0

Vulnerability #2: GO-2024-2631
    Decompression bomb vulnerability in github.com/go-jose/go-jose
  More info: https://pkg.go.dev/vuln/GO-2024-2631
  Module: gopkg.in/square/go-jose.v2
    Found in: gopkg.in/square/go-jose.v2@v2.6.0
    Fixed in: N/A

=== Module Results ===

Vulnerability #1: GO-2023-2113
    Memory exhaustion in go.opentelemetry.io/contrib/instrumentation
  More info: https://pkg.go.dev/vuln/GO-2023-2113
  Module: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful
    Found in: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful@v0.42.0
    Fixed in: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful@v0.44.0

Your code is affected by 0 vulnerabilities.
This scan also found 2 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
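The distinction the verbose output above rests on (symbol level versus package and module level) is visible in the `govulncheck -json` stream, where each finding carries a call trace whose first frame names the vulnerable module, package or function. As an added example, not from this thread, from govulncheck or from the Kubernetes tree, the following Go program reads such a stream and reports the deepest level at which each advisory was reached; only symbol-level findings count as "your code is affected". The sample stream is constructed (the field names follow govulncheck's JSON protocol: `finding`, `osv`, `fixed_version`, `trace` with `module`/`version`/`package`/`function`), and `GO-EXAMPLE-0001` with `example.com/dep` is a placeholder advisory, not a real one.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// frame is one entry of a finding's call trace: trace[0] is the vulnerable
// module, package or function; the last entry is the scanned code's entry point.
type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

// message is one top-level object of the -json stream; "config", "progress"
// and "osv" messages leave Finding nil and are skipped.
type message struct {
	Finding *finding `json:"finding"`
}

// Level is how precisely a finding reached the scanned code.
type Level int

const (
	LevelModule  Level = iota + 1 // only the module is required
	LevelPackage                  // the vulnerable package is imported
	LevelSymbol                   // a vulnerable function is actually called
)

var levelNames = [...]string{"", "module", "package", "symbol"}

func (l Level) String() string { return levelNames[l] }

// levelOf derives the level from the first trace frame, mirroring how
// govulncheck splits its report into symbol, package and module sections.
func levelOf(f finding) Level {
	if len(f.Trace) == 0 {
		return LevelModule
	}
	switch head := f.Trace[0]; {
	case head.Function != "":
		return LevelSymbol
	case head.Package != "":
		return LevelPackage
	default:
		return LevelModule
	}
}

// Classify reads a govulncheck -json stream and returns, per advisory ID, the
// deepest level at which it was reached (govulncheck emits one finding per level).
func Classify(r io.Reader) (map[string]Level, error) {
	dec := json.NewDecoder(r)
	levels := make(map[string]Level)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil {
			continue
		}
		if l := levelOf(*m.Finding); l > levels[m.Finding.OSV] {
			levels[m.Finding.OSV] = l
		}
	}
	return levels, nil
}

// Affected reports whether any advisory was reached at symbol level, the only
// case govulncheck counts under "Your code is affected by N vulnerabilities".
func Affected(levels map[string]Level) bool {
	for _, l := range levels {
		if l == LevelSymbol {
			return true
		}
	}
	return false
}

// sampleJSON is a constructed stream, not captured output. GO-EXAMPLE-0001 is a placeholder.
const sampleJSON = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-2024-3333","summary":"Non-linear parsing of case-insensitive content in golang.org/x/net/html"}}
{"finding":{"osv":"GO-2024-3333","fixed_version":"v0.33.0","trace":[{"module":"golang.org/x/net","version":"v0.30.0","package":"golang.org/x/net/html"}]}}
{"finding":{"osv":"GO-2023-2113","fixed_version":"v0.44.0","trace":[{"module":"go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful","version":"v0.42.0"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.0.0","package":"example.com/dep","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
`

func main() {
	levels, err := Classify(strings.NewReader(sampleJSON))
	if err != nil {
		panic(err)
	}
	for id, l := range levels {
		fmt.Printf("%s reached at %s level\n", id, l)
	}
	fmt.Println("code affected:", Affected(levels))
}
```

Against real output, pipe `govulncheck -json ./...` into `Classify` instead of the embedded sample; a scanner that only compares module versions cannot make this distinction because it never sees the trace.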

@dims
Member Author

dims commented Dec 20, 2024

cc @liggitt

@dims
Member Author

dims commented Dec 20, 2024

Some scanners that just go by the version of the x/net module and do NOT inspect the code are very prone to flagging a false positive. For example, here's one:

staging/src/k8s.io/sample-controller/go.mod (gomod)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.30.0           │ 0.33.0        │ Non-linear parsing of case-insensitive content in │
│                  │                │          │        │                   │               │ golang.org/x/net/html                             │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

@dims
Member Author

dims commented Dec 20, 2024

/sig architecture

@k8s-ci-robot k8s-ci-robot added sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Dec 20, 2024
@kannon92
Contributor

Even if Kubernetes is not impacted, I did see usage of golang.org/x/net/html in client-go. I noticed that any object that imported client-go would get hit by those scanners. Anything to worry about for controller-runtime based projects?

@dims
Member Author

dims commented Dec 20, 2024

I did see usage of golang.org/x/net/html in client-go

Link please!

@kannon92
Contributor

I think you may be right. I did a search of golang.org/x/net and saw where that is used. I didn't look at what uses golang.org/x/net/html.

@dims
Member Author

dims commented Dec 20, 2024

@kannon92 yep! For the record, here's what the symbols that were fixed are:

[image]

@kannon92
Contributor

Okay. So for Kueue, here are the vendored packages that used this module. TBH I think anything that brings in gomega may take this dependency (ouch!).

The only component that I see k8s use is:

vendor/k8s.io/apimachinery/pkg/util/proxy/transport.go
30:	"golang.org/x/net/html"
31:	"golang.org/x/net/html/atom"

rg golang.org/x/net/html

kehannon@kehannon-thinkpadp1gen4i:~/Work/kueue$ rg golang.org/x/net/html
vendor/modules.txt
468:golang.org/x/net/html
469:golang.org/x/net/html/atom
470:golang.org/x/net/html/charset

vendor/github.com/onsi/gomega/matchers/match_xml_matcher.go
14:	"golang.org/x/net/html/charset"

vendor/k8s.io/apimachinery/pkg/util/proxy/transport.go
30:	"golang.org/x/net/html"
31:	"golang.org/x/net/html/atom"

vendor/golang.org/x/net/html/parse.go
13:	a "golang.org/x/net/html/atom"

vendor/golang.org/x/net/html/node.go
8:	"golang.org/x/net/html/atom"

vendor/golang.org/x/net/html/doc.go
112:package html // import "golang.org/x/net/html"

vendor/golang.org/x/net/html/charset/charset.go
9:package charset // import "golang.org/x/net/html/charset"
19:	"golang.org/x/net/html"

vendor/golang.org/x/net/html/atom/atom.go
18:package atom // import "golang.org/x/net/html/atom"

vendor/golang.org/x/net/html/token.go
14:	"golang.org/x/net/html/atom"

@dims
Member Author

dims commented Dec 20, 2024

@kannon92 for Kueue, run govulncheck and see what it says (govulncheck --show verbose ./... from the root directory). I bet those symbols I posted above are not used.

@kannon92
Contributor

I already updated that library to use v0.33.0, as fighting the battle that the CVE scanners are not accurate seems to take longer than just bumping the dependency.

We got spammed heavily with this CVE and I spent the better part of yesterday bumping libraries to satisfy this.

🐼

@dims
Member Author

dims commented Dec 21, 2024

@kannon92 very sad state of affairs :(
