-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Flatcar Mayday evaluation #3589
Comments
Do we have a reference for these CVEs? |
I'll provide them ASAP :) in the meantime, can we evaluate if we need it/can disable it? |
As far as I know, we don't really use it: it's a tool used to collect diagnostics when there's something wrong in the system to later analyze them/send them to support or whatever (basically what I was asking because there's a class of trojans which has the same name (Mayday), and since I couldn't find any CVE related to the tool I was wondering if the security scanner tripped over the homonymy. If it turns out there is a significant vulnerability of course we can remove it from the system when we build our flatcar image. |
Adidas added the issue reference, it's an outdated go dependency that might cause a crash when parsing malformed HTML (https://nvd.nist.gov/vuln/detail/CVE-2018-17848): |
I've opened a PR to the flatcar mayday upstream: flatcar/mayday#12 Edit: PR has already been merged, hopefully they will make a new version and include it in the next flatcar release 🚀 |
The PR was merged, and the dev made a couple of other PRs removing obsolete functionality and other vulnerable dependencies. |
Can I just check - what's the actual concern here? Unless I'm mistaken If we're not actively using it for anything (and I'm not aware that we are) then I don't think we have anything to worry about. Yes it's not ideal having the CVE notification but if it's not exploitable then its not a problem 🤷 |
If we can solve the scan alert that would be ideal and since we already have a fix for a CVE with a bigger number in the same dependency, I'm hoping this one was resolved in there too with Daniel's change. So let's check if that's the case and in which flatcar version. If it's not resolved, we need to evaluate the potential risk and communicate with the customer if a fix is really required. |
any updates on this? |
So, Daniel proposed a fix in flatcar/mayday#12. This got merged. A day later they just removed the whole dependency in flatcar/mayday#13. I then looked up which version of The first Flatcar release I could find including this PR is 3975.2.1: https://github.com/flatcar/scripts/blob/stable-3975.2.1/sdk_container/src/third_party/coreos-overlay/app-admin/mayday/mayday-9999.ebuild Flatcar 3975.2.1 is used in CAPA v29.2.0, CAPA v29.3.0, CAPZ v29.1.0 & CAPZ v29.2.0:
According to Dani they are fine as long as we include it in one of the releases on their journey from v20 to v29:
|
We rely on Flatcar as OS for our Kubernetes product.
Flatcar comes with
mayday
(https://github.com/flatcar/mayday) installed by default. It recently turned out to be vulnerable to a few CVEs.Some questions here:
The text was updated successfully, but these errors were encountered: