blog,jdesouza

Filesystem should be read only

For Deployment postgres in namespace default

Description:
Disabling access to the root filesystem can prevent attackers from altering configuration,
installing new software, or overwriting binaries with malicious code.

By default, Kubernetes runs containers with a writeable filesystem. However, Kubernetes workloads should
generally be stateless, and should not need write access to the root filesystem. If workloads do need
to write files to disk, there are safer methods of doing so (see remediation guidance).

References

Remediation:
In your workload's container configuration, set securityContext.readOnlyRootFilesystem = true.

If your workload needs to write data to disk, you can still protect the root filesystem by
mounting a separate volume. This creates a special writeable directory for your app, while
preventing changes to system components, application configuration, etc. See the example
below, or view the docs to learn more.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  volumes:
  - name: data
    emptyDir: {}
  containers:
  - name: busybox
    image: busybox
    command: [ "sh", "-c", "echo 'hello world' > /data/hello.txt" ]
    volumeMounts:
    - name: data
      mountPath: /data
    securityContext:
      readOnlyRootFilesystem: true

Package	CVE	Version	Severity	Title	Description
coreutils	CVE-2016-2781	8.26-3	LOW	coreutils: Non-privileged session can escape to the parent session in chroot	chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
	CVE-2017-18018		LOW	coreutils: race condition vulnerability in chown and chgrp	In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.
gpgv	CVE-2018-1000858	2.1.18-8~deb9u4	MEDIUM	gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure or denial of service	GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060.
	CVE-2018-9234		MEDIUM	GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys	GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
	CVE-2019-14855		LOW
libapt-pkg5.0	CVE-2011-3374	1.4.9	MEDIUM		It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.
libbz2-1.0	CVE-2019-12900	1.0.6-8.1	HIGH	bzip2: out-of-bounds write in function BZ2_decompress	BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
libcomerr2	CVE-2019-5094	1.43.4-2	MEDIUM	e2fsprogs: crafted ext4 partition leads to out-of-bounds write	An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
	CVE-2019-5188		MEDIUM	e2fsprogs: Out-of-bounds write in e2fsck/rehash.c	A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
libelf1	CVE-2018-16062	0.168-1	MEDIUM	elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file	dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.
	CVE-2018-16402		HIGH	elfutils: Double-free due to double decompression of sections in crafted ELF causes crash	libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.
	CVE-2018-16403		MEDIUM	elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash	libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.
	CVE-2018-18310		MEDIUM	elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl	An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.
	CVE-2018-18520		MEDIUM	elfutils: eu-size cannot handle recursive ar files	An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.
	CVE-2018-18521		MEDIUM	elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c	Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.
	CVE-2019-7148		MEDIUM	elfutils: excessive memory allocation in read_long_names in elf_begin.c in libelf	DISPUTED An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a "warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens."
	CVE-2019-7149		MEDIUM	elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw	A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.
	CVE-2019-7150		MEDIUM	elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c	An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.
	CVE-2019-7664		MEDIUM	elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h	In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).
	CVE-2019-7665		MEDIUM	elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c	In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.
libgcrypt20	CVE-2018-6829	1.7.6-2+deb9u3	MEDIUM	libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information	cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.
	CVE-2019-12904		MEDIUM	Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack	In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)
	CVE-2019-13627		MEDIUM	libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library	It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.
liblz4-1	CVE-2019-17543	0.0~r131-2	MEDIUM	lz4: heap-based buffer overflow in LZ4_write32	LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
libnettle6	CVE-2018-16869	3.3-1	LOW	nettle: Leaky data conversion exposing a manager oracle	A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.
libpcre3	CVE-2017-11164	2:8.39-3	HIGH	pcre: OP_KETRMAX feature in the match function in pcre_exec.c	In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.
	CVE-2017-16231		LOW	pcre: self-recursive call in match() in pcre_exec.c leads to denial of service	DISPUTED In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.
	CVE-2017-7245		MEDIUM	pcre: stack-based buffer overflow write in pcre32_copy_substring	Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.
	CVE-2017-7246		MEDIUM	pcre: stack-based buffer overflow write in pcre32_copy_substring	Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.
libstdc++6	CVE-2018-12886	6.3.0-18+deb9u1	MEDIUM	gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass	stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.
libtinfo5	CVE-2018-19211	6.0+20161126-1+deb9u2	MEDIUM	ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c	In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character `*' in name or alias field" detection.
	CVE-2019-17594		MEDIUM	ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c	There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
	CVE-2019-17595		MEDIUM	ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c	There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
libuuid1	CVE-2016-2779	2.29.2-1+deb9u1	HIGH	util-linux: runuser tty hijack via TIOCSTI ioctl	runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
libxtables12	CVE-2012-2663	1.6.0+snapshot20161117-6	HIGH	iptables: --syn flag bypass	extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.
	CVE-2019-11360		MEDIUM		A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.
multiarch-support	CVE-2009-5155	2.24-11+deb9u4	MEDIUM	glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result	In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
	CVE-2010-4051		MEDIUM	CVE-2010-4052 glibc: De-recursivise regular expression engine	The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow."
	CVE-2010-4052		MEDIUM	CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine	Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.
	CVE-2010-4756		MEDIUM	glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions	The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

jdesouza / blog Goto Github PK

blog's People

Contributors

Watchers

Forkers

blog's Issues

Recommend Projects

Recommend Topics

Recommend Org