
Update module github.com/crossplane/crossplane to v1.11.5 [SECURITY] #211

Open: wants to merge 1 commit into base: main

Conversation

renovate[bot] (Contributor) commented Aug 6, 2024

This PR contains the following updates:

Package: github.com/crossplane/crossplane
Change: v1.10.0 -> v1.11.5

GitHub Vulnerability Alerts

CVE-2023-27484

Summary

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified a vulnerability in the fieldpath package from crossplane/crossplane-runtime that an already highly privileged Crossplane user able to create or update Compositions could leverage to cause an out of memory panic in Crossplane.

Details

Compositions allow users to specify patches inserting elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, patches are evaluated and if a specified index is greater than the current size of the target slice, that slice's size will be increased to the specified index, which could lead to an excessive amount of memory usage and therefore the Pod being OOM-Killed. The index is already capped to the maximum value for a uint32 (4294967295) when parsed, but that is still an unnecessarily large value.

Workaround

Users can restrict write privileges on Compositions to only admin users as a workaround.
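The padding behaviour the advisory describes, written out with a bound on the index, as an added Go illustration. This is not Crossplane's fieldpath code: MaxIndex, SetIndex and GrowthBytes are this example's own names, the 1024 cap is an assumed value chosen for the illustration, and GrowthBytes only estimates the interface headers a grown []any allocates, which is what turns a patch's index into the memory figure the advisory warns about.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// MaxIndex is an assumed defensive ceiling on array indices accepted from a
// user-supplied patch. It is this illustration's choice, not a Crossplane value;
// the advisory only says the parser capped indices at math.MaxUint32.
const MaxIndex = 1024

// ErrIndexTooLarge is returned for indices above MaxIndex.
var ErrIndexTooLarge = errors.New("array index exceeds configured maximum")

// SetIndex stores v at position idx in s. If idx is past the end, s is grown
// with nil elements up to idx, which is the behaviour the advisory describes:
// the allocation size is decided by the patch author, so it has to be bounded.
func SetIndex(s []any, idx int, v any) ([]any, error) {
	if idx < 0 {
		return nil, errors.New("negative array index")
	}
	if idx > MaxIndex {
		return nil, fmt.Errorf("index %d: %w", idx, ErrIndexTooLarge)
	}
	if idx >= len(s) {
		grown := make([]any, idx+1)
		copy(grown, s)
		s = grown
	}
	s[idx] = v
	return s, nil
}

// GrowthBytes estimates how much memory padding s from length cur up to idx
// allocates. Each element of a []any is a two-word interface header, 16 bytes
// on 64-bit platforms; the padded values themselves are nil and not counted.
func GrowthBytes(cur, idx int) uint64 {
	if idx < cur {
		return 0
	}
	const ifaceHeader = 16
	return uint64(idx+1-cur) * ifaceHeader
}

func main() {
	s, err := SetIndex([]any{"first"}, 3, "fourth")
	fmt.Println(s, err) // [first <nil> <nil> fourth] <nil>

	_, err = SetIndex(nil, 1<<20, "too far")
	fmt.Println(err)

	gib := float64(GrowthBytes(0, math.MaxUint32)) / (1 << 30)
	fmt.Printf("padding to index %d would allocate ~%.0f GiB of headers\n", uint32(math.MaxUint32), gib)
}
```

Run as a program it shows the two halves of the problem: a small out-of-range index is padded with nils as expected, and the uint32 ceiling the advisory mentions still corresponds to about 64 GiB of interface headers, which is why a cap far below it (or a rejection of indices beyond the current length) is the meaningful mitigation.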

CVE-2023-38495

Impact

Crossplane's image backend does not validate the byte contents of Crossplane packages. As such, Crossplane does not detect if an attacker has tampered with a Package.

Patches

The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0, all the supported versions of Crossplane at the time of writing.

Workarounds

Only using images from trusted sources and keeping Package editing/creating privileges to administrators only, which should be both considered already best practices.

References

See ADA-XP-23-11 in the Security Audit's report.

Credits

This was reported as ADA-XP-23-11 by @AdamKorcz and @DavidKorczynski from Ada Logics and facilitated by OSTIF as part of the Security Audit sponsored by CNCF.

CVE-2023-37900

Impact

A high-privileged user could create a Package referencing an arbitrarily large image that Crossplane would then parse, possibly resulting in exhausting all the available memory and therefore in the container being OOMKilled.

The impact is low due to the high privileges required to be able to create the Package and the eventual consistency nature of the controller.

Patches

The problem has been fixed in 1.11.5, 1.12.3 and 1.13.0, all the supported versions of Crossplane at the time of writing.

Workarounds

Only using images from trusted sources and keeping Package editing/creating privileges to administrators only, which should be both considered already best practices.

References

See ADA-XP-23-16 in the Security Audit's report.

Credits

This was reported as ADA-XP-23-16 by @AdamKorcz and @DavidKorczynski from Ada Logics and facilitated by OSTIF as part of the Security Audit sponsored by CNCF.
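CVE-2023-38495 and CVE-2023-37900 above are two faces of the same loader mistake: untrusted package bytes are parsed before either their size or their digest is checked. The Go snippet below is an added example, not Crossplane's package loader or its actual fix. ReadPackage, Digest, MaxPackageBytes and the error values are this example's own names, the 1 MiB cap is an assumed figure, and samplePackage is a constructed stand-in for a package layer's contents.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// MaxPackageBytes is an assumed ceiling on how much of a package layer the loader
// will buffer before parsing. The value is this illustration's choice.
const MaxPackageBytes = 1 << 20

var (
	ErrPackageTooLarge = errors.New("package exceeds size limit")
	ErrDigestMismatch  = errors.New("package bytes do not match expected digest")
)

// Digest returns the hex-encoded SHA-256 of b, the form an OCI manifest uses to
// pin a layer (without the "sha256:" prefix).
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// ReadPackage reads a package layer from r with the two checks the advisories
// call for: the read stops at MaxPackageBytes so an oversized image cannot
// exhaust memory, and the bytes are compared against expectedHex before
// anything is parsed, so tampered content is rejected instead of trusted.
func ReadPackage(r io.Reader, expectedHex string) ([]byte, error) {
	want, err := hex.DecodeString(expectedHex)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("malformed expected digest")
	}
	// Read one byte past the limit so "exactly at the limit" and "over it"
	// can be told apart without buffering the whole oversized input.
	data, err := io.ReadAll(io.LimitReader(r, MaxPackageBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > MaxPackageBytes {
		return nil, ErrPackageTooLarge
	}
	got := sha256.Sum256(data)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, ErrDigestMismatch
	}
	return data, nil
}

// samplePackage is a constructed stand-in for the contents of a package layer.
var samplePackage = []byte("apiVersion: meta.pkg.crossplane.io/v1\nkind: Provider\nmetadata:\n  name: example\n")

func main() {
	pinned := Digest(samplePackage)

	if _, err := ReadPackage(bytes.NewReader(samplePackage), pinned); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("genuine package accepted")
	}

	// Flip one bit: the digest no longer matches and the package is refused.
	tampered := append([]byte{}, samplePackage...)
	tampered[len(tampered)-2] ^= 0x01
	_, err := ReadPackage(bytes.NewReader(tampered), pinned)
	fmt.Println("tampered package:", err)

	// An oversized layer is refused on size alone, even with a correct digest.
	huge := bytes.Repeat([]byte{'A'}, MaxPackageBytes+1)
	_, err = ReadPackage(bytes.NewReader(huge), Digest(huge))
	fmt.Println("oversized package:", err)
}
```

The size check runs before hashing on purpose: hashing a multi-gigabyte layer to discover it is oversized would already spend the memory and time the limit is meant to save, while comparing digests in constant time avoids leaking how much of the expected value matched.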

Release Notes

crossplane/crossplane (github.com/crossplane/crossplane)

v1.11.5

Compare Source

v1.11.5 addresses a few security issues shared during the security audit by Ada Logics and facilitated by OSTIF, sponsored by CNCF. See the report for more details.

Notable changes

  • Fix composition functions to be able to run with unconfined AppArmor profile.
  • Security fixes, see the report for more details.

What's Changed

Full Changelog: crossplane/crossplane@v1.11.4...v1.11.5

v1.11.4

Compare Source

v1.11.4 addresses a few minor bugs and bumps a few dependencies to address vulnerabilities image scanners might have reported.

Notable changes

  • Clarified the ControllerConfig deprecation message, highlighting that it's not going to be removed until a better option is available and a clear migration path has been well documented and publicly shared. Reduced also the number of times the message is shown to reduce noise.
  • Bumped a few dependencies to remove the number of HIGH CVEs reported by image scanners.

What's Changed

Full Changelog: crossplane/crossplane@v1.11.3...v1.11.4

v1.11.3

Compare Source

v1.11.3 is a scoped patch release that focuses on an issue that was preventing the alpha feature of Composition Functions from successfully running in certain environments that have a version of crun of 1.8+ (issue #3807). This release should unblock the general testing and feedback on Composition Functions again. Thank you @AndrewChubatiuk for contributing this fix!

What's Changed

Full Changelog: crossplane/crossplane@v1.11.2...v1.11.3

v1.11.2

Compare Source

v1.11.2 bumps the crossplane-runtime version, in order to address a Crossplane vulnerability, caused by GHSA-vfvj-3m3g-m532.
These vulnerabilities were discovered thanks to the fuzz tests added to the Crossplane project by Ada Logics as part of a security audit sponsored by the CNCF.

What's Changed

Full Changelog: crossplane/crossplane@v1.11.1...v1.11.2

v1.11.1

Compare Source

v1.11.1 contains a fix for Composition Functions causing extra resources to be created (#3774), applies the --pollInterval CLI argument to the Claim and Composite reconcilers (#3773), and adds the Composite Kind and APIVersion information to the kubectl get output columns for Compositions and CompositionRevisions. Additional dependency and CI updates are also included.

What's Changed

Full Changelog: crossplane/crossplane@v1.11.0...v1.11.1

v1.11.0

Compare Source

Release v1.11.0 is a regularly scheduled quarterly release that includes many exciting features that have been highly requested by the Crossplane community, such as Composition Functions, EnvironmentConfig, and promoting CompositionRevisions to beta.

Additionally, this v1.11.0 release includes a major documentation rewrite based on direct feedback from Crossplane users, and also focuses on stability fixes and design investigations.

New Features

  • Composition Function support introduced in alpha by @negz in https://github.com/crossplane/crossplane/pull/2886. You are now able to write your own custom composition logic, in any programming language of your choice, to augment Crossplane’s built-in patching and transform capabilities.
  • EnvironmentConfig support introduced in alpha by @MisterMX in https://github.com/crossplane/crossplane/pull/3007. It’s now possible to patch resources within a Composition by using configuration data from the general runtime environment, as opposed to being constrained to information available within a single composite resource.
  • Promoted CompositionRevisions to v1beta1 and are now enabled by default by @ezgidemirel in https://github.com/crossplane/crossplane/pull/3453. CompositionRevisions have been improved with feedback from the community and are now stabilized and ready for general production usage.
  • The Crossplane documentation website has been redesigned to give users of Crossplane a better educational experience, whether they are new to the project or more advanced. Check out the new docs site at https://docs.crossplane.io/ and let us know your feedback in the docs repo!

Notable Updates

What's Changed

New Contributors

Full Changelog: crossplane/crossplane@v1.10.0...v1.11.0

v1.10.4

Compare Source

v1.10.4 bumps a few dependencies to address vulnerabilities image scanners might have reported.

Notable changes

  • Bumped a few dependencies to remove the number of HIGH CVEs reported by image scanners.

What's Changed

Full Changelog: crossplane/crossplane@v1.10.3...v1.10.4

v1.10.3

Compare Source

v1.10.3 bumps the crossplane-runtime version, in order to address a Crossplane vulnerability, caused by GHSA-vfvj-3m3g-m532.
These vulnerabilities were discovered thanks to the fuzz tests added to the Crossplane project by Ada Logics as part of a security audit sponsored by the CNCF.

What's Changed

Full Changelog: crossplane/crossplane@v1.10.2...v1.10.3

v1.10.2

Compare Source

The v1.10.2 release includes fixes for restoring the documented packagePullPolicy: Always behavior (https://github.com/crossplane/crossplane/pull/3581) as well as a follow-up fix to https://github.com/crossplane/crossplane/pull/3426 for constantly enqueued reconciles for ProviderRevisions marked as Inactive (https://github.com/crossplane/crossplane/pull/3582). There were also numerous documentation fixes and minor dependency updates.

What's Changed

  • [Backport release-1.10] CLI install scrip

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the automated label Aug 6, 2024

renovate bot (Contributor, Author) commented Aug 6, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 30 additional dependencies were updated

Details:

Package Change
cloud.google.com/go/storage v1.27.0 -> v1.28.1
github.com/alecthomas/kong v0.7.1 -> v0.7.2-0.20221130112736-919e70103f7a
github.com/google/go-containerregistry v0.9.0 -> v0.15.3-0.20230625233257-b8504803389b
github.com/sirupsen/logrus v1.9.0 -> v1.9.1
github.com/spf13/cobra v1.6.1 -> v1.7.0
golang.org/x/mod v0.7.0 -> v0.10.0
google.golang.org/api v0.103.0 -> v0.122.0
cloud.google.com/go v0.107.0 -> v0.110.0
cloud.google.com/go/compute v1.14.0 -> v1.19.3
cloud.google.com/go/iam v0.7.0 -> v0.13.0
github.com/BurntSushi/toml v0.3.1 -> v1.2.1
github.com/cespare/xxhash/v2 v2.1.2 -> v2.2.0
github.com/docker/cli v20.10.16+incompatible -> v24.0.0+incompatible
github.com/docker/distribution v2.8.1+incompatible -> v2.8.2+incompatible
github.com/docker/docker v23.0.0-rc.1+incompatible -> v24.0.0+incompatible
github.com/docker/docker-credential-helpers v0.6.4 -> v0.7.0
github.com/golang/protobuf v1.5.2 -> v1.5.3
github.com/googleapis/enterprise-certificate-proxy v0.2.0 -> v0.2.3
github.com/googleapis/gax-go/v2 v2.7.0 -> v2.8.0
github.com/inconshreveable/mousetrap v1.0.1 -> v1.1.0
github.com/opencontainers/image-spec v1.1.0-rc2 -> v1.1.0-rc3
golang.org/x/net v0.7.0 -> v0.10.0
golang.org/x/oauth2 v0.1.0 -> v0.8.0
golang.org/x/sync v0.1.0 -> v0.2.0
golang.org/x/sys v0.5.0 -> v0.8.0
golang.org/x/term v0.5.0 -> v0.8.0
golang.org/x/text v0.7.0 -> v0.9.0
google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd -> v0.0.0-20230410155749-daa745c078e1
google.golang.org/grpc v1.50.1 -> v1.55.0
google.golang.org/protobuf v1.28.2-0.20220831092852-f930b1dc76e8 -> v1.30.0

@renovate renovate bot force-pushed the renovate/go-github.com-crossplane-crossplane-vulnerability branch from 0485e7e to 8bb0c68 Compare September 17, 2024 09:26