Skip to end of metadata
Go to start of metadata

1.6.1+dfsg.3-2ubuntu1

Blueprints that have vulnerabilities with a CVSS score >= 9.0 and meet the following criteria should submit their information in the chart below to have the vulnerability considered for an exception:

  • Running at least the minimum OS version required by the Akraino Security Sub-Committee
    • Ubuntu
    • CentOS
    • Debian
    • Fedora
    • Suse Enterprise Server

Legend

Ubuntu Priority/Score Descriptions

Not VulnerablePackages which do not exist in the archive, are not affected by the vulnerability or have a fix applied in the archive.
PendingA fix has been applied and updated packages are awaiting arrival into the archive. For example, this might be used when wider testing is requested for the updated package.
UnknownOpen vulnerability where the priority is currently unknown and needs to be triaged.
NegligibleOpen vulnerability that may be a problem but otherwise does not impose a security risk due to various factors. Examples include when the vulnerability is only theoretical in nature, requires a very special situation, has almost no install base or does no real damage. These typically will not receive security updates unless there is an easy fix and some other issue causes an update.
LowOpen vulnerability that is a problem but does very little damage or is otherwise hard to exploit due to small user base or other factors such as requiring specific environment, uncommon configuration, user assistance, etc. These tend to be included in security updates only when higher priority issues require an update or if many low priority issues have built up.
MediumOpen vulnerability that is a real problem and is exploitable for many users of the affected software. Examples include network daemon denial of service, cross-site scripting and gaining user privileges.
HighOpen vulnerability that is a real problem and is exploitable for many users in the default configuration of the affected software. Examples include serious remote denial of service of the system, local root privilege escalations or local data theft.
CriticalOpen vulnerability that is a world-burning problem and is exploitable for most Ubuntu users. Examples include remote root privilege escalations or remote data theft.
CVE/KHV #BlueprintBlueprint OS/VerURL Showing OS Patch Not AvailableContact NameContact EmailCommentVendor CVSS ScoreVendor Patch AvailableException Status
CVE-2016-1585Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2016-1585Colin Peterscolin.peters@fujitsu.com
MediumNoApproved
CVE-2021-20236Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-20236colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-31870Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-31870colin.peters@fujitsu.com
LowNoApproved
CVE-2021-31872Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-31872colin.peters@fujitsu.com
LowNoApproved
CVE-2021-31873Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-31873colin.peters@fujitsu.com
LowNoApproved
CVE-2021-33574Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-33574colin.peters@fujitsu.com
LowNoApproved
CVE-2021-45951Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45951colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45952Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45952colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45953Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45953colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45954Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45954colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45955Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45955colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45956Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45956colin.peters@fujitsu.com
MediumNoApproved
CVE-2021-45957Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-45957colin.peters@fujitsu.com
MediumNoApproved
CVE-2022-23218Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2022-23218colin.peters@fujitsu.com
LowReported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls.Approved
CVE-2022-23219Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2022-23219colin.peters@fujitsu.com
LowReported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls.Approved
CVE-2016-9180Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2016-9180colin.peters@fujitsu.com
LowNoApproved
CVE-2021-35942Smart Data Transaction for CPSUbuntu 20.04https://ubuntu.com/security/CVE-2021-35942colin.peters@fujitsu.com

LowReported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls.Approved

CVE-2016-1585

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2016-1585

inoue.reo@fujitsu.com



MediumNoApproved

CVE-2017-18201

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2017-18201

inoue.reo@fujitsu.com



LowNoApproved

CVE-2017-7827

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2017-7827

inoue.reo@fujitsu.com


MediumNoApproved

CVE-2018-5090

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2018-5090inoue.reo@fujitsu.com
Medium

Reported fixed in 58 and later version (installed), but still reported by Vuls

Approved

CVE-2018-5126

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2018-5126inoue.reo@fujitsu.com
Medium

Reported fixed in 58 and later version (installed), but still reported by Vuls

Approved

CVE-2018-5145

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2018-5145inoue.reo@fujitsu.com
Medium

Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls

Approved

CVE-2018-5151

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2018-5151inoue.reo@fujitsu.com
Medium

Reported fixed in 60 and later version (installed), but still reported by Vuls

Approved

CVE-2019-17041

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2019-17041inoue.reo@fujitsu.com
LowNoApproved

CVE-2019-17042

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2019-17042inoue.reo@fujitsu.com
LowNoApproved

CVE-2021-31870

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2021-31870inoue.reo@fujitsu.com
LowNoApproved

CVE-2021-31872

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2021-31872inoue.reo@fujitsu.com
LowNoApproved

CVE-2021-31873

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2021-31873inoue.reo@fujitsu.com
LowNoApproved

CVE-2021-39713

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2021-39713inoue.reo@fujitsu.com
LowNoApproved

CVE-2022-23852

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2022-23852inoue.reo@fujitsu.com
MediumNoApproved

CVE-2022-23990

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2022-23990inoue.reo@fujitsu.com
MediumNoApproved

CVE-2022-25235

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2022-25235inoue.reo@fujitsu.com
HighNoApproved

CVE-2022-25236

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2022-25236inoue.reo@fujitsu.com
HighNoApproved

CVE-2022-25315

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2022-25315inoue.reo@fujitsu.com
MediumNoApproved

CVE-2016-9180

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2016-9180inoue.reo@fujitsu.com
LowNoApproved

CVE-2019-20433

Robot basic architecture based on SSESUbuntu 18.04https://ubuntu.com/security/CVE-2019-20433inoue.reo@fujitsu.com
LowNoApproved

CVE-2005-2541

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2005-2541inoue.reo@fujitsu.com
HighNoApproved

CVE-2014-2830

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2014-2830inoue.reo@fujitsu.com
HighNoApproved

CVE-2016-1585

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2016-1585inoue.reo@fujitsu.com
HighNoApproved

CVE-2017-17479

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2017-17479inoue.reo@fujitsu.com
HighNoApproved

CVE-2017-9117

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2017-9117inoue.reo@fujitsu.com
HighNoApproved

CVE-2018-13410

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2018-13410inoue.reo@fujitsu.com
HighNoApproved

CVE-2019-1010022

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2019-1010022inoue.reo@fujitsu.com
HighNoApproved

CVE-2019-8341

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2019-8341inoue.reo@fujitsu.com
HighNoApproved

CVE-2020-27619

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2020-27619inoue.reo@fujitsu.com
High
Approved

CVE-2021-29462

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-29462inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-29921

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-29921inoue.reo@fujitsu.com
HighReported fixed in python3.9 (installed), but still reported by VulsApproved

CVE-2021-30473

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-30473inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-30474

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-30474inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-30475

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-30475inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-30498

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-30498inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-30499

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-30499inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-42377

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-42377inoue.reo@fujitsu.com
MediumNoApproved

CVE-2021-45951

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45951inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-45952

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45952inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-45953

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45953inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-45954

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45954inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-45955

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45955inoue.reo@fujitsu.com
HighNoApproved

CVE-2021-45956

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-45956inoue.reo@fujitsu.com
HighNoApproved

CVE-2022-23303

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2022-23303inoue.reo@fujitsu.com
MediumNoApproved

CVE-2022-23304

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2022-23304inoue.reo@fujitsu.com
MediumNoApproved

CVE-2021-4048

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-4048inoue.reo@fujitsu.com
MediumNoApproved

CVE-2021-43400

Robot basic architecture based on SSESRaspberry Pi OS(Debian 11)https://security-tracker.debian.org/tracker/CVE-2021-43400inoue.reo@fujitsu.com
MediumNoApproved
CVE-2021-33574ICNUbuntu 20.04https://ubuntu.com/security/CVE-2021-33574Kuralamudhan Ramakrishnankuralamudhan.ramakrishnan@intel.com
LowNoApproved
CVE-2019-19814ICNUbuntu 20.04https://ubuntu.com/security/CVE-2019-19814kuralamudhan.ramakrishnan@intel.com
LowNoApproved

CVE-2021-35942

ICNUbuntu 20.04https://ubuntu.com/security/CVE-2021-35942kuralamudhan.ramakrishnan@intel.com

Vendor status is "Released" and ICN is using the referenced glibc version, however vuls is still reporting this.  lsb_release -a; dpkg -l libc6 output:

Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.4 LTS
Release:	20.04
Codename:	focal
No LSB modules are available.
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version         Architecture Description
+++-==============-===============-============-=================================
ii  libc6:amd64    2.31-0ubuntu9.7 amd64        GNU C Library: Shared libraries
LowYesApproved
KHV044ELIOT - IOTGateway


khemendra.kumar@huawei.com

KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy.

Calico pod is running in privileged Mode. 


Exception Reason: Calico deployed by manifest file, can not be set to non privileged mode.

Here is a link regarding the Calico Privilege Mode issue.
Replace Kubernetes privileged=true with more precise permissions

It seems after long time they have make option to disable recently but only if calico deployed with Calic Operator.
And there is a doc about non-priviledged use of running Calico node for operator only.

In our ELIOT IOT Gateway BP, it is deployed by calico.yaml file.
and with manifest file, they don't support to disable it.

So due to Calico limitation, and our ustream project dependency on calico.yaml manifest file, we can not fix it.

IN future, we can ask the upstream EdgeGallery community to use calico operator for deployment and if they use operator, then it will be able to fix in our BPs,



Approved
KHV044EALTEdge - Enterprise application on 5G light weight telco edge


khemendra.kumar@huawei.com

KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy.

Calico pod is running in privileged Mode. 


Exception Reason: Calico deployed by manifest file, can not be set to non privileged mode.

Here is a link regarding the Calico Privilege Mode issue.
Replace Kubernetes privileged=true with more precise permissions

It seems after long time they have make option to disable recently but only if calico deployed with Calic Operator.
And there is a doc about non-priviledged use of running Calico node for operator only.

In our EALTEdge BP, it is deployed by calico.yaml file.
and with manifest file, they don't support to disable it.

So due to Calico limitation, and our ustream project dependency on calico.yaml manifest file, we can not fix it.

IN future, we can ask the upstream EdgeGallery community to use calico operator for deployment and if they use operator, then it will be able to fix in our BPs,



Approved
CAP_NET_RAWEALTEdge - Enterprise application on 5G light weight telco edge


khemendra.kumar@huawei.com

CAP_NET_RAW Enabled
CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required CAP_NET_RAW MUST be removed.
https://www.suse.com/c/demystifying-containers-part-iv-container-security/


For this BP, execption is approved in last release. plz refer last release exeception list

Release 5 Blueprint Scanning Status



Approved
CVE-2017-12194IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint FamilyUbuntu 18.04https://ubuntu.com/security/cve-2017-12194ysemi ysemird-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l libspice-server1:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================================-===============================-===============================-================================================================================================================
ii libspice-server1:arm64 0.14.0-1ubuntu2.1 arm64 Implements the server side of the SPICE protocol

MediumNoApproved 
CVE-2018-12892IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint FamilyUbuntu 18.04https://ubuntu.com/security/cve-2018-12892rd-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

sudo dpkg -l | grep xen

ii libxen-4.9:arm64 4.9.2-0ubuntu1 arm64 Public libs for Xen
ii libxen-dev:arm64 4.9.2-0ubuntu1 arm64 Public headers and libs for Xen
ii libxenstore3.0:arm64 4.9.2-0ubuntu1 arm64 Xenstore communications library for Xen


MediumNoApproved
CVE-2019-17113IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint FamilyUbuntu 18.04https://ubuntu.com/security/cve-2019-17113ysemi ysemird-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

sudo dpkg -l libopenmpt-modplug1

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================================-===============================-===============================-================================================================================================================
ii libopenmpt-modplug1:arm64 0.3.6-1 arm64 module music library based on OpenMPT -- modplug compat library


MediumNoApproved
CVE-2019-19948IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint FamilyUbuntu 18.04https://ubuntu.com/security/cve-2019-19948rd-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l | grep magick

ii imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.12 all image manipulation programs -- infrastructure
ii libmagickcore-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 low-level image manipulation library -- quantum depth Q16
ii libmagickwand-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 image manipulation library -- quantum depth Q16

magick -version:

Version: ImageMagick 7.1.0-33 beta Q16-HDRI aarch64 a2b2c088f:20220430 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype lzma pangocairo png x xml zlib
Compiler: gcc (7.5)

LowNoApproved
CVE-2019-19949IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint FamilyUbuntu 18.04https://ubuntu.com/security/cve-2019-19949ysemi ysemird-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l | grep magick

ii imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.12 all image manipulation programs -- infrastructure
ii libmagickcore-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 low-level image manipulation library -- quantum depth Q16
ii libmagickwand-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 image manipulation library -- quantum depth Q16

magick -version:

Version: ImageMagick 7.1.0-33 beta Q16-HDRI aarch64 a2b2c088f:20220430 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype lzma pangocairo png x xml zlib
Compiler: gcc (7.5)


LowNoApproved
KHV043EALTEdge - Enterprise application on 5G light weight telco edge


khemendra.kumar@huawei.com

IssueKHV043 - Cluster Health Disclosure

Issue description:
 The kubelet is leaking it’s health information, which may contain sensitive information, via the /healthz endpoint. This endpoint is exposed as part of the kubelet’s debug handlers.
Suggested Remediation: 
Disable --enable-debugging-handlers kubelet flag.
Exception Reason:

With current analysis, the above solution to fix this issue is causing impact on basic commands. 
Like after disabling this flag, we can not do logs and exec cmd for any container in the cluster, which is required for users to check their workload.

if disable kubelet debug flags, then it is not possible to see the logs of any pods Or do exec cmds.
So after disabling this flag, kubectl "logs" & "exec" cmd is not working.

Currently this issue can not be fixed with the provided solution. 
We request an exception for this issue for release 6.




KHV043ELIOT - IOT Gateway


khemendra.kumar@huawei.com

IssueKHV043 - Cluster Health Disclosure

Issue description:
 The kubelet is leaking it’s health information, which may contain sensitive information, via the /healthz endpoint. This endpoint is exposed as part of the kubelet’s debug handlers.
Suggested Remediation: 
Disable --enable-debugging-handlers kubelet flag.
Exception Reason:

With current analysis, the above solution to fix this issue is causing impact on basic commands. 
Like after disabling this flag, we can not do logs and exec cmd for any container in the cluster, which is required for users to check their workload.

if disable kubelet debug flags, then it is not possible to see the logs of any pods Or do exec cmds.
So after disabling this flag, kubectl "logs" & "exec" cmd is not working.

Currently this issue can not be fixed with the provided solution. 
We request an exception for this issue for release 6.





  • No labels