Blueprints that have vulnerabilities with a CVSS score >= 9.0 and meet the following criteria should submit their information in the chart below to have the vulnerability considered for an exception:
| CVE/KHV # | Blueprint | Blueprint OS/Ver | URL Showing OS Patch Not Available | Contact Name | Contact Email | Comment | Vendor CVSS Score | Vendor Patch Available | Exception Status |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-1585 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2016-1585 | Colin Peters | colin.peters@fujitsu.com | | Medium | | |
| CVE-2021-20236 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-20236 | Colin Peters | colin.peters@fujitsu.com | | Medium | | |
| CVE-2021-31870 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-31870 | Colin Peters | colin.peters@fujitsu.com | | Low | No | Approved |
| CVE-2021-31872 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-31872 | | colin.peters@fujitsu.com | | Low | No | Approved |
| CVE-2021-31873 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-31873 | | colin.peters@fujitsu.com | | Low | No | Approved |
| CVE-2021-33574 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-33574 | | colin.peters@fujitsu.com | | Low | No | Approved |
| CVE-2021-45951 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45951 | | colin.peters@fujitsu.com | | Medium | No | Approved |
| CVE-2021-45952 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45952 | | colin.peters@fujitsu.com | | Medium | No | Approved |
| CVE-2021-45953 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45953 | | colin.peters@fujitsu.com | | Medium | No | Approved |
| CVE-2021-45954 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45954 | | colin.peters@fujitsu.com | | Medium | No | Approved |
| CVE-2021-45955 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45955 | | colin.peters@fujitsu.com | | Medium | No | Approved |
| CVE-2021-45956 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45956 | | colin.peters@fujitsu.com | | Medium | No | Approved |
| CVE-2021-45957 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45957 | | colin.peters@fujitsu.com | | Medium | No | Approved |
| CVE-2022-23218 | Smart Data Transaction for CPS | Ubuntu 20.04 | | Colin Peters | colin.peters@fujitsu.com | Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls. | Low | | |
| CVE-2022-23219 | Smart Data Transaction for CPS | Ubuntu 20.04 | | Colin Peters | colin.peters@fujitsu.com | Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls. | | | |
| CVE-2016-9180 | Smart Data Transaction for CPS | Ubuntu 20.04 | | Colin Peters | colin.peters@fujitsu.com | | Low | | |
| CVE-2021-35942 | Smart Data Transaction for CPS | Ubuntu 20.04 | | Colin Peters | colin.peters@fujitsu.com | Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls. | Low | | |
| CVE-2017-18201 | | | | | | | Low | | |
| CVE-2017-7827 | | | | | | | | | |
| CVE-2018-5090 | | | | | | Reported fixed in 58 and later version (installed), but still reported by Vuls | Medium | | |
| CVE-2018-5126 | | | | | | Reported fixed in 58 and later version (installed), but still reported by Vuls | Medium | | |
| CVE-2018-5145 | | | | | | Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls | | | Approved |
| CVE-2018-5151 | | | | | | Reported fixed in 60 and later version (installed), but still reported by Vuls | | | |
| CVE-2019-17041 | | | | | | | Low | | |
| CVE-2019-17042 | | | | | | | Low | | |
| CVE-2021-39713 | | Ubuntu 18.04 | | | | Low | Medium | No | Approved |
| CVE-2022-23852 | | Ubuntu 18.04 | | | | | | | |
| CVE-2022-23990 | Robot basic architecture based on SSES | Ubuntu 18.04 | | | inoue.reo@fujitsu.com | | Medium | No | Approved |
| CVE-2022-25235 | Robot basic architecture based on SSES | Ubuntu 18.04 | | | inoue.reo@fujitsu.com | High | Medium | No | Approved |
| CVE-2022-25236 | Robot basic architecture based on SSES | Ubuntu 18.04 | | | inoue.reo@fujitsu.com | High | Medium | No | Approved |
| CVE-2022-25315 | Robot basic architecture based on SSES | Ubuntu 18.04 | | | inoue.reo@fujitsu.com | | | | |
| CVE-2016-9180 | Robot basic architecture based on SSES | Ubuntu 18.04 | | | inoue.reo@fujitsu.com | | Low | | |
| CVE-2019-20433 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2019-20433 | | inoue.reo@fujitsu.com | | Low | No | |
| CVE-2005-2541 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2005-2541 | | inoue.reo@fujitsu.com | | High | No | |
| CVE-2014-2830 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2014-2830 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2016-1585 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2016-1585 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2017-17479 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2017-17479 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2017-9117 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2017-9117 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2018-13410 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2018-13410 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2019-1010022 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2019-1010022 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2019-8341 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2019-8341 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2020-27619 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2020-27619 | | inoue.reo@fujitsu.com | | High | | Approved |
| CVE-2021-29462 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-29462 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2021-29921 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-29921 | | inoue.reo@fujitsu.com | Reported fixed in python3.9 (installed), but still reported by Vuls | High | | Approved |
| CVE-2021-30473 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-30473 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2021-30474 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-30474 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2021-30475 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-30475 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2021-30498 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-30498 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2021-30499 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-30499 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2021-42377 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-42377 | | inoue.reo@fujitsu.com | | Medium | No | Approved |
| CVE-2021-45951 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45951 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2021-45952 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45952 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2021-45953 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45953 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2021-45954 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45954 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2021-45955 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45955 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2021-45956 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45956 | | inoue.reo@fujitsu.com | | High | No | Approved |
| CVE-2022-23303 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2022-23303 | | inoue.reo@fujitsu.com | | Medium | No | Approved |
| CVE-2022-23304 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2022-23304 | | inoue.reo@fujitsu.com | | Medium | No | Approved |
| CVE-2021-4048 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-4048 | | inoue.reo@fujitsu.com | | Medium | No | Approved |
| CVE-2021-43400 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-43400 | | inoue.reo@fujitsu.com | | Medium | No | Approved |
| CVE-2021-33574 | ICN | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-33574 | Kuralamudhan Ramakrishnan | kuralamudhan.ramakrishnan@intel.com | | Low | No | Approved |
| CVE-2019-19814 | ICN | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2019-19814 | | kuralamudhan.ramakrishnan@intel.com | | Low | No | Approved |
| CVE-2021-35942 | ICN | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-35942 | | kuralamudhan.ramakrishnan@intel.com | Vendor status is "Released" and ICN is using the referenced glibc version; however, vuls is still reporting this. `lsb_release -a; dpkg -l libc6` output below. | Low | Yes | Approved |

Output attached to the CVE-2021-35942 (ICN) row:

```
$ lsb_release -a; dpkg -l libc6
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:        20.04
Codename:       focal
No LSB modules are available.
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-=================================
ii  libc6:amd64    2.31-0ubuntu9.7  amd64        GNU C Library: Shared libraries
```
| CVE/KHV # | Blueprint | Blueprint OS/Ver | URL Showing OS Patch Not Available | Contact Name | Contact Email | Comment | Vendor CVSS Score | Vendor Patch Available | Exception Status |
|---|---|---|---|---|---|---|---|---|---|
| KHV044 | ELIOT - IOTGateway | | | | khemendra.kumar@huawei.com | KHV044 - Privileged Container: Calico pod is running in privileged mode (exception reason below) | | | Approved |
| KHV044 | EALTEdge - Enterprise application on 5G light weight telco edge | | | | khemendra.kumar@huawei.com | KHV044 - Privileged Container: Calico pod is running in privileged mode (exception reason below) | | | Approved |
| CAP_NET_RAW | EALTEdge - Enterprise application on 5G light weight telco edge | | | | khemendra.kumar@huawei.com | CAP_NET_RAW Enabled (exception reason below) | | | Approved |
| CVE-2017-12194 | IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family | Ubuntu 18.04 | https://ubuntu.com/security/cve-2017-12194 | Ysemi | rd-sw@ysemi.cn | `lsb_release -a` and `dpkg -l libspice-server1` output below | Medium | No | Approved |

KHV044 - Privileged Container (ELIOT - IOTGateway): Minimize the use of privileged containers. Use Pod Security Policies to enforce a privileged: false policy. Calico pod is running in privileged mode.

Exception Reason: Calico is deployed by manifest file and cannot be set to non-privileged mode. Here is a link regarding the Calico privileged mode issue: "Replace Kubernetes privileged=true with more precise permissions". It seems that after a long time they have recently made an option to disable it, but only if Calico is deployed with the Calico Operator. And there is a doc about non-privileged running of Calico node, for the operator only. In our ELIOT IOT Gateway BP, it is deployed by the calico.yaml file, and with the manifest file they don't support disabling it. So due to the Calico limitation, and our upstream project dependency on the calico.yaml manifest file, we cannot fix it. In future, we can ask the upstream EdgeGallery community to use the Calico operator for deployment, and if they use the operator, then it will be possible to fix this in our BPs.

KHV044 - Privileged Container (EALTEdge - Enterprise application on 5G light weight telco edge): Minimize the use of privileged containers. Use Pod Security Policies to enforce a privileged: false policy. Calico pod is running in privileged mode.

Exception Reason: Calico is deployed by manifest file and cannot be set to non-privileged mode. Here is a link regarding the Calico privileged mode issue: "Replace Kubernetes privileged=true with more precise permissions". It seems that after a long time they have recently made an option to disable it, but only if Calico is deployed with the Calico Operator. And there is a doc about non-privileged running of Calico node, for the operator only. In our EALTEdge BP, it is deployed by the calico.yaml file, and with the manifest file they don't support disabling it. So due to the Calico limitation, and our upstream project dependency on the calico.yaml manifest file, we cannot fix it. In future, we can ask the upstream EdgeGallery community to use the Calico operator for deployment, and if they use the operator, then it will be possible to fix this in our BPs.

CAP_NET_RAW Enabled (EALTEdge - Enterprise application on 5G light weight telco edge): CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required, CAP_NET_RAW MUST be removed. https://www.suse.com/c/demystifying-containers-part-iv-container-security/

For this BP, the exception was approved in the last release; please refer to the last release exception list: Release 5 Blueprint Scanning Status.

Output attached to the CVE-2017-12194 (IEC Type 3) row:

```
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic
$ dpkg -l libspice-server1
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                      Version           Architecture Description
+++-=========================-=================-============-================================================
ii  libspice-server1:arm64    0.14.0-1ubuntu2.1 arm64        Implements the server side of the SPICE protocol
```
| CVE/KHV # | Blueprint | Blueprint OS/Ver | URL Showing OS Patch Not Available | Contact Name | Contact Email | Comment | Vendor CVSS Score | Vendor Patch Available | Exception Status |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-12892 | IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family | Ubuntu 18.04 | https://ubuntu.com/security/cve-2018-12892 | | rd-sw@ysemi.cn | `lsb_release -a` and `sudo dpkg -l \| grep xen` output below | Medium | No | Approved |
| CVE-2019-17113 | IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family | Ubuntu 18.04 | https://ubuntu.com/security/cve-2019-17113 | Ysemi | rd-sw@ysemi.cn | `lsb_release -a` and `sudo dpkg -l libopenmpt-modplug1` output below | Medium | No | Approved |
| CVE-2019-19948 | IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family | Ubuntu 18.04 | https://ubuntu.com/security/cve-2019-19948 | | rd-sw@ysemi.cn | `lsb_release -a`, `dpkg -l \| grep magick` and `magick -version` output below | Low | No | Approved |
| CVE-2019-19949 | IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family | Ubuntu 18.04 | https://ubuntu.com/security/cve-2019-19949 | Ysemi | rd-sw@ysemi.cn | `lsb_release -a`, `dpkg -l \| grep magick` and `magick -version` output below | Low | No | Approved |
| KHV043 | EALTEdge - Enterprise application on 5G light weight telco edge | | | | khemendra.kumar@huawei.com | KHV043 - Cluster Health Disclosure (exception reason below) | | | Approved. Note: Approved for incubation only |
| KHV043 | ELIOT - IOT Gateway | | | | khemendra.kumar@huawei.com | KHV043 - Cluster Health Disclosure (exception reason below) | | | Approved. Note: Approved for incubation only |

Output attached to the four IEC Type 3 rows above (the `lsb_release -a` output is the same for all four):

```
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic
```

CVE-2018-12892:

```
$ sudo dpkg -l | grep xen
ii  libxen-4.9:arm64         4.9.2-0ubuntu1  arm64  Public libs for Xen
ii  libxen-dev:arm64         4.9.2-0ubuntu1  arm64  Public headers and libs for Xen
ii  libxenstore3.0:arm64     4.9.2-0ubuntu1  arm64  Xenstore communications library for Xen
```

CVE-2019-17113:

```
$ sudo dpkg -l libopenmpt-modplug1
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                        Version   Architecture Description
+++-===========================-=========-============-================================================================
ii  libopenmpt-modplug1:arm64   0.3.6-1   arm64        module music library based on OpenMPT -- modplug compat library
```

CVE-2019-19948 and CVE-2019-19949 (identical output attached to both rows):

```
$ dpkg -l | grep magick
ii  imagemagick-6-common          8:6.9.7.4+dfsg-16ubuntu6.12  all    image manipulation programs -- infrastructure
ii  libmagickcore-6.q16-3:arm64   8:6.9.7.4+dfsg-16ubuntu6.12  arm64  low-level image manipulation library -- quantum depth Q16
ii  libmagickwand-6.q16-3:arm64   8:6.9.7.4+dfsg-16ubuntu6.12  arm64  image manipulation library -- quantum depth Q16
$ magick -version
Version: ImageMagick 7.1.0-33 beta Q16-HDRI aarch64 a2b2c088f:20220430 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype lzma pangocairo png x xml zlib
Compiler: gcc (7.5)
```

KHV043 - Cluster Health Disclosure (same request submitted for EALTEdge - Enterprise application on 5G light weight telco edge and for ELIOT - IOT Gateway):

Issue description: Disable the --enable-debugging-handlers kubelet flag.

Exception Reason: With the current analysis, the above solution to fix this issue is causing an impact on basic commands. After disabling this flag, we cannot run the logs and exec commands for any container in the cluster, which is required for users to check their workload. If the kubelet debug flags are disabled, then it is not possible to see the logs of any pods or to run exec commands. So after disabling this flag, the kubectl "logs" & "exec" commands are not working. Currently this issue cannot be fixed with the provided solution. We request an exception for this issue for release 6.

Exception Status: Approved. Note: Approved for incubation only.