Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

1.6.1+dfsg.3-2ubuntu1

Blueprints that have vulnerabilities with a CVSS score >= 9.0 and meet the following criteria should submit their information in the chart below to have the vulnerability considered for an exception:

  • Running at least the minimum OS version required by the Akraino Security Sub-Committee
    • Ubuntu
    • CentOS
    • Debian
    • Fedora
    • Suse Enterprise Server

Legend

Ubuntu Priority/Score Descriptions

Not Vulnerable: Packages which do not exist in the archive, are not affected by the vulnerability or have a fix applied in the archive.
Pending: A fix has been applied and updated packages are awaiting arrival into the archive. For example, this might be used when wider testing is requested for the updated package.
Unknown: Open vulnerability where the priority is currently unknown and needs to be triaged.
Negligible: Open vulnerability that may be a problem but otherwise does not impose a security risk due to various factors. Examples include when the vulnerability is only theoretical in nature, requires a very special situation, has almost no install base or does no real damage. These typically will not receive security updates unless there is an easy fix and some other issue causes an update.
Low: Open vulnerability that is a problem but does very little damage or is otherwise hard to exploit due to small user base or other factors such as requiring specific environment, uncommon configuration, user assistance, etc. These tend to be included in security updates only when higher priority issues require an update or if many low priority issues have built up.
Medium: Open vulnerability that is a real problem and is exploitable for many users of the affected software. Examples include network daemon denial of service, cross-site scripting and gaining user privileges.
High: Open vulnerability that is a real problem and is exploitable for many users in the default configuration of the affected software. Examples include serious remote denial of service of the system, local root privilege escalations or local data theft.
Critical: Open vulnerability that is a world-burning problem and is exploitable for most Ubuntu users. Examples include remote root privilege escalations or remote data theft.


CVE/KHV # | Blueprint | Blueprint OS/Ver | URL Showing OS Patch Not Available | Contact Name | Contact Email | Comment | Vendor CVSS Score | Vendor Patch Available | Exception Status

(Rows below separate columns with " | "; "-" marks an empty cell; where the two compared page versions differ in a cell, both values are shown separated by " / ". Rows whose Vendor Patch Available cell holds command output are continued after that output as "CVE-… (cont.)".)

CVE-2016-1585 | Smart Data Transaction for CPS / Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) / Ubuntu 20.04 | https://ubuntu.com/security/CVE-2016-1585 / https://security-tracker.debian.org/tracker/CVE-2016-1585 | Colin Peters | inoue.reo@fujitsu.com / colin.peters@fujitsu.com | - | Medium | No | Approved

CVE-2021-20236 / CVE-2017-18201 | Smart Data Transaction for CPS / Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) / Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-20236 / https://security-tracker.debian.org/tracker/CVE-2017-17479 | Colin Peters | colin.peters@fujitsu.com / inoue.reo@fujitsu.com | - | Medium | No | Approved
CVE-2021-31870 / CVE-2019-17041 | Smart Data Transaction for CPS / Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) / Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-31870 / https://security-tracker.debian.org/tracker/CVE-2019-17041 | Colin Peters / Inoue Reo | colin.peters@fujitsu.com / inoue.reo@fujitsu.com | - | Low | No | Approved
CVE-2021-31872 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-31872 | - | colin.peters@fujitsu.com | - | Low | No | Approved
CVE-2021-31873 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-31873 | - | colin.peters@fujitsu.com | - | Low | No | Approved
CVE-2021-33574 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-33574 | - | colin.peters@fujitsu.com | - | Low | No | Approved
CVE-2021-45951 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45951 | - | colin.peters@fujitsu.com | - | Medium | No | Approved
CVE-2021-45952 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45952 | - | colin.peters@fujitsu.com | - | Medium | No | Approved
CVE-2021-45953 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45953 | - | colin.peters@fujitsu.com | - | Medium | No | Approved
CVE-2021-45954 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45954 | - | colin.peters@fujitsu.com | - | Medium | No | Approved
CVE-2021-45955 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45955 | - | colin.peters@fujitsu.com | - | Medium | No | Approved
CVE-2021-45956 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45956 | - | colin.peters@fujitsu.com | - | Medium | No | Approved
CVE-2021-45957 | Smart Data Transaction for CPS | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-45957 | - | colin.peters@fujitsu.com | - | Medium | No | Approved
CVE-2022-23218 | Smart Data Transaction for CPS

Please add to the "Vendor Patch Available" column output from the following commands:

lsb_release -a
dpkg -l | grep <package name associated with CVE>


I installed a later version of the software than the version that has been fixed for CVE.


$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

$ dpkg -l |grep rsyslog
ii  rsyslog                              8.2102.0-2+deb11u1               arm64        reliable system and kernel logging daemon

Approved
CVE-2019-17042 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2019-17042 | Inoue Reo | inoue.reo@fujitsu.com

Please add to the "Vendor Patch Available" column output from the following commands:

lsb_release -a
dpkg -l | grep <package name associated with CVE>


I installed a later version of the software than the version that has been fixed for CVE.


$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

$ dpkg -l |grep rsyslog
ii  rsyslog                              8.2102.0-2+deb11u1               arm64        reliable system and kernel logging daemon

CVE-2019-17042 (cont.) | Approved
CVE-2022-3649 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2022-3649 | Inoue Reo | inoue.reo@fujitsu.com | - | - | No | Approved
CVE-2019-20433 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2019-20433 | Inoue Reo | inoue.reo@fujitsu.com | - | - | No | Approved
CVE-2022-24303 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2022-24303 | Inoue Reo | inoue.reo@fujitsu.com | - | - | No | Approved
CVE-2022-39319 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2022-39319 | - | inoue.reo@fujitsu.com | - | - | No | -
CVE-2022-41877 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2022-41877 | Inoue Reo | inoue.reo@fujitsu.com | - | - | No | Approved

CVE-2016-1585 | Robot basic architecture based on SSES | Ubuntu 18.04 / Ubuntu 20.04 | https://ubuntu.com/security/CVE-2022-23218 / https://ubuntu.com/security/CVE-2016-1585 | Colin Peters | colin.peters@fujitsu.com / inoue.reo@fujitsu.com | - | Low / Medium | Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls. / No | Approved
CVE-2022-23219 / CVE-2017-18201 | Smart Data Transaction for CPS / Robot basic architecture based on SSES | Ubuntu 18.04 / Ubuntu 20.04 | https://ubuntu.com/security/CVE-2022-23219 / https://ubuntu.com/security/CVE-2017-18201 | Colin Peters | colin.peters@fujitsu.com / inoue.reo@fujitsu.com | - | Low | Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls. / No | Approved
CVE-2016-9180 / CVE-2017-7827 | Smart Data Transaction for CPS / Robot basic architecture based on SSES | Ubuntu 18.04 / Ubuntu 20.04 | https://ubuntu.com/security/CVE-2016-9180 / https://ubuntu.com/security/CVE-2017-7827 | Colin Peters | colin.peters@fujitsu.com / inoue.reo@fujitsu.com | - | Low / Medium | No | Approved
CVE-2021-35942 / CVE-2018-5090 | Smart Data Transaction for CPS / Robot basic architecture based on SSES | Ubuntu 18.04 / Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-35942 / https://ubuntu.com/security/CVE-2018-5090 | Colin Peters | colin.peters@fujitsu.com / inoue.reo@fujitsu.com | - | Medium / Low | Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls. / No | Approved
CVE-2016-1585 / CVE-2018-5126 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2016-1585 / https://ubuntu.com/security/CVE-2018-5126 | - | inoue.reo@fujitsu.com | - | Medium | No | Approved
CVE-2017-18201 / CVE-2018-5145 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2017-18201 / https://ubuntu.com/security/CVE-2018-5145 | - | inoue.reo@fujitsu.com | - | Low / Medium | No | Approved
CVE-2017-7827 / CVE-2018-5151 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2017-7827 / https://ubuntu.com/security/CVE-2018-5151 | - | inoue.reo@fujitsu.com | - | Medium | No | Approved
CVE-2018-5090 / CVE-2019-17041 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2018-5090 / https://ubuntu.com/security/CVE-2019-17041 | - | inoue.reo@fujitsu.com | - | Medium / Low | Reported fixed in 58 and later version (installed), but still reported by Vuls / No | Approved
CVE-2018-5126 / CVE-2019-17042 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2018-5126 / https://ubuntu.com/security/CVE-2019-17042 | - | inoue.reo@fujitsu.com | - | Medium / Low | Reported fixed in 58 and later version (installed), but still reported by Vuls / No | Approved
CVE-2018-5145 / CVE-2022-0318 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2018-5145 / https://ubuntu.com/security/CVE-2022-0318 | - | inoue.reo@fujitsu.com | - | Medium | Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls / No | Approved
CVE-2022-3649 / CVE-2018-5151 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2018-5151 / https://ubuntu.com/security/CVE-2022-3649 | - | inoue.reo@fujitsu.com | - | Medium | Reported fixed in 60 and later version (installed), but still reported by Vuls / No | Approved
CVE-2019-17041 / CVE-2022-3890 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2019-17041 / https://ubuntu.com/security/CVE-2022-3890 | - | inoue.reo@fujitsu.com | - | Low / Medium | No | Approved
CVE-2019-17042 / CVE-2022-4135 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2019-17042 / https://ubuntu.com/security/CVE-2022-4135 | - | inoue.reo@fujitsu.com | - | Low / Medium | No | Approved
CVE-2021-31870 / CVE-2016-9180 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2021-31870 / https://ubuntu.com/security/CVE-2016-9180 | - | inoue.reo@fujitsu.com | - | Low | No | Approved
CVE-2021-31872 / CVE-2019-20433 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2021-31872 / https://ubuntu.com/security/CVE-2019-20433 | - | inoue.reo@fujitsu.com | - | Low | No | Approved
CVE-2021-31873 / CVE-2022-24303 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2021-31873 / https://ubuntu.com/security/CVE-2022-24303 | - | inoue.reo@fujitsu.com | - | Low | No | Approved
CVE-2021-39713 / CVE-2016-1585 | Robot basic architecture based on SSES | Ubuntu 18.04 / Ubuntu 22.04 | https://ubuntu.com/security/CVE-2021-39713 / https://ubuntu.com/security/CVE-2016-1585 | - | inoue.reo@fujitsu.com | - | Low / Medium | No | Approved
CVE-2022-23852 / CVE-2022-3649 | Robot basic architecture based on SSES | Ubuntu 18.04 / Ubuntu 22.04 | https://ubuntu.com/security/CVE-2022-23852 / https://ubuntu.com/security/CVE-2022-3649 | - | inoue.reo@fujitsu.com | - | Medium | No | Approved
CVE-2022-23990 / CVE-2016-1585 | Robot basic architecture based on SSES / Smart Data Transaction for CPS | Ubuntu 20.04 / Ubuntu 18.04 | https://ubuntu.com/security/CVE-2022-23990 / https://ubuntu.com/security/CVE-2016-1585 | - | colin.peters@fujitsu.com / inoue.reo@fujitsu.com | - | Medium | No | Approved
CVE-2022-25235 / CVE-2022-0318 | Robot basic architecture based on SSES / Smart Data Transaction for CPS | Ubuntu 20.04 / Ubuntu 18.04 | https://ubuntu.com/security/CVE-2022-25235 / https://ubuntu.com/security/CVE-2022-0318 | - | colin.peters@fujitsu.com / inoue.reo@fujitsu.com | - | High / Medium | No | Approved
CVE-2022-25236 / CVE-2022-3643 | Robot basic architecture based on SSES / Smart Data Transaction for CPS | Ubuntu 20.04 / Ubuntu 18.04 | https://ubuntu.com/security/CVE-2022-25236 / https://ubuntu.com/security/CVE-2022-3643 | - | colin.peters@fujitsu.com / inoue.reo@fujitsu.com | - | High / Medium | No | Approved
CVE-2022-25315 / CVE-2022-3649 | Robot basic architecture based on SSES / Smart Data Transaction for CPS | Ubuntu 20.04 / Ubuntu 18.04 | https://ubuntu.com/security/CVE-2022-25315 / https://ubuntu.com/security/CVE-2022-3649 | - | colin.peters@fujitsu.com / inoue.reo@fujitsu.com | - | Medium | No | Approved
CVE-2016-9180 / CVE-2022-44640 | Robot basic architecture based on SSES / IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Family | Ubuntu 20.04 / Ubuntu 18.04 | https://ubuntu.com/security/CVE-2016-9180 / https://ubuntu.com/security/CVE-2022-44640 | - / jin peng | inoue.reo@fujitsu.com / jinpeng@socnoc.ai | - | Medium / Low | No | Approved

CVE-2019-20433 | Robot basic architecture based on SSES | Ubuntu 18.04 | https://ubuntu.com/security/CVE-2019-20433 | - | inoue.reo@fujitsu.com | - | Low | No | Approved
CVE-2022-37434 | CFN (Computing Force Network) Ubiquitous Computing Force Scheduling - Akraino - Akraino Confluence | CentOS 7.6 | CVE-2022-37434 - Red Hat Customer Portal | - | dinghanyu@chinamobile.com, 13366022056@163.com | - | 9.8 | Not fixed in centos 7.x | Approved
CVE-2005-2541 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2005-2541 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2015-4042 | CFN (Computing Force Network) Ubiquitous Computing Force Scheduling - Akraino - Akraino Confluence | CentOS 7.6 | CVE-2015-4042 - Red Hat Customer Portal | hanyu ding | dinghanyu@chinamobile.com, 13366022056@163.com | - | 9.8 | Not fixed yet in centos 7.x | Approved
CVE-2014-2830 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2014-2830 | - | inoue.reo@fujitsu.com | - | High | No | Approved

CVE-2016-1585 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2016-1585 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2017-17479 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2017-17479 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2017-9117 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2017-9117 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2018-13410 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2018-13410 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2019-1010022 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2019-1010022 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2019-8341 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2019-8341 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2020-27619 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2020-27619 | - | inoue.reo@fujitsu.com | - | High | - | Approved
CVE-2021-29462 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-29462 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2021-29921 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-29921 | - | inoue.reo@fujitsu.com | - | High | Reported fixed in python3.9 (installed), but still reported by Vuls | Approved
CVE-2021-30473 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-30473 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2021-30474 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-30474 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2021-30475 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-30475 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2021-30498 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-30498 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2021-30499 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-30499 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2021-42377 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-42377 | - | inoue.reo@fujitsu.com | - | Medium | No | Approved
CVE-2021-45951 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45951 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2021-45952 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45952 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2021-45953 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45953 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2021-45954 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45954 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2021-45955 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45955 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2021-45956 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-45956 | - | inoue.reo@fujitsu.com | - | High | No | Approved
CVE-2022-23303 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2022-23303 | - | inoue.reo@fujitsu.com | - | Medium | No | Approved
CVE-2022-23304 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2022-23304 | - | inoue.reo@fujitsu.com | - | Medium | No | Approved
CVE-2021-4048 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-4048 | - | inoue.reo@fujitsu.com | - | Medium | No | Approved
CVE-2021-43400 | Robot basic architecture based on SSES | Raspberry Pi OS (Debian 11) | https://security-tracker.debian.org/tracker/CVE-2021-43400 | - | inoue.reo@fujitsu.com | - | Medium | No | Approved
CVE-2021-33574 | ICN | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-33574 | Kuralamudhan Ramakrishnan | kuralamudhan.ramakrishnan@intel.com | - | Low | No | Approved
CVE-2019-19814 | ICN | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2019-19814 | - | kuralamudhan.ramakrishnan@intel.com | - | Low | No | Approved

CVE-2021-35942 | ICN | Ubuntu 20.04 | https://ubuntu.com/security/CVE-2021-35942 | - | kuralamudhan.ramakrishnan@intel.com

Vendor status is "Released" and ICN is using the referenced glibc version; however, vuls is still reporting this. lsb_release -a; dpkg -l libc6 output:

Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.4 LTS
Release:	20.04
Codename:	focal
No LSB modules are available.
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version         Architecture Description
+++-==============-===============-============-=================================
ii  libc6:amd64    2.31-0ubuntu9.7 amd64        GNU C Library: Shared libraries
CVE-2021-35942 (cont.) | Low | Yes | Approved

KHV044 | ELIOT - IOT Gateway | - | - | - | khemendra.kumar@huawei.com

KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy.

Calico pod is running in privileged mode.

Exception Reason: Calico is deployed by manifest file and cannot be set to non-privileged mode.

Here is a link regarding the Calico privileged mode issue:
Replace Kubernetes privileged=true with more precise permissions

It seems that after a long time they have recently made an option to disable it, but only if Calico is deployed with the Calico Operator.
And there is a doc about non-privileged use of running Calico node, for the operator only.

In our ELIOT IOT Gateway BP, it is deployed by the calico.yaml file,
and with the manifest file they don't support disabling it.

So due to the Calico limitation and our upstream project's dependency on the calico.yaml manifest file, we cannot fix it.

In future, we can ask the upstream EdgeGallery community to use the Calico operator for deployment, and if they use the operator, then it will be possible to fix it in our BPs.

KHV044 (cont.) | Approved

KHV044 | EALTEdge - Enterprise application on 5G light weight telco edge | - | - | - | khemendra.kumar@huawei.com

KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy.

Calico pod is running in privileged mode.

Exception Reason: Calico is deployed by manifest file and cannot be set to non-privileged mode.

Here is a link regarding the Calico privileged mode issue:
Replace Kubernetes privileged=true with more precise permissions

It seems that after a long time they have recently made an option to disable it, but only if Calico is deployed with the Calico Operator.
And there is a doc about non-privileged use of running Calico node, for the operator only.

In our EALTEdge BP, it is deployed by the calico.yaml file,
and with the manifest file they don't support disabling it.

So due to the Calico limitation and our upstream project's dependency on the calico.yaml manifest file, we cannot fix it.

In future, we can ask the upstream EdgeGallery community to use the Calico operator for deployment, and if they use the operator, then it will be possible to fix it in our BPs.

KHV044 (cont.) | Approved

CAP_NET_RAW | EALTEdge - Enterprise application on 5G light weight telco edge | - | - | - | khemendra.kumar@huawei.com

CAP_NET_RAW Enabled
CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required, CAP_NET_RAW MUST be removed.
https://www.suse.com/c/demystifying-containers-part-iv-container-security/

For this BP, the exception was approved in the last release; please refer to the last release's exception list:

Release 5 Blueprint Scanning Status

CAP_NET_RAW (cont.) | Approved

CVE-2017-12194 | IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family | Ubuntu 18.04 | https://ubuntu.com/security/cve-2017-12194 | Ysemi | rd-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l libspice-server1:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================================-===============================-===============================-================================================================================================================
ii libspice-server1:arm64 0.14.0-1ubuntu2.1 arm64 Implements the server side of the SPICE protocol

CVE-2017-12194 (cont.) | Medium | No | Approved

CVE-2018-12892 | IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family | Ubuntu 18.04 | https://ubuntu.com/security/cve-2018-12892 | - | rd-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

sudo dpkg -l | grep xen

ii libxen-4.9:arm64 4.9.2-0ubuntu1 arm64 Public libs for Xen
ii libxen-dev:arm64 4.9.2-0ubuntu1 arm64 Public headers and libs for Xen
ii libxenstore3.0:arm64 4.9.2-0ubuntu1 arm64 Xenstore communications library for Xen

CVE-2018-12892 (cont.) | Medium | No | Approved

CVE-2019-17113 | IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family | Ubuntu 18.04 | https://ubuntu.com/security/cve-2019-17113 | Ysemi | rd-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

sudo dpkg -l libopenmpt-modplug1

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================================-===============================-===============================-================================================================================================================
ii libopenmpt-modplug1:arm64 0.3.6-1 arm64 module music library based on OpenMPT -- modplug compat library

CVE-2014-9939 | CFN (Computing Force Network) Ubiquitous Computing Force Scheduling - Akraino - Akraino Confluence | CentOS 7.6 | CVE-2014-9939 - Red Hat Customer Portal | hanyu ding | dinghanyu@chinamobile.com, 13366022056@163.com | - | 9.8 | Not fixed yet in centos 7.x | Approved
CVE-2019-17113 (cont.) | Medium | No | Approved

CVE-2019-19948 | IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family | Ubuntu 18.04 | https://ubuntu.com/security/cve-2019-19948 | - | rd-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l | grep magick

ii imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.12 all image manipulation programs -- infrastructure
ii libmagickcore-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 low-level image manipulation library -- quantum depth Q16
ii libmagickwand-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 image manipulation library -- quantum depth Q16

magick -version:

Version: ImageMagick 7.1.0-33 beta Q16-HDRI aarch64 a2b2c088f:20220430 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype lzma pangocairo png x xml zlib
Compiler: gcc (7.5)

CVE-2019-19948 (cont.) | Low | No | Approved

CVE-2019-19949 | IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family | Ubuntu 18.04 | https://ubuntu.com/security/cve-2019-19949 | Ysemi | rd-sw@ysemi.cn

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l | grep magick

ii imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.12 all image manipulation programs -- infrastructure
ii libmagickcore-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 low-level image manipulation library -- quantum depth Q16
ii libmagickwand-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 image manipulation library -- quantum depth Q16

magick -version:

Version: ImageMagick 7.1.0-33 beta Q16-HDRI aarch64 a2b2c088f:20220430 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype lzma pangocairo png x xml zlib
Compiler: gcc (7.5)

CVE-2019-19949 (cont.) | Low | No | Approved

KHV043 | EALTEdge - Enterprise application on 5G light weight telco edge | - | - | - | khemendra.kumar@huawei.com

Issue: KHV043 - Cluster Health Disclosure

Issue description:
The kubelet is leaking its health information, which may contain sensitive information, via the /healthz endpoint. This endpoint is exposed as part of the kubelet's debug handlers.
Suggested Remediation:
Disable the --enable-debugging-handlers kubelet flag.
Exception Reason:

With current analysis, the above solution to fix this issue is causing impact on basic commands.
For example, after disabling this flag, we cannot run the logs and exec commands for any container in the cluster, which users need in order to check their workload.

If the kubelet debug flags are disabled, then it is not possible to see the logs of any pods or to run exec commands.
So after disabling this flag, the kubectl "logs" and "exec" commands do not work.

Currently this issue cannot be fixed with the provided solution.
We request an exception for this issue for release 6.

KHV043 (cont.) | Approved

Note: Approved for incubation only

KHV043 | ELIOT - IOT Gateway | - | - | - | khemendra.kumar@huawei.com

Issue: KHV043 - Cluster Health Disclosure

Issue description:
The kubelet is leaking its health information, which may contain sensitive information, via the /healthz endpoint. This endpoint is exposed as part of the kubelet's debug handlers.
Suggested Remediation:
Disable the --enable-debugging-handlers kubelet flag.
Exception Reason:

With current analysis, the above solution to fix this issue is causing impact on basic commands.
For example, after disabling this flag, we cannot run the logs and exec commands for any container in the cluster, which users need in order to check their workload.

If the kubelet debug flags are disabled, then it is not possible to see the logs of any pods or to run exec commands.
So after disabling this flag, the kubectl "logs" and "exec" commands do not work.

Currently this issue cannot be fixed with the provided solution.
We request an exception for this issue for release 6.

KHV043 (cont.) | Approved

Note: Approved for incubation only