CVE-2016-1585

inoue.reo@fujitsu.com

CVE-2017-18201

inoue.reo@fujitsu.com

CVE-2017-7827

inoue.reo@fujitsu.com

CVE-2018-5090

Reported fixed in 58 and later version (installed), but still reported by Vuls

CVE-2018-5126

Reported fixed in 58 and later version (installed), but still reported by Vuls

CVE-2018-5145

Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls

CVE-2018-5151

Reported fixed in 60 and later version (installed), but still reported by Vuls

CVE-2019-17041

CVE-2019-17042

CVE-2021-31870

CVE-2021-31872

CVE-2021-31873

CVE-2021-39713

CVE-2022-23852

CVE-2022-23990

CVE-2022-25235

CVE-2022-25236

CVE-2022-25315

CVE-2016-9180

CVE-2019-20433

CVE-2005-2541

CVE-2014-2830

CVE-2016-1585

CVE-2017-17479

CVE-2017-9117

CVE-2018-13410

CVE-2019-1010022

CVE-2019-8341

CVE-2020-27619

CVE-2021-29462

CVE-2021-29921

CVE-2021-30473

CVE-2021-30474

CVE-2021-30475

CVE-2021-30498

CVE-2021-30499

CVE-2021-42377

CVE-2021-45951

CVE-2021-45952

CVE-2021-45953

CVE-2021-45954

CVE-2021-45955

CVE-2021-45956

CVE-2022-23303

CVE-2022-23304

CVE-2021-4048

CVE-2021-43400

CVE-2021-35942

Vendor status is "Released" and ICN is using the referenced glibc version, however vuls is still reporting this.  lsb_release -a; dpkg -l libc6 output:

Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.4 LTS
Release:	20.04
Codename:	focal
No LSB modules are available.
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version         Architecture Description
+++-==============-===============-============-=================================
ii  libc6:amd64    2.31-0ubuntu9.7 amd64        GNU C Library: Shared libraries

KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy.

Calico pod is running in privileged Mode. 

Exception Reason: Calico deployed by manifest file, can not be set to non privileged mode.

Here is a link regarding the Calico Privilege Mode issue.
“Replace Kubernetes privileged=true with more precise permissions”

It seems after long time they have make option to disable recently but only if calico deployed with Calic Operator.
And there is a doc about non-priviledged use of running Calico node for operator only.

In our ELIOT IOT Gateway BP, it is deployed by calico.yaml file.
and with manifest file, they don't support to disable it.

So due to Calico limitation, and our ustream project dependency on calico.yaml manifest file, we can not fix it.

IN future, we can ask the upstream EdgeGallery community to use calico operator for deployment and if they use operator, then it will be able to fix in our BPs,

KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy.

Calico pod is running in privileged Mode. 

Exception Reason: Calico deployed by manifest file, can not be set to non privileged mode.

Here is a link regarding the Calico Privilege Mode issue.
“Replace Kubernetes privileged=true with more precise permissions”

It seems after long time they have make option to disable recently but only if calico deployed with Calic Operator.
And there is a doc about non-priviledged use of running Calico node for operator only.

In our EALTEdge BP, it is deployed by calico.yaml file.
and with manifest file, they don't support to disable it.

So due to Calico limitation, and our ustream project dependency on calico.yaml manifest file, we can not fix it.

IN future, we can ask the upstream EdgeGallery community to use calico operator for deployment and if they use operator, then it will be able to fix in our BPs,

CAP_NET_RAW Enabled
CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required CAP_NET_RAW MUST be removed.
https://www.suse.com/c/demystifying-containers-part-iv-container-security/

For this BP, execption is approved in last release. plz refer last release exeception list

Release 5 Blueprint Scanning Status

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l libspice-server1:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================================-===============================-===============================-================================================================================================================
ii libspice-server1:arm64 0.14.0-1ubuntu2.1 arm64 Implements the server side of the SPICE protocol

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

sudo dpkg -l | grep xen

ii libxen-4.9:arm64 4.9.2-0ubuntu1 arm64 Public libs for Xen
ii libxen-dev:arm64 4.9.2-0ubuntu1 arm64 Public headers and libs for Xen
ii libxenstore3.0:arm64 4.9.2-0ubuntu1 arm64 Xenstore communications library for Xen

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

sudo dpkg -l libopenmpt-modplug1

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================================-===============================-===============================-================================================================================================================
ii libopenmpt-modplug1:arm64 0.3.6-1 arm64 module music library based on OpenMPT -- modplug compat library

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l | grep magick

ii imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.12 all image manipulation programs -- infrastructure
ii libmagickcore-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 low-level image manipulation library -- quantum depth Q16
ii libmagickwand-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 image manipulation library -- quantum depth Q16

magick -version:

Version: ImageMagick 7.1.0-33 beta Q16-HDRI aarch64 a2b2c088f:20220430 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype lzma pangocairo png x xml zlib
Compiler: gcc (7.5)

lsb_release -a :

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

dpkg -l | grep magick

ii imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.12 all image manipulation programs -- infrastructure
ii libmagickcore-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 low-level image manipulation library -- quantum depth Q16
ii libmagickwand-6.q16-3:arm64 8:6.9.7.4+dfsg-16ubuntu6.12 arm64 image manipulation library -- quantum depth Q16

magick -version:

Version: ImageMagick 7.1.0-33 beta Q16-HDRI aarch64 a2b2c088f:20220430 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype lzma pangocairo png x xml zlib
Compiler: gcc (7.5)

Issue: KHV043 - Cluster Health Disclosure

Issue description:

 The kubelet is leaking it’s health information, which may contain sensitive information, via the /healthz endpoint. This endpoint is exposed as part of the kubelet’s debug handlers.

Suggested Remediation: 

Disable --enable-debugging-handlers kubelet flag.

Exception Reason:

With current analysis, the above solution to fix this issue is causing impact on basic commands. 
Like after disabling this flag, we can not do logs and exec cmd for any container in the cluster, which is required for users to check their workload.

if disable kubelet debug flags, then it is not possible to see the logs of any pods Or do exec cmds.
So after disabling this flag, kubectl "logs" & "exec" cmd is not working.

Currently this issue can not be fixed with the provided solution. 
We request an exception for this issue for release 6.

Approved

Note: Approved for incubation only

Issue: KHV043 - Cluster Health Disclosure

Issue description:

 The kubelet is leaking it’s health information, which may contain sensitive information, via the /healthz endpoint. This endpoint is exposed as part of the kubelet’s debug handlers.

Suggested Remediation: 

Disable --enable-debugging-handlers kubelet flag.

Exception Reason:

With current analysis, the above solution to fix this issue is causing impact on basic commands. 
Like after disabling this flag, we can not do logs and exec cmd for any container in the cluster, which is required for users to check their workload.

if disable kubelet debug flags, then it is not possible to see the logs of any pods Or do exec cmds.
So after disabling this flag, kubectl "logs" & "exec" cmd is not working.

Currently this issue can not be fixed with the provided solution. 
We request an exception for this issue for release 6.

Approved

Note: Approved for incubation only