Insecure 3DES cipher suites are enabled, which may allow exploitation of the Sweet32 vulnerability. Specifically, the cipher suites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) and TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) are allowed. See CVE-2016-2183. This is fixed in Kyverno v1.9.5 and v1.10.0, and no known users have been affected.
The cipher suites offered by affected versions can be listed with nmap from a pod in the `kyverno` namespace:

```text
$ kubectl exec -it mypod -n kyverno sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
```

Then, inside the pod, run **`nmap -sV --script ssl-enum-ciphers -p 443 kyverno-cleanup-controller`** or **`nmap -sV --script ssl-enum-ciphers -p 443 kyverno-svc`**. The output for the cleanup controller follows; the two 3DES suites are the ones graded C:
```text
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-26 10:55 UTC
Nmap scan report for kyverno-cleanup-controller (10.103.199.233)
Host is up (0.000058s latency).
rDNS record for 10.103.199.233: kyverno-cleanup-controller.kyverno.svc.cluster.local

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.72 seconds
```
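The scan above is the detection side. As an added example that is not Kyverno's own code, the Go program below shows the mitigation side for a Go `net/http` server like the one nmap identified: a `crypto/tls` configuration that drops the 3DES suites, plus a check that flags any 3DES suite in a configured list (the helper names `secureSuites`, `sweet32Suites` and `hardenedConfig` are assumptions).

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// secureSuites returns the TLS 1.2 suite IDs Go implements and considers
// secure, minus any 3DES suite. Filtering by name keeps the result the same
// regardless of which Go release first moved 3DES into InsecureCipherSuites.
func secureSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if !strings.Contains(cs.Name, "3DES") {
			ids = append(ids, cs.ID)
		}
	}
	return ids
}

// sweet32Suites reports which suites in a configured list use 3DES, the
// 64-bit block cipher behind SWEET32 (CVE-2016-2183). tls.CipherSuiteName
// resolves both secure and insecure suite IDs.
func sweet32Suites(ids []uint16) []string {
	var bad []string
	for _, id := range ids {
		if name := tls.CipherSuiteName(id); strings.Contains(name, "3DES") {
			bad = append(bad, name)
		}
	}
	return bad
}

// hardenedConfig is the server-side tls.Config a defender would set.
// CipherSuites only governs TLS 1.2; Go fixes the TLS 1.3 suites itself and
// none of them is 3DES, matching the clean TLSv1.3 section of the scan above.
func hardenedConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: secureSuites()}
}

func main() {
	// Constructed list reproducing the two grade-C suites from the scan above.
	legacy := []uint16{tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}
	fmt.Println("legacy list offers:", sweet32Suites(legacy))
	fmt.Println("hardened list offers:", sweet32Suites(hardenedConfig().CipherSuites))
}
```

Pass `hardenedConfig()` as the `TLSConfig` of the `http.Server`, then re-run the nmap scan: the TLSv1.2 section should no longer list either 3DES suite or the SWEET32 warning.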
Severity: MODERATE. GitHub reviewed: 2023-05-30T20:07:06Z.