Hello,
During a recent security scan, we identified multiple vulnerabilities related to OpenSSL in the MicroK8s Core20 snaps. These vulnerabilities are still present and have not been addressed in the latest release. Given the critical nature of OpenSSL in ensuring secure communications and overall system integrity, it is crucial to address these issues promptly.
Details:
- Vulnerabilities Identified: [ CVE-2016-2183, CVE-2020-1967, CVE-2021-23840, CVE-2021-3450, CVE-2021-3711, CVE-2021-3712, CVE-2022-0778, CVE-2022-1292, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-4807 ]
- Current Version Affected: [ MicroK8s 1.28 and Microk8s Core20 --edge snaps]
- Scanning Tool Used: [ Kenna ]
These 6 vulnerabilities have a CVSS score above 7, and the path in the environment where the vulnerabilities were found is listed below:
CVE-2022-1292 - Path : /snap/core20/2361/usr/bin/openssl
CVE-2023-0464 - Path : /snap/core20/2361/usr/bin/openssl
CVE-2022-4450 - Path : /snap/core20/2361/usr/bin/openssl
CVE-2023-0215 - Path : /snap/core20/2361/usr/bin/openssl
CVE-2020-1967 - Path : /snap/core20/2361/usr/bin/openssl
CVE-2022-0778 - Path : /snap/core20/2361/usr/bin/openssl
I also tried to remove the mentioned files from the environment, but the file can't be removed as it is used by microk8s.
These vulnerabilities can potentially be exploited, leading to unauthorized access, data breaches, and other security risks. It is important to maintain the security and trustworthiness of the MicroK8s environment.
Could you please provide information on the planned or ongoing solutions to address these OpenSSL vulnerabilities? If there are any workarounds or immediate steps that can be taken to mitigate these issues, please share them with the community.
Best regards,
Imalka
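Added example, not part of the original post and not code from the MicroK8s project: a small Python triage helper for scanner findings of the kind quoted above. It assumes the finding-line format shown in the post (`CVE-ID - Path : /snap/<snap>/<revision>/...`), snapd's standard mount layout under `/snap/<name>/<revision>/`, and that the operator supplies the currently active revision of each snap (for example from `snap list`). The sample findings are constructed from the lines in the post. The point it makes is a defender's one: a file under `/snap/<name>/<rev>/` lives on a read-only squashfs mount, so deleting it is not an option; the fix either arrives with a refreshed base snap or, if the flagged revision is an older retained one, the finding concerns a revision that is no longer active.

```python
import re
from collections import defaultdict

# Constructed sample: finding lines in the format quoted in the post.
SAMPLE_FINDINGS = """\
CVE-2022-1292 - Path : /snap/core20/2361/usr/bin/openssl
CVE-2023-0464 - Path : /snap/core20/2361/usr/bin/openssl
CVE-2022-4450 - Path : /snap/core20/2361/usr/bin/openssl
CVE-2023-0215 - Path : /snap/core20/2361/usr/bin/openssl
CVE-2020-1967 - Path : /snap/core20/2361/usr/bin/openssl
CVE-2022-0778 - Path : /snap/core20/2361/usr/bin/openssl
"""

FINDING_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*-\s*Path\s*:\s*(\S+)\s*$")
# snapd mounts every installed revision at /snap/<name>/<revision>/ (read-only squashfs).
SNAP_PATH_RE = re.compile(r"^/snap/([^/]+)/(\d+)/(.+)$")

# Status codes and the remediation each one implies (assumed wording, not scanner output).
STATUS_ADVICE = {
    "active": "flagged file is in the active base snap revision; it is on a read-only "
              "squashfs and cannot be deleted, the fix comes with a refreshed base snap",
    "retained": "flagged revision is older than the active one; it is a retained, "
                "unused revision and can be dropped rather than patched",
    "newer": "flagged revision is newer than the supplied active one; re-check `snap list --all`",
    "unknown-snap": "snap name not among the supplied active revisions; verify the scan target",
    "host-package": "path is outside /snap; remediate through the host package manager",
}


def parse_findings(text):
    """Return a list of (cve, path) tuples; lines that do not match the format are skipped."""
    found = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def split_snap_path(path):
    """Split /snap/<name>/<rev>/<relative> into (name, rev, relative), or None if not a snap path."""
    m = SNAP_PATH_RE.match(path)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def triage(findings, active_revisions):
    """Group CVEs by (snap, revision, relative file) and classify each group.

    active_revisions maps snap name -> active revision number, e.g. {"core20": 2361}
    as read from `snap list` (supplied by the operator, not read here).
    Returns {(snap, rev, relative): {"cves": [...], "status": code}}.
    """
    groups = defaultdict(list)
    for cve, path in findings:
        parts = split_snap_path(path)
        key = parts if parts else ("<host>", 0, path)
        groups[key].append(cve)

    report = {}
    for (snap, rev, rel), cves in groups.items():
        if snap == "<host>":
            status = "host-package"
        elif snap not in active_revisions:
            status = "unknown-snap"
        elif rev < active_revisions[snap]:
            status = "retained"
        elif rev == active_revisions[snap]:
            status = "active"
        else:
            status = "newer"
        report[(snap, rev, rel)] = {"cves": sorted(set(cves)), "status": status}
    return report


if __name__ == "__main__":
    # Constructed active revision for the demonstration; take the real one from `snap list`.
    for (snap, rev, rel), info in triage(parse_findings(SAMPLE_FINDINGS), {"core20": 2361}).items():
        print(f"{snap} r{rev} {rel}: {len(info['cves'])} CVEs, status={info['status']}")
        print("  ->", STATUS_ADVICE[info["status"]])
```

Run it against the real scanner export and the active revisions from `snap list`; a `retained` result means the scanner is reading an old revision that snapd keeps on disk, while `active` means the only route is a newer base snap, which is exactly the situation the post describes.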