Prisma Twistlock Flagging 6 Containerd Vulnerabilities in Flatcar 3510.3.3 LTS

[justdan96]

Name: containerd

CVEs:
CVE-2022-1996
CVE-2023-27561
CVE-2024-21626
CVE-2023-47108
CVE-2023-44487

CVSSs:
CVE-2022-1996 = 9.1
CVE-2023-27561 = 7.0
CVE-2024-21626 = 8.6
CVE-2023-47108 = 7.5
CVE-2023-44487 = 5.3

Action Needed:
These have been flagged by Prisma Twistlock so will likely need some further analysis. If they are false positives that would be good news for us!

Summary:
We have been using Flatcar LTS Kubernetes nodes in our Lab environments. On these environments we are running the security DaemonSet Palo Alto Prisma Twistlock. From Prisma we can see the vulnerabilities flagged above. Here they are in a table format:

CVE ID	Severity	Package Version	Package Path	CVSS	Package URL
CVE-2022-1996	critical	v2.9.5	/run/torcx/unpack/docker/bin/containerd	9.1	pkg:golang/github.com/emicklei/go-restful@v2.9.5
CVE-2023-27561	high	v1.1.2	/run/torcx/unpack/docker/bin/containerd	7.0	pkg:golang/github.com/opencontainers/runc@v1.1.2
CVE-2024-21626	high	v1.1.2	/run/torcx/unpack/docker/bin/containerd	8.6	pkg:golang/github.com/opencontainers/runc@v1.1.2
CVE-2023-47108	high	v0.28.0	/run/torcx/unpack/docker/bin/containerd	7.5	pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.28.0
CVE-2023-44487	high	v0.0.0-20220722155237-a158d28d115b	/run/torcx/unpack/docker/bin/containerd	5.3	pkg:golang/golang.org/x/net@v0.0.0-20220722155237-a158d28d115b
CVE-2023-44487	high	v1.47.0	/run/torcx/unpack/docker/bin/containerd	5.3	pkg:golang/google.golang.org/grpc@v1.47.0

As you can see it delves into Golang dependencies so if these vulnerabilities have been incorrectly flagged then I can just take that information back to our internal security team.

refmap.gentoo: TBD

[tormath1]

Just mentioning what we said in the chat:

so I checked and it looks like, due to the critical aspect, that LTS 3510.3.2 has the runc update: https://www.flatcar.org/releases#release-3510.3.2
FWIW, you can update docker / containerd / runc using sysext image. I would be curious to see if your vulnerability scan show the same result after :

---
variant: flatcar
version: 1.1.0
storage:
  files:
    - path: /etc/extensions/docker.raw
      contents:
        source: https://github.com/flatcar/sysext-bakery/releases/download/latest/docker-24.0.9-x86-64.raw
    - path: /etc/systemd/system-generators/torcx-generator

[justdan96]

Some of this was discussed on Matrix but it was flagged that for CVE-2022-1996, as described in containerd/containerd#7117, the vulnerability only affects CORS which containerd does not use. The runc vulnerabilities CVE-2023-27561 and CVE-2024-21626 seem to affect runc itself and I haven't been able to find if it can affect specifically containerd. CVE-2023-47108 is for DoS with the opentelemetry-go library, and CVE-2023-44487 is a DoS when using HTTP/2. These last two we do not expect to cause any issues as containerd is not exposed for remote access and the attacks would require the attacker to already have access to the local machine.

Overall I think these are fine and we should be able to get exceptions for these detected vulnerabilities.