CVE-2023-42282 vulnerability in summerwind/actions-runner:latest image Node16 NPM #3756

Open
7 tasks done
davidjoliver86 opened this issue Sep 19, 2024 · 1 comment
Labels
bug Something isn't working community Community contribution needs triage Requires review from the maintainers

Comments

@davidjoliver86
Controller Version

0.27.4

Helm Chart Version

0.23.3

CertManager Version

No response

Deployment Method

ArgoCD

cert-manager installation

Yes to all

Checks

  • This isn't a question or user support case (for Q&A and community support, go to Discussions; it might also be a good idea to contract with any of the contributors and maintainers if your business is critical enough that you need priority support)
  • I've read the release notes before submitting this issue and I'm sure it's not due to any recently introduced backward-incompatible changes
  • My actions-runner-controller version (v0.x.y) does support the feature
  • I've already upgraded ARC (including the CRDs, see charts/actions-runner-controller/docs/UPGRADING.md for details) to the latest and it didn't fix the issue
  • I've migrated to the workflow job webhook event (if you are using webhook-driven scaling)

Resource Definitions

apiVersion: actions.summerwind.dev/v1alpha1
kind: RunnerDeployment
metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
    argocd.argoproj.io/sync-wave: "2"
  labels:
    argocd.argoproj.io/instance: github-actions-runner-controller
  name: default-runners
  namespace: actions-runner-system
spec:
  effectiveTime: null
  replicas: 1
  selector: null
  template:
    metadata: {}
    spec:
      dockerdContainerResources: {}
      image: ""
      labels:
      - <REDACTED>
      repository: <REDACTED>
      resources:
        limits:
          cpu: "2"
          memory: 5G
status:
  availableReplicas: 1
  desiredReplicas: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

To Reproduce

Deploy a pod with the current summerwind/actions-runner:latest image and run an AWS Inspector scan.

Describe the bug

We run several RunnerDeployment instances across our EKS clusters. AWS Inspector has identified that the current summerwind/actions-runner:latest image (digest 2b12329ec3fbec1ebfae20acdf23c245b3111da89e34fb220af60d255f88a574) is susceptible to CVE-2023-42282. The offending ip package is located in /runnertmp/externalstmp/node16/lib/node_modules/npm/node_modules/ip.

It does appear though that NPM for the node16 distribution can be upgraded up to 9.9.0, which deprecates the ip package entirely.

"packageVulnerabilityDetails": {
    "vulnerabilityId": "CVE-2023-42282",
    "vulnerablePackages": [
      {
        "name": "ip",
        "version": "2.0.0",
        "epoch": 0,
        "packageManager": "NODEPKG",
        "filePath": "vol-0116bc6e09c6e7a4d:/p1:var/lib/kubelet/pods/965ff9d8-b953-4d50-9a92-dca548bc9c35/volumes/kubernetes.io~empty-dir/runner/externals/node16/lib/node_modules/npm/node_modules/ip/package.json",
        "fixedInVersion": "2.0.1"
      }
    ],
    "source": "NVD",
    "cvss": [
      {
        "baseScore": 9.8,
        "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1",
        "source": "NVD"
      }
    ],
    "relatedVulnerabilities": [],
    "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282",
    "vendorSeverity": "CRITICAL",
    "vendorCreatedAt": "2024-02-08T17:15:10.000Z",
    "vendorUpdatedAt": "2024-07-03T22:15:02.000Z",
    "referenceUrls": [
      "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html"
    ]
  }

Describe the expected behavior

Expected no critical vulnerabilities in the latest image.

Whole Controller Logs

This is a bug report of a security vulnerability baked into the image.

Whole Runner Pod Logs

This is a bug report of a security vulnerability baked into the image.

Additional Context

No response

@davidjoliver86 davidjoliver86 added bug Something isn't working community Community contribution needs triage Requires review from the maintainers labels Sep 19, 2024
Contributor

Hello! Thank you for filing an issue.

The maintainers will triage your issue shortly.

In the meantime, please take a look at the troubleshooting guide for bug reports.

If this is a feature request, please review our contribution guidelines.

No branches or pull requests

1 participant