Describe the bug
We found the vulnerabilities below while scanning Seldon Core 1.16.0 deployed on Kubernetes 1.24.X using Tenable-SC.
Issue 1:
TLS version 1.0 and 1.1 protocol detection on the webhook port of Seldon
Plugin ID: 104743
Plugin Output: TLSv1 is enabled and the server supports at least one cipher.
Plugin ID: 121010
Plugin Output: TLSv1.1 is enabled and the server supports at least one cipher.
Issue 2:
SSL medium strength cipher suites supported (SWEET32) on the webhook port of Seldon
Plugin ID: 42873
Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
| Name | Code | KEX | Auth | Encryption | MAC |
|---|---|---|---|---|---|
| ECDHE-RSA-DES-CBC3-SHA | 0xC0, 0x12 | ECDH | RSA | 3DES-CBC(168) | SHA1 |
| DES-CBC3-SHA | 0x00, 0x0A | RSA | RSA | 3DES-CBC(168) | SHA1 |
The fields above are:
{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}
We looked at the seldon core operator code and could not find any configuration to set the minimum TLS version.
Could you please guide us on the above so that we can set the minimum TLS version >=1.2?
To reproduce
Install seldon core
Scan with Tenable-SC tool or any other tool that can detect TLS version anomalies.
Expected behaviour
There should be a configuration option that allows configuring the minimum TLS version and the cipher suites.
Environment
K8s 1.24
The certificate for webhooks is generated via the genCA function in Helm ( see here ) which itself uses the Sprig library.
We would recommend asking for updates via these contributors, but for production settings you should use tools such as cert-manager, which can generate the required Secret.
Options to set this are exposed by this PR in controller-runtime.
This became available in 0.13.1 of controller-runtime, so we would need to upgrade to this version and expose env var/command-line args to allow these values to be set.
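The TLS options that the controller-runtime change above exposes are callbacks of the form `func(*tls.Config)`. The Go program below is an added example (not Seldon's or controller-runtime's own code): `HardenTLS` is a callback of that shape that raises `MinVersion` to TLS 1.2 and pins an AEAD-only suite list, which drops both 3DES suites from the scanner output (0x00,0x0A and 0xC0,0x12); `Handshake` reproduces what the TLSv1/TLSv1.1 plugin probes, as an in-memory handshake against a legacy server and against the same server after hardening; `Weak3DESSuites` is the check to run over the resulting config. It assumes the callback is wired into the webhook server's `TLSOpts` field in the operator (assumed; the exact field location depends on the controller-runtime version), which is not shown, and the self-signed certificate with the name `webhook.fixture.invalid` is a constructed test fixture.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// HardenTLS has the func(*tls.Config) shape that controller-runtime >= 0.13.1
// accepts as a TLS option; wiring it into the webhook server is assumed, not shown.
// It refuses TLS 1.0/1.1 and pins AEAD suites, so neither SWEET32 suite
// (0x000A DES-CBC3-SHA, 0xC012 ECDHE-RSA-DES-CBC3-SHA) can be negotiated.
func HardenTLS(cfg *tls.Config) {
	cfg.MinVersion = tls.VersionTLS12
	cfg.CipherSuites = []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	}
}

// Weak3DESSuites returns the scanner-flagged 3DES suites still present in the
// explicit CipherSuites list. An unset list means Go's defaults, which this
// check deliberately does not inspect: a hardened config should set the list.
func Weak3DESSuites(cfg *tls.Config) []string {
	flagged := map[uint16]string{
		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:       "DES-CBC3-SHA",
		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: "ECDHE-RSA-DES-CBC3-SHA",
	}
	var out []string
	for _, id := range cfg.CipherSuites {
		if name, ok := flagged[id]; ok {
			out = append(out, name)
		}
	}
	return out
}

// ServerConfig builds a server that reproduces the findings (TLS 1.0 allowed,
// both 3DES suites offered, plus one suite the ECDSA fixture can negotiate)
// and, when hardened is true, applies HardenTLS to it. The self-signed ECDSA
// certificate is a throwaway fixture; a real webhook should use a cert-manager Secret.
func ServerConfig(hardened bool) (*tls.Config, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "webhook.fixture.invalid"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
		},
	}
	if hardened {
		HardenTLS(cfg)
	}
	return cfg, nil
}

// Handshake runs one in-memory handshake from a client pinned to the version
// range [clientMin, clientMax], which is what a TLSv1/TLSv1.1 probe boils down
// to. A nil error means the server accepted a version in that range.
func Handshake(serverCfg *tls.Config, clientMin, clientMax uint16) error {
	srvConn, cliConn := net.Pipe()
	srvErr := make(chan error, 1)
	go func() {
		err := tls.Server(srvConn, serverCfg).Handshake()
		srvConn.Close()
		srvErr <- err
	}()
	cli := tls.Client(cliConn, &tls.Config{
		InsecureSkipVerify: true, // fixture cert; only version/suite negotiation is under test
		MinVersion:         clientMin,
		MaxVersion:         clientMax,
	})
	cliErr := cli.Handshake()
	cliConn.Close()
	if cliErr != nil {
		return cliErr
	}
	return <-srvErr
}
```

Calling `Handshake(cfg, tls.VersionTLS10, tls.VersionTLS11)` returns nil for the legacy config and a protocol-version error for the hardened one, while a TLS 1.2 client still connects to the hardened server; `Weak3DESSuites` goes from two entries to none. Keeping the suite list explicit matters beyond 3DES: it is the only way the check can confirm what the listener offers without depending on the Go toolchain's default list.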