
TLS and Cipher vulnerabilities reported in seldon webhook #4923

Open
chidambaranathan-r opened this issue Jun 16, 2023 · 4 comments

@chidambaranathan-r

Describe the bug

We found the vulnerabilities below while scanning Seldon Core 1.16.0 deployed on Kubernetes 1.24.x using Tenable-SC.

Issue 1:

TLS version 1.0 and 1.1 protocol detection in webhook port of seldon

Plugin ID: 104743
Plugin Output: TLSv1 is enabled and the server supports at least one cipher.

Plugin ID: 121010
Plugin Output: TLSv1.1 is enabled and the server supports at least one cipher.

Issue 2:

SSL Medium strength cipher suites supported (SWEET32) in webhook port of seldon

Plugin ID: 42873
Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                    Code        KEX   Auth  Encryption     MAC
----------------------  ----------  ----  ----  -------------  ----
ECDHE-RSA-DES-CBC3-SHA  0xC0, 0x12  ECDH  RSA   3DES-CBC(168)  SHA1
DES-CBC3-SHA            0x00, 0x0A  RSA   RSA   3DES-CBC(168)  SHA1

The fields above are:
{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

We looked at the seldon core operator code and could not find any configuration to set the minimum TLS version.
Could you please guide us on the above so that we can set the minimum TLS version >=1.2?

To reproduce

  1. Install seldon core
  2. Scan with Tenable-SC tool or any other tool that can detect TLS version anomalies.

Expected behaviour

There should be a configuration option that allows configuring the minimum TLS version and the cipher suites.

Environment

K8s 1.24

@ukclivecox
Contributor

The certificate for webhooks is generated via the genCA function in Helm (see here), which itself uses the Sprig library.

We would recommend asking for updates via these contributors, but for production settings you should use tools such as certManager, which can generate the required Secret.

@ramanNarasimhan77

ramanNarasimhan77 commented Jun 19, 2023

@cliveseldon
Our understanding is that this is related to the configuration of TLSOpts for the Seldon webhook and not to how the certificate is generated.

See TLSOpts.

If nothing is set, then it defaults to TLS 1.0.
Flow of control: Server start calls tlsVersion.

@ukclivecox ukclivecox reopened this Jun 19, 2023
@ukclivecox ukclivecox added the v1 label Jun 19, 2023
@ukclivecox
Contributor

Options to set this are exposed by this PR in controller-runtime.
This became available in 0.13.1 of controller-runtime, so we would need to upgrade to this version and expose env var/command-line args to allow these values to be set.

@ukclivecox ukclivecox removed the bug label Jun 19, 2023
@ukclivecox ukclivecox added this to To do in 1.17.0 via automation Jun 20, 2023
@ukclivecox ukclivecox self-assigned this Jun 20, 2023
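What the thread is converging on, as an added example (this is not Seldon Core's or controller-runtime's own code): a `func(*tls.Config)` option in the shape controller-runtime's `TLSOpts` accept, setting a TLS 1.2 floor and AEAD-only TLS 1.2 suites, next to a loopback probe that reproduces the three Tenable checks from the report (TLS 1.0, TLS 1.1, a 3DES-only client) against a server that applies the option. Assumptions: `LegacyTLS` is a stand-in written here that deliberately re-enables TLS 1.0 and the 0xC012 suite so the findings can be reproduced in a test, and is not a reproduction of controller-runtime's real default; the certificate and the host name `seldon-webhook.test` are constructed for the example; only Go's standard library is used, over a loopback TCP socket.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

const testHost = "seldon-webhook.test" // constructed name for the throwaway cert; nothing real is reached

// LegacyTLS is a stand-in written for this example that re-creates the scanned posture (TLS 1.0
// offered, 3DES suite 0xC012 ECDHE-RSA-DES-CBC3-SHA listed); it is not controller-runtime's default.
func LegacyTLS(cfg *tls.Config) {
	cfg.MinVersion = tls.VersionTLS10
	cfg.CipherSuites = []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,  // reachable by TLS 1.0/1.1 clients
		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // SWEET32 (plugin 42873)
	}
}

// HardenTLS is the option the issue asks for, in the func(*tls.Config) shape controller-runtime's
// TLSOpts take: TLS 1.2 floor and AEAD-only TLS 1.2 suites (Go fixes the TLS 1.3 suites itself).
func HardenTLS(cfg *tls.Config) {
	cfg.MinVersion = tls.VersionTLS12
	cfg.CipherSuites = []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	}
}

// Finding is what a scanner would report against one server configuration.
type Finding struct {
	AcceptsTLS10  bool   // plugin 104743
	AcceptsTLS11  bool   // plugin 121010
	Suite3DES     uint16 // suite negotiated by a 3DES-only TLS 1.2 client, 0 if refused
	ModernVersion uint16 // version negotiated by a client with Go defaults (TLS 1.2+), 0 if refused
}

// Probe applies opts to a base config the way TLSOpts are applied (each mutates the same
// *tls.Config in turn), then runs the three legacy probes and one modern client against it.
func Probe(cert tls.Certificate, roots *x509.CertPool, opts ...func(*tls.Config)) Finding {
	server := &tls.Config{Certificates: []tls.Certificate{cert}}
	for _, o := range opts {
		o(server)
	}
	_, e10 := handshake(server, roots, tls.VersionTLS10, tls.VersionTLS10, nil)
	_, e11 := handshake(server, roots, tls.VersionTLS11, tls.VersionTLS11, nil)
	st3, _ := handshake(server, roots, tls.VersionTLS12, tls.VersionTLS12, []uint16{tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA})
	stM, _ := handshake(server, roots, 0, 0, nil) // Go client defaults: TLS 1.2+, no CBC or 3DES
	return Finding{AcceptsTLS10: e10 == nil, AcceptsTLS11: e11 == nil, Suite3DES: st3.CipherSuite, ModernVersion: stM.Version}
}

// handshake dials server over a loopback TCP socket with a client pinned to the given version
// range and suites. A refusal surfaces as the Dial error (carrying the server's alert) and a zero ConnectionState.
func handshake(server *tls.Config, roots *x509.CertPool, minV, maxV uint16, suites []uint16) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() { // server side: accept one connection and run its handshake
		if raw, err := ln.Accept(); err == nil {
			defer raw.Close()
			tls.Server(raw, server).Handshake()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: testHost, MinVersion: minV, MaxVersion: maxV, CipherSuites: suites})
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	return conn.ConnectionState(), nil
}

// SelfSignedCert builds an in-memory RSA certificate for testHost (RSA so the ECDHE-RSA 3DES
// suite from the report is reachable) and a pool that trusts it; it panics if generation fails.
func SelfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{testHost}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // produced just above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

func main() {
	cert, pool := SelfSignedCert()
	fmt.Printf("legacy:   %+v\nhardened: %+v\n", Probe(cert, pool, LegacyTLS), Probe(cert, pool, HardenTLS))
}
```

In an operator, `HardenTLS` is the kind of value that would go into the `TLSOpts` slice the thread links to; the base config the webhook server builds is passed through each option in order, so a later option can still override an earlier one. The Kubernetes API server, which is the only intended client of a webhook, speaks TLS 1.2+ with AEAD suites, so the floor costs nothing there. After the change, the same three checks can be repeated from outside without a scanner with `openssl s_client -tls1 -connect host:port` and `openssl s_client -tls1_1 -connect host:port`, both of which should now fail.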
@chidambaranathan-r
Author

@cliveseldon
Actually, this is added as "To do" for 1.17.0.
Any plans to consider this in upcoming releases?
