CVE-2020-25658 and python-rsa

[davidhay1969]

What happened (please include outputs or screenshots):

Security scanners such as Sonatype suggest that : -

It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

This ties up with CVE-2020-25658 which has been updated with: -

This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.

I think that kubernetes/python includes python-rsa ??

Looking at one of my environments via pipdeptree I see : -

...
kubernetes==26.1.0
  - certifi [required: >=14.05.14, installed: 2023.5.7]
  - google-auth [required: >=1.0.1, installed: 2.17.3]
    - cachetools [required: >=2.0.0,<6.0, installed: 5.3.0]
    - pyasn1-modules [required: >=0.2.1, installed: 0.2.1]
    - rsa [required: >=3.1.4,<5, installed: 4.9]
      - pyasn1 [required: >=0.1.3, installed: 0.4.2]
    - six [required: >=1.9.0, installed: 1.14.0]
  - python-dateutil [required: >=2.5.3, installed: 2.8.2]
    - six [required: >=1.5, installed: 1.14.0]
  - pyyaml [required: >=5.4.1, installed: 6.0]
  - requests [required: Any, installed: 2.22.0]
  - requests-oauthlib [required: Any, installed: 1.3.1]
    - oauthlib [required: >=3.0.0, installed: 3.1.0]
    - requests [required: >=2.0.0, installed: 2.22.0]
  - setuptools [required: >=21.0.0, installed: 67.7.2]
  - six [required: >=1.9.0, installed: 1.14.0]
  - urllib3 [required: >=1.24.2, installed: 1.25.8]
  - websocket-client [required: >=0.32.0,!=0.42.*,!=0.41.*,!=0.40.0, installed: 1.5.1]
...

and, from another environment, where I'd previously cloned this repo and run pip3 install -r requirements.txt, I see: -

pipdeptree

...
google-auth==2.17.3
  - cachetools [required: >=2.0.0,<6.0, installed: 5.3.0]
  - pyasn1-modules [required: >=0.2.1, installed: 0.2.1]
  - rsa [required: >=3.1.4,<5, installed: 4.9]
    - pyasn1 [required: >=0.1.3, installed: 0.4.8]
  - six [required: >=1.9.0, installed: 1.16.0]
...

There is an issue - CVE-2020-25658 - Bleichenbacher-style timing oracle in PKCS#1 v1.5 decryption code #165 - which is closed.

A few months back, the CVE etc. were updated to suggest that rsa:4.7 mitigates the issue; this appears to have changed, and the latest version - 4.9 - is being reported as being vulnerable.

Apologies if my understanding is incorrect 😢

IF kubernetes does make use of python-rsa, is there any plan to move away from this, given the potential of this vulnerability ?

Environment:

python3 --version

Python 3.8.10

pip --version

pip 23.1.2 from /usr/local/lib/python3.8/dist-packages/pip (python 3.8)

[roycaihw]

This library uses google-auth. It seems to me that the vulnerability needs to be fixed in google-auth

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.