Merge pull request alibaba#394 from hhyasdf/improve/fix-CVE-2016-2183

improve: fix CVE-2016-2183
hhyasdf · Jul 3, 2023 · ede9c3c · ede9c3c
1 parent 7feb6b8
commit ede9c3c
Show file tree

Hide file tree

Showing 3 changed files with 283 additions and 140 deletions.
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -17,8 +17,10 @@
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"os"
+	"strings"
 
 	kubevirtv1 "kubevirt.io/api/core/v1"
 
@@ -71,12 +73,20 @@ func main() {
 	var entryLog = ctrllog.Log.WithName("entry")
 	entryLog.Info("starting hybridnet webhook", "known-features", feature.KnownFeatures(), "commit-id", gitCommit)
 
+	tlsCfgFunc := func(cfg *tls.Config) {
+		cfg.CipherSuites = cipherOrder()
+		cfg.MinVersion = tls.VersionTLS12
+	}
+
 	// create manager
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:             scheme,
 		LeaderElection:     false,
 		Port:               port,
 		MetricsBindAddress: metricsBindAddress,
+		TLSOpts: []func(*tls.Config){
+			tlsCfgFunc,
+		},
 	})
 	if err != nil {
 		entryLog.Error(err, "unable to start manager")
@@ -96,3 +106,46 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+// Disable insecure cipher suites for CVE-2016-2183
+// cipherOrder returns an ordered list of Ciphers that are considered secure
+// Deprecated ciphers are not returned.
+func cipherOrder() []uint16 {
+	var first []uint16
+	var second []uint16
+
+	allowable := func(c *tls.CipherSuite) bool {
+		// Disallow block ciphers using straight SHA1
+		// See: https://tools.ietf.org/html/rfc7540#appendix-A
+		if strings.HasSuffix(c.Name, "CBC_SHA") {
+			return false
+		}
+		// 3DES is considered insecure
+		if strings.Contains(c.Name, "3DES") {
+			return false
+		}
+		return true
+	}
+
+	for _, c := range tls.CipherSuites() {
+		for _, v := range c.SupportedVersions {
+			if v == tls.VersionTLS13 {
+				first = append(first, c.ID)
+			}
+			if v == tls.VersionTLS12 && allowable(c) {
+				inFirst := false
+				for _, id := range first {
+					if c.ID == id {
+						inFirst = true
+						break
+					}
+				}
+				if !inFirst {
+					second = append(second, c.ID)
+				}
+			}
+		}
+	}
+
+	return append(first, second...)
+}
diff --git a/go.mod b/go.mod
@@ -19,7 +19,7 @@ require (
 	github.com/onsi/gomega v1.19.0
 	github.com/osrg/gobgp/v3 v3.11.0
 	github.com/parnurzeal/gorequest v0.2.16
-	github.com/prometheus/client_golang v1.12.1
+	github.com/prometheus/client_golang v1.12.2
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.1
@@ -28,43 +28,53 @@ require (
 	golang.org/x/sys v0.3.0
 	golang.org/x/time v0.0.0-20220609170525-579cf78fd858
 	google.golang.org/protobuf v1.28.1
-	k8s.io/api v0.23.6
-	k8s.io/apimachinery v0.23.6
-	k8s.io/apiserver v0.23.6
-	k8s.io/client-go v0.23.6
-	k8s.io/component-base v0.23.6
+	k8s.io/api v0.25.0
+	k8s.io/apimachinery v0.25.0
+	k8s.io/apiserver v0.25.0
+	k8s.io/client-go v0.25.0
+	k8s.io/component-base v0.25.0
 	k8s.io/kubernetes v0.0.0-00010101000000-000000000000
-	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
+	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed
 	kubevirt.io/api v0.54.0
 	sigs.k8s.io/controller-runtime v0.0.0-00010101000000-000000000000
 )
 
 require (
+	github.com/PuerkitoBio/purell v1.1.1 // indirect
+	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
 	github.com/eapache/channels v1.1.0 // indirect
 	github.com/eapache/queue v1.1.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/go-logr/zapr v1.2.0 // indirect
+	github.com/go-logr/zapr v1.2.3 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.19.6 // indirect
+	github.com/go-openapi/swag v0.21.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/k-sone/critbitgo v1.4.0 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/openshift/custom-resource-status v1.1.2 // indirect
 	github.com/pborman/uuid v1.2.0 // indirect
@@ -101,47 +111,47 @@ require (
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.23.5 // indirect
+	k8s.io/apiextensions-apiserver v0.25.0 // indirect
 	k8s.io/klog/v2 v2.70.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf // indirect
+	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
 	kubevirt.io/containerized-data-importer-api v1.47.0 // indirect
 	kubevirt.io/controller-lifecycle-operator-sdk/api v0.0.0-20220329064328-f3cc58c6ed90 // indirect
 	moul.io/http2curl v1.0.0 // indirect
-	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
+	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
 replace k8s.io/kubernetes => k8s.io/kubernetes v1.20.13
 
 replace (
-	k8s.io/api => k8s.io/api v0.23.6
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.23.6
-	k8s.io/apimachinery => k8s.io/apimachinery v0.23.6
-	k8s.io/apiserver => k8s.io/apiserver v0.23.6
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.23.6
-	k8s.io/client-go => k8s.io/client-go v0.23.6
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.23.6
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.23.6
-	k8s.io/code-generator => k8s.io/code-generator v0.23.6
-	k8s.io/component-base => k8s.io/component-base v0.23.6
-	k8s.io/component-helpers => k8s.io/component-helpers v0.23.6
-	k8s.io/controller-manager => k8s.io/controller-manager v0.23.6
-	k8s.io/cri-api => k8s.io/cri-api v0.23.6
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.23.6
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.23.6
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.23.6
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.23.6
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.23.6
-	k8s.io/kubectl => k8s.io/kubectl v0.23.6
-	k8s.io/kubelet => k8s.io/kubelet v0.23.6
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.23.6
-	k8s.io/metrics => k8s.io/metrics v0.23.6
-	k8s.io/mount-utils => k8s.io/mount-utils v0.23.6
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.23.6
+	k8s.io/api => k8s.io/api v0.25.0
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.25.0
+	k8s.io/apimachinery => k8s.io/apimachinery v0.25.0
+	k8s.io/apiserver => k8s.io/apiserver v0.25.0
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.25.0
+	k8s.io/client-go => k8s.io/client-go v0.25.0
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.25.0
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.25.0
+	k8s.io/code-generator => k8s.io/code-generator v0.25.0
+	k8s.io/component-base => k8s.io/component-base v0.25.0
+	k8s.io/component-helpers => k8s.io/component-helpers v0.25.0
+	k8s.io/controller-manager => k8s.io/controller-manager v0.25.0
+	k8s.io/cri-api => k8s.io/cri-api v0.25.0
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.25.0
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.25.0
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.25.0
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.25.0
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.25.0
+	k8s.io/kubectl => k8s.io/kubectl v0.25.0
+	k8s.io/kubelet => k8s.io/kubelet v0.25.0
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.25.0
+	k8s.io/metrics => k8s.io/metrics v0.25.0
+	k8s.io/mount-utils => k8s.io/mount-utils v0.25.0
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.25.0
 )
 
-replace sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.11.2
+replace sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.13.1
 
 replace github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.1