Security Bulletins
NOTE: Kiali takes security seriously and encourages users to report security concerns.
If you run a security scan on Kiali software that automatically generates a list of potential vulnerabilities and would like to report this security scan report to the Kiali team, we ask that you first verify that your scan is correctly validating the latest release and that the list of results is valid, contains no duplicates, and the reported vulnerabilities truly affect Kiali. Security report investigation often takes priority over scheduled work and can be time consuming for the Kiali maintainers to research and validate. So, please verify that your submitted report accurately reflects the Kiali software being scanned, and that the reported security issue(s) actually affect Kiali or one of its dependencies.
Kiali releases every three weeks and so generally resolves CVEs in new releases only. Golang vulnerabilities are typically resolved in a timely way, as the Go version for release builds increments fairly often. Occasionally, critical CVEs may be resolved in patch releases for supported versions. Additionally, not every CVE reported against a Kiali dependency is actually a vulnerability. For reported CVEs that are proven not to affect Kiali, see the table below:
| CVE | Description | Notes |
|---|---|---|
| CVE-2024-2961 | The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set | Kiali is not affected. ISO-2022-CN-EXT has been removed. To confirm, run the validation command `podman run -it --rm --entrypoint '' quay.io/kiali/kiali:v2.2.0 iconv -l | grep -E 'CN-?EXT'`. See https://access.redhat.com/security/cve/CVE-2024-2961 |
| CVE-2023-37920 | A flaw was found in the python-certifi package. This issue occurs when the e-Tugra root certificate in Certifi is removed, resulting in an unspecified error that has an unknown impact and attack vector. | Kiali is not affected. This was fixed in RHEL9 base images with RHBA-2024:5691. Per the CVE page, these certs are included and marked as 'don't trust', but will not be removed until Mozilla removes them. Browsers are most at risk, which already understand and parse 'don't trust after'. Furthermore, note that Microsoft has not removed the certificate from their code-signing CA list that are merged with Mozilla's CA list, so the certificate is still there marked as trusted for code signing. See: https://access.redhat.com/security/cve/cve-2023-37920 and https://access.redhat.com/errata/RHBA-2024:5691 |
| CVE-2022-27191 | golang.org/x/crypto/ssh allows an attacker to crash a server in certain circumstances involving AddHostKey | Kiali does not use the AddHostKey API; furthermore, neither Kiali nor its dependencies import this component. Thus Kiali is not susceptible to this vulnerability. |
| CVE-2022-1996 | github.com/emicklei/go-restful | Despite the package dependency Kiali is not susceptible to this vulnerability |
| CVE-2019-1010022 | GNU Libc current is affected by: Mitigation bypass. | This is a disputed CVE. According to upstream, it is not a security issue. For details, please see https://sourceware.org/bugzilla/show_bug.cgi?id=22850 and https://security-tracker.debian.org/tracker/CVE-2019-1010022 |
For Kiali-specific vulnerabilities there will be releases made as needed. At release time a security bulletin will be release as well. For prior bulletins see below:
Last modified November 13, 2023: blurb on security scan reporting (#716) (c54a65c)