Lucene search
GitHub Advisory DatabaseGHSA-HGV6-W7R3-W4QWHistoryMay 30, 2023 - 8:07 p.m.
Kyverno vulnerable due to usage of insecure cipher
2023-05-3020:07:06
GitHub Advisory Database
github.com
35
Summary
Insecure 3DES ciphers are used which may lead to exploitation of the Sweet32 vulnerability. Specifically, the ciphers TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) and TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) are allowed. See CVE-2016-2183. This is fixed in Kyverno v1.9.5 and v1.10.0 and no known users have been affected.
Details
The ciphers in affected versions can be read using the following command which uses nmap:
$ kubectl exec -it mypod -n kyverno sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
**nmap -sV --script ssl-enum-ciphers -p 443 kyverno-cleanup-controller** or **nmap -sV --script ssl-enum-ciphers -p 443 kyverno-svc**
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-26 10:55 UTC
Nmap scan report for kyverno-cleanup-controller (10.103.199.233)
Host is up (0.000058s latency).
rDNS record for 10.103.199.233: kyverno-cleanup-controller.kyverno.svc.cluster.local
PORT STATE SERVICE VERSION
443/tcp open ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
**| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C**
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
**| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C**
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: C
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.72 seconds
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/kyverno/kyverno | lt | 1.9.5 |
Related
ibm
ibm
Security Bulletin: IBM MessageSight affected by GSKit Sweet32 Birthday attacks (CVE-2016-2183)
2018-06-17 15:36:58
Security Bulletin: A security vulnerability has been identified in GSKit shipped with IBM Spectrum Scale V4 (CVE-2016-2183)
2018-08-01 19:18:54
Security Bulletin: A vulnerability in Python affects PowerKVM
2018-09-26 17:55:02
nessus
nessus
SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2017:0719-1)
2017-03-20 00:00:00
F5 Networks BIG-IP : OpenSSL vulnerability (K13167034)
2017-03-02 00:00:00
SSL Medium Strength Cipher Suites Supported (SWEET32)
2009-11-23 00:00:00
prion
prion
Design/Logic Flaw
2016-09-01 00:59:00
Design/Logic Flaw
2023-01-17 21:15:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2017:0719-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2017:0726-1)
2021-06-09 00:00:00
hackerone
hackerone
Legal Robot: SWEET32 TLS attack
2017-01-18 18:03:52
Udemy: sweet32
2017-03-31 12:18:22
Yelp: Yelp.com is vulnerable to SWEET32 attack
2017-01-18 17:43:32
cve
cve
CVE-2016-2183
2016-09-01 00:59:00
CVE-2023-0296
2023-01-17 21:15:15
redhat
redhat
(RHSA-2019:1245) Moderate: Red Hat Quay 3.0.2 security and bug fix update
2019-05-20 14:11:05
(RHSA-2018:2123) Moderate: python security update
2018-07-03 13:00:43
veracode
veracode
Information Disclosure
2017-01-09 02:06:31
Weak Encryption
2019-01-15 09:15:57
threatpost
threatpost
New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption
2016-08-24 08:00:39
OpenSSL Patches High-Severity OCSP Bug, Mitigates SWEET32 Attack
2016-09-23 15:47:13
OpenSSL Fixes Critical Bug Introduced by Latest Update
2016-09-26 10:45:04
f5
f5
K13167034 : OpenSSL vulnerability CVE-2016-2183
2016-10-04 00:00:00
SOL13167034 - OpenSSL vulnerability CVE-2016-2183
2016-10-04 00:00:00
openssl
openssl
Vulnerability in OpenSSL CVE-2016-2183
2016-08-24 00:00:00
centos
centos
python, tkinter security update
2018-07-13 16:28:09
osv
osv
Kyverno vulnerable due to usage of insecure cipher
2023-05-30 20:07:06
CVE-2016-2183
2016-09-01 00:59:00
oraclelinux
oraclelinux
python security update
2018-07-03 00:00:00
python security and bug fix update
2018-11-05 00:00:00
openssl security update
2016-10-13 00:00:00
ubuntucve
ubuntucve
CVE-2016-2183
2016-08-31 00:00:00
checkpoint_advisories
checkpoint_advisories
Weak SSL 3DES Cipher Suites (CVE-2016-2183)
2016-09-25 00:00:00
attackerkb
attackerkb
CVE-2016-2183
2016-09-01 00:00:00
cloudfoundry
cloudfoundry
alpinelinux
alpinelinux
CVE-2016-2183
2016-09-01 00:59:00
fortinet
fortinet
Protect
2019-02-07 00:00:00
exploitpack
exploitpack
symantec
symantec
SA133 : Sweet32 Birthday Attack against DES, 3DES, and Blowfish
2016-12-22 08:00:00
packetstorm
packetstorm
IBM Informix Dynamic Server DLL Injection / Code Execution
2017-05-31 00:00:00
ubuntu
ubuntu
NSS vulnerabilities
2017-04-27 00:00:00
NSS vulnerability
2017-07-31 00:00:00
slackware
slackware
[slackware-security] python
2016-12-28 21:09:54
seebug
seebug
IBM Informix Dynamic Server Open Admin Tool RCE (CVE-2017-1092)
2017-05-24 00:00:00
redhatcve
redhatcve
CVE-2023-0296
2023-01-16 14:05:12
zdt
zdt
exploitdb
exploitdb
Related for GHSA-HGV6-W7R3-W4QW