
Vulnerability Patch Policy

While it’s our goal to distribute vulnerability-free versions of all components, this isn’t always possible. Kubernetes and KOTS are made from many components, each authored by different vendors.

The best way to stay ahead of vulnerabilities is to run the latest version and have a strategy to quickly update when a patch is available.

How We Scan

Our build pipeline uses Trivy to scan for and detect known, published vulnerabilities in our images. It’s possible that other security scanners will detect a different set of results. We commit to patching vulnerabilities according to the timeline below based on the results of our internal scans.

If you or your customer detects a different vulnerability using a different scanner, we encourage you to report it to us by opening a GitHub issue, sending a Slack message, or emailing [email protected]. Our team will evaluate the vulnerability and determine the best course of action.

Base Images

When possible, KOTS uses alpine, scratch, or distroless images to reduce the number of components that might be affected by CVEs. When a larger base image is required, we will keep it updated to the latest version available based on the following timeline:

Base Version Change | Time to include in release
Patch version       | Within 2 weeks
Minor version       | Within 30 days
Major version       | Before the previous version is EOL

Upstream CVE Disclosure

Replicated KOTS and kURL deliver many upstream Kubernetes and ecosystem components. We do not build these packages and rely on the upstream software vendor to distribute patches. Our intent is to make any patches available as soon as possible, but we guarantee the following maximum timeline for making an upstream patch available. The clock starts once both conditions hold: we have learned about the vulnerability, and a patch is available to us.

CVE Level | Time to release
Critical  | Within 2 weeks
High      | Within 60 days
Medium    | Within 90 days
Low       | Best effort unless risk accepted

Notable Upstream CVEs

The following CVEs have yet to be resolved by the upstream maintainers and therefore are not patched in Replicated. This is not an exhaustive list of unpatched upstream CVEs; instead, these are noteworthy CVEs that we have evaluated and on which we offer our opinion to help with your own security reviews. When available, we will apply upstream patches in accordance with our policy described in Upstream CVE Disclosure above. We will update this list after applying any upstream patches.

CVE ID        | Explanation
CVE-2022-1292 | The reported vulnerability affects an OpenSSL script in the container image (c_rehash), but neither Velero nor Replicated use this script. As such, it is our opinion that CVE-2022-1292 is not remotely exploitable within Replicated.

Vulnerability Management Exception Policy

There might be instances where policy exceptions are required to continue using third-party software with known vulnerabilities in our on-premises products. Some reasons for an exception include:

  • Feature breakage or bugs in patched versions
  • Performance issues in patched versions
  • Patched version contains higher severity vulnerabilities

Regardless of the reason, an exception is vetted from both a business impact and a security standpoint. The business review assesses the overall impact to the product of adopting the patched, but otherwise problematic, version of the software. The security review determines whether the CVE is applicable in this specific context and whether its impact on the product's overall security posture is acceptable.

In the event of a vulnerability management exception, a notice is posted containing:

  • The impacted product(s)
  • The rationale for the exception
  • The relevant CVE(s)
  • A risk assessment in the product context for each CVE

As subsequent versions of the vulnerable software are released, Replicated continues to research to find a solution that satisfies the business and security requirements of the original exception. 

Vulnerability Management Exceptions

KOTS uses MinIO RELEASE.2022-06-11T19-55-32Z which includes a number of CVEs. Newer MinIO releases have fixed these CVEs but also introduced breaking product changes. Replicated is actively working to incorporate a newer MinIO version into KOTS. Until then, the following CVEs will be present in KOTS. However, each CVE has been reviewed and it has been determined none are exploitable:

CVE            | CVE Summary | Rationale
CVE-2022-2509  | A vulnerability found in gnutls. This security flaw happens because a double free error occurs during verification of pkcs7 signatures in the gnutls_pkcs7_verify function. | No reference to use of the gnutls_pkcs7_verify function found in MinIO source
CVE-2020-35527 | In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause. | No reference to use of the ALTER TABLE command found in MinIO source
CVE-2022-42898 | PAC parsing in MIT Kerberos 5 before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to denial of service on 32-bit platforms. | No reference to krb5 found in MinIO source
CVE-2022-37434 | zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. | No reference to use of the inflateGetHeader function found in MinIO source
CVE-2022-40303 | An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. | No reference to use of libxml2 found in MinIO source
CVE-2022-40304 | An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. | No reference to use of libxml2 found in MinIO source

Known Disclosed Vulnerabilities in our On Premises Products

CVE            | CVE Summary | Rationale
CVE-2020-27847 | A vulnerability exists in the SAML connector of the library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threats from this vulnerability are to confidentiality, integrity, and system availability. This flaw affects dex versions before 2.27.0. | This is a false positive from Trivy. This vulnerability applies to Dex versions prior to 2.27.0, whereas Replicated is using Dex version 2.35.0. Dex does not follow Go's semantic versioning convention, which may explain the erroneous result from Trivy.
CVE-2022-39222 | Dex instances with public clients (and by extension, clients accepting tokens issued by those Dex instances) are affected by this vulnerability if they are running a version prior to 2.35.0. An attacker can exploit this vulnerability by making a victim navigate to a malicious website and guiding them through the OIDC flow, stealing the OAuth authorization code in the process. The authorization code can then be exchanged by the attacker for a token, gaining access to applications accepting that token. Version 2.35.0 introduced a fix for this issue. | This is a false positive from Trivy. This vulnerability applies to Dex versions prior to 2.35.0, whereas Replicated is using Dex version 2.35.0. Dex does not follow Go's semantic versioning convention, which may explain the erroneous result from Trivy.