OpenShift Bugs: OCPBUGS-34689

Nutanix CCM: SWEET32 "SSL Medium Strength Cipher Suites Supported" reported

    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Undefined
    • Versions: 4.15, 4.16
    • Severity: Moderate
    • Release Note Not Required
    • Status: In Progress

      Description of problem:

      Customer is running OpenShift on AHV and their Tenable security scan reported the following vulnerability on the Nutanix Cloud Controller Manager deployment:
      https://www.tenable.com/plugins/nessus/42873 on port 10258, "SSL Medium Strength Cipher Suites Supported (SWEET32)".
      The Nutanix Cloud Controller Manager deployment runs two pods and exposes port 10258 to the outside world.
      sh-4.4# netstat -ltnp|grep -w '10258'
      tcp6       0      0 :::10258                :::*                    LISTEN      10176/nutanix-cloud
      sh-4.4# ps aux|grep 10176
      root       10176  0.0  0.2 1297832 59764 ?       Ssl  Feb15   4:40 /bin/nutanix-cloud-controller-manager --v=3 --cloud-provider=nutanix --cloud-config=/etc/cloud/nutanix_config.json --controllers=* --configure-cloud-routes=false --cluster-name=trulabs-8qmx4 --use-service-account-credentials=true --leader-elect=true --leader-elect-lease-duration=137s --leader-elect-renew-deadline=107s --leader-elect-retry-period=26s --leader-elect-resource-namespace=openshift-cloud-controller-manager
      root     1403663  0.0  0.0   9216  1100 pts/0    S+   14:17   0:00 grep 10176
      
      
      [centos@provisioner-trulabs-0-230518-065321 ~]$ oc get pods -A -o wide | grep nutanix
      openshift-cloud-controller-manager                 nutanix-cloud-controller-manager-5c4cdbb9c-jnv7c            1/1     Running     0                4d18h   172.17.0.249   trulabs-8qmx4-master-1       <none>           <none>
      openshift-cloud-controller-manager                 nutanix-cloud-controller-manager-5c4cdbb9c-vtrz5            1/1     Running     0                4d18h   172.17.0.121   trulabs-8qmx4-master-0       <none>           <none>
      
      
      [centos@provisioner-trulabs-0-230518-065321 ~]$ oc describe pod -n openshift-cloud-controller-manager                 nutanix-cloud-controller-manager-5c4cdbb9c-jnv7c
      Name:                 nutanix-cloud-controller-manager-5c4cdbb9c-jnv7c
      Namespace:            openshift-cloud-controller-manager
      Priority:             2000000000
      Priority Class Name:  system-cluster-critical
      Service Account:      cloud-controller-manager
      Node:                 trulabs-8qmx4-master-1/172.17.0.249
      Start Time:           Thu, 15 Feb 2024 19:24:52 +0000
      Labels:               infrastructure.openshift.io/cloud-controller-manager=Nutanix
                            k8s-app=nutanix-cloud-controller-manager
                            pod-template-hash=5c4cdbb9c
      Annotations:          operator.openshift.io/config-hash: b3e08acdcd983115fe7a2b94df296362b20c35db781c8eec572fbe24c3a7c6aa
      Status:               Running
      IP:                   172.17.0.249
      IPs:
        IP:           172.17.0.249
      Controlled By:  ReplicaSet/nutanix-cloud-controller-manager-5c4cdbb9c
      Containers:
        cloud-controller-manager:
          Container ID:  cri-o://f5c0f39e1907093c9359aa2ac364c5bcd591918b06103f7955b30d350c730a8a
          Image:         quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7f3e7b600d94d1ba0be1edb328ae2e32393acba819742ac3be5e6979a3dcbf4c
          Image ID:      quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7f3e7b600d94d1ba0be1edb328ae2e32393acba819742ac3be5e6979a3dcbf4c
          Port:          10258/TCP
          Host Port:     10258/TCP
          Command:
            /bin/bash
            -c
            #!/bin/bash
            set -o allexport
            if [[ -f /etc/kubernetes/apiserver-url.env ]]; then
              source /etc/kubernetes/apiserver-url.env
            fi
            exec /bin/nutanix-cloud-controller-manager \
              --v=3 \
              --cloud-provider=nutanix \
              --cloud-config=/etc/cloud/nutanix_config.json \
              --controllers=* \
              --configure-cloud-routes=false \
              --cluster-name=$(OCP_INFRASTRUCTURE_NAME) \
              --use-service-account-credentials=true \
              --leader-elect=true \
              --leader-elect-lease-duration=137s \
              --leader-elect-renew-deadline=107s \
              --leader-elect-retry-period=26s \
              --leader-elect-resource-namespace=openshift-cloud-controller-manager
      
          State:          Running
            Started:      Thu, 15 Feb 2024 19:24:56 +0000
          Ready:          True
          Restart Count:  0
          Requests:
            cpu:     200m
            memory:  128Mi
          Environment:
            OCP_INFRASTRUCTURE_NAME:   trulabs-8qmx4
            NUTANIX_SECRET_NAMESPACE:  openshift-cloud-controller-manager
            NUTANIX_SECRET_NAME:       nutanix-credentials
            POD_NAMESPACE:             openshift-cloud-controller-manager (v1:metadata.namespace)
          Mounts:
            /etc/cloud from nutanix-config (ro)
            /etc/kubernetes from host-etc-kube (ro)
            /etc/pki/ca-trust/extracted/pem from trusted-ca (ro)
            /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-4ht28 (ro)
      Conditions:
        Type              Status
        Initialized       True
        Ready             True
        ContainersReady   True
        PodScheduled      True
      Volumes:
        nutanix-config:
          Type:      ConfigMap (a volume populated by a ConfigMap)
          Name:      cloud-conf
          Optional:  false
        trusted-ca:
          Type:      ConfigMap (a volume populated by a ConfigMap)
          Name:      ccm-trusted-ca
          Optional:  false
        host-etc-kube:
          Type:          HostPath (bare host directory volume)
          Path:          /etc/kubernetes
          HostPathType:  Directory
        kube-api-access-4ht28:
          Type:                    Projected (a volume that contains injected data from multiple sources)
          TokenExpirationSeconds:  3607
          ConfigMapName:           kube-root-ca.crt
          ConfigMapOptional:       <nil>
          DownwardAPI:             true
          ConfigMapName:           openshift-service-ca.crt
          ConfigMapOptional:       <nil>
      QoS Class:                   Burstable
      Node-Selectors:              node-role.kubernetes.io/master=
      Tolerations:                 node-role.kubernetes.io/master:NoSchedule op=Exists
                                   node.cloudprovider.kubernetes.io/uninitialized:NoSchedule op=Exists
                                   node.kubernetes.io/memory-pressure:NoSchedule op=Exists
                                   node.kubernetes.io/not-ready:NoExecute op=Exists for 120s
                                   node.kubernetes.io/not-ready:NoSchedule op=Exists
                                   node.kubernetes.io/unreachable:NoExecute op=Exists for 120s
      Events:                      <none>
      
      
      Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
      
          Name                          Code             KEX           Auth     Encryption             MAC
          ----------------------        ----------       ---           ----     ---------------------  ---
          ECDHE-RSA-DES-CBC3-SHA        0xC0, 0x12       ECDH          RSA      3DES-CBC(168)          SHA1
          DES-CBC3-SHA                  0x00, 0x0A       RSA           RSA      3DES-CBC(168)          SHA1
      
      The fields above are :
      
        {Tenable ciphername}
        {Cipher ID code}
        Kex={key exchange}
        Auth={authentication}
        Encrypt={symmetric encryption method}
        MAC={message authentication code}
        {export flag}
      
      
      [centos@provisioner-trulabs-0-230518-065321 ~]$ curl -v telnet://172.17.0.2:10258
      * About to connect() to 172.17.0.2 port 10258 (#0)
      *   Trying 172.17.0.2...
      * Connected to 172.17.0.2 (172.17.0.2) port 10258 (#0)

      Version-Release number of selected component (if applicable):

          

      How reproducible:

      The Nutanix CCM pod running in the OCP cluster does not set the option "--tls-cipher-suites".

      Steps to Reproduce:

      Create an OCP Nutanix cluster.

      Actual results:

      Running the CLI command below returns nothing:
      $ oc describe pod -n openshift-cloud-controller-manager nutanix-cloud-controller-manager-... | grep "\--tls-cipher-suites"

      Expected results:

      Expect the Nutanix CCM deployment to set the proper option "--tls-cipher-suites".
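As an added example that is not part of this bug report or of the Nutanix CCM project, the Go program below performs the check a reviewer would run against this finding: it reports a missing `--tls-cipher-suites` flag, validates any suite names that are given against the list Go's `crypto/tls` implements (the IANA spelling kube components accept for that flag), rejects 3DES and RC4 suites by name regardless of how the local Go version classifies them, and prints a candidate flag value assembled from Go's secure ECDHE AEAD suites. The argument slice is reconstructed from the `oc describe pod` output above; the `Finding` type, the function names and the recommended-suite selection are this example's own choices, not OpenShift's.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// Argument list of the CCM container as captured in the bug's `oc describe pod`
// output, reconstructed here as a Go slice (the real deployment runs it via bash).
// Note that --tls-cipher-suites is absent.
var ccmArgs = []string{
	"/bin/nutanix-cloud-controller-manager",
	"--v=3",
	"--cloud-provider=nutanix",
	"--cloud-config=/etc/cloud/nutanix_config.json",
	"--controllers=*",
	"--configure-cloud-routes=false",
	"--use-service-account-credentials=true",
	"--leader-elect=true",
}

// Finding is one audit result (type defined for this example).
type Finding struct {
	Status  string // "FAIL" or "OK"
	Message string
}

// flagValue returns the value of --name from args, accepting both the
// "--name=value" and the "--name value" spellings.
func flagValue(args []string, name string) (string, bool) {
	long := "--" + name
	for i, a := range args {
		if a == long && i+1 < len(args) {
			return args[i+1], true
		}
		if strings.HasPrefix(a, long+"=") {
			return strings.TrimPrefix(a, long+"="), true
		}
	}
	return "", false
}

// knownSuites maps every IANA cipher suite name Go implements (the spelling kube
// components accept for --tls-cipher-suites) to whether Go's crypto/tls itself
// lists it under InsecureCipherSuites.
func knownSuites() map[string]bool {
	m := map[string]bool{}
	for _, s := range tls.CipherSuites() {
		m[s.Name] = false
	}
	for _, s := range tls.InsecureCipherSuites() {
		m[s.Name] = true
	}
	return m
}

// weakByName is a check independent of the Go version: any suite built on 3DES
// (the SWEET32 family reported by the scan) or RC4 is rejected outright.
func weakByName(name string) bool {
	return strings.Contains(name, "3DES") || strings.Contains(name, "RC4")
}

// AuditCipherFlag inspects a kube component's arguments. A missing flag is the
// defect in this bug: the component then serves with Go's default suite list.
func AuditCipherFlag(args []string) []Finding {
	val, ok := flagValue(args, "tls-cipher-suites")
	if !ok {
		return []Finding{{"FAIL", "--tls-cipher-suites not set; the server uses Go default cipher suites"}}
	}
	known := knownSuites()
	var out []Finding
	for _, name := range strings.Split(val, ",") {
		name = strings.TrimSpace(name)
		insecure, exists := known[name]
		switch {
		case !exists:
			out = append(out, Finding{"FAIL", "unknown cipher suite name " + name})
		case insecure || weakByName(name):
			out = append(out, Finding{"FAIL", "weak cipher suite " + name})
		default:
			out = append(out, Finding{"OK", name})
		}
	}
	return out
}

// RecommendedFlag builds a --tls-cipher-suites value from the suites Go classifies
// as secure, keeping only forward-secret ECDHE AEAD suites (GCM or ChaCha20).
// This selection is the example's own choice, not an OpenShift default.
func RecommendedFlag() string {
	var names []string
	for _, s := range tls.CipherSuites() {
		n := s.Name
		if strings.Contains(n, "ECDHE") && (strings.Contains(n, "GCM") || strings.Contains(n, "CHACHA20")) {
			names = append(names, n)
		}
	}
	sort.Strings(names)
	return "--tls-cipher-suites=" + strings.Join(names, ",")
}

func main() {
	for _, f := range AuditCipherFlag(ccmArgs) {
		fmt.Printf("%-4s %s\n", f.Status, f.Message)
	}
	fmt.Println("suggested:", RecommendedFlag())
}
```

Run against the captured argument list the audit prints a single FAIL for the missing flag; feeding it a list that mixes `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA` with an AES-GCM suite shows the per-suite verdicts that a corrected deployment should pass.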

      Additional info:

          

              Yanhua Li (yanhli@redhat.com)
              Huali Liu
              Steven Smith