TrueChartsClone/charts/stable/zigbee2mqtt/security.md

29 KiB
Raw Blame History

hide
toc

Security Overview

Helm-Chart

Scan Results

Chart Object: zigbee2mqtt/templates/common.yaml

Type Misconfiguration ID Check Severity Explaination Links
Kubernetes Security Check KSV001 Process can elevate its own privileges MEDIUM
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'RELEASE-NAME-zigbee2mqtt' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.allowPrivilegeEscalation' to false
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
Kubernetes Security Check KSV001 Process can elevate its own privileges MEDIUM
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'autopermissions' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.allowPrivilegeEscalation' to false
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
Kubernetes Security Check KSV001 Process can elevate its own privileges MEDIUM
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'init-config' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.allowPrivilegeEscalation' to false
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
Kubernetes Security Check KSV003 Default capabilities not dropped LOW
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'RELEASE-NAME-zigbee2mqtt' of Deployment 'RELEASE-NAME-zigbee2mqtt' should add 'ALL' to 'securityContext.capabilities.drop'
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
Kubernetes Security Check KSV003 Default capabilities not dropped LOW
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'autopermissions' of Deployment 'RELEASE-NAME-zigbee2mqtt' should add 'ALL' to 'securityContext.capabilities.drop'
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
Kubernetes Security Check KSV003 Default capabilities not dropped LOW
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'init-config' of Deployment 'RELEASE-NAME-zigbee2mqtt' should add 'ALL' to 'securityContext.capabilities.drop'
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
Kubernetes Security Check KSV011 CPU not limited LOW
Expand... Enforcing CPU limits prevents DoS via resource exhaustion.


Container 'init-config' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'resources.limits.cpu'
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/misconfig/ksv011
Kubernetes Security Check KSV012 Runs as root user MEDIUM
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'RELEASE-NAME-zigbee2mqtt' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.runAsNonRoot' to true
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv012
Kubernetes Security Check KSV012 Runs as root user MEDIUM
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'autopermissions' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.runAsNonRoot' to true
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv012
Kubernetes Security Check KSV012 Runs as root user MEDIUM
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'init-config' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.runAsNonRoot' to true
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv012
Kubernetes Security Check KSV014 Root file system is not read-only LOW
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'RELEASE-NAME-zigbee2mqtt' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.readOnlyRootFilesystem' to true
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
Kubernetes Security Check KSV014 Root file system is not read-only LOW
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'autopermissions' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.readOnlyRootFilesystem' to true
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
Kubernetes Security Check KSV014 Root file system is not read-only LOW
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'init-config' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.readOnlyRootFilesystem' to true
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
Kubernetes Security Check KSV015 CPU requests not specified LOW
Expand... When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.


Container 'init-config' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'resources.requests.cpu'
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/misconfig/ksv015
Kubernetes Security Check KSV016 Memory requests not specified LOW
Expand... When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.


Container 'init-config' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'resources.requests.memory'
Expand...https://kubesec.io/basics/containers-resources-limits-memory/
https://avd.aquasec.com/misconfig/ksv016
Kubernetes Security Check KSV017 Privileged container HIGH
Expand... Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.


Container 'autopermissions' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.privileged' to false
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/misconfig/ksv017
Kubernetes Security Check KSV018 Memory not limited LOW
Expand... Enforcing memory limits prevents DoS via resource exhaustion.


Container 'init-config' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'resources.limits.memory'
Expand...https://kubesec.io/basics/containers-resources-limits-memory/
https://avd.aquasec.com/misconfig/ksv018
Kubernetes Security Check KSV020 Runs with low user ID LOW
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the hosts user table.


Container 'RELEASE-NAME-zigbee2mqtt' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.runAsUser' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
Kubernetes Security Check KSV020 Runs with low user ID LOW
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the hosts user table.


Container 'autopermissions' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.runAsUser' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
Kubernetes Security Check KSV020 Runs with low user ID LOW
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the hosts user table.


Container 'init-config' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.runAsUser' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
Kubernetes Security Check KSV021 Runs with low group ID LOW
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the hosts user table.


Container 'RELEASE-NAME-zigbee2mqtt' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.runAsGroup' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
Kubernetes Security Check KSV021 Runs with low group ID LOW
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the hosts user table.


Container 'autopermissions' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.runAsGroup' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
Kubernetes Security Check KSV021 Runs with low group ID LOW
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the hosts user table.


Container 'init-config' of Deployment 'RELEASE-NAME-zigbee2mqtt' should set 'securityContext.runAsGroup' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
Kubernetes Security Check KSV030 Default Seccomp profile not set LOW
Expand... The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.


Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
Kubernetes Security Check KSV030 Default Seccomp profile not set LOW
Expand... The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.


Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
Kubernetes Security Check KSV030 Default Seccomp profile not set LOW
Expand... The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.


Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
Kubernetes Security Check KSV105 Containers must not set runAsUser to 0 LOW
Expand... Containers should be forbidden from running with a root UID.


securityContext.runAsUser should be set to a value greater than 0
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv105
Kubernetes Security Check KSV105 Containers must not set runAsUser to 0 LOW
Expand... Containers should be forbidden from running with a root UID.


securityContext.runAsUser should be set to a value greater than 0
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv105
Kubernetes Security Check KSV106 Container capabilities must only include NET_BIND_SERVICE LOW
Expand... Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.


container should drop all
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
Kubernetes Security Check KSV106 Container capabilities must only include NET_BIND_SERVICE LOW
Expand... Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.


container should drop all
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
Kubernetes Security Check KSV106 Container capabilities must only include NET_BIND_SERVICE LOW
Expand... Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.


container should drop all
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106

Containers

Detected Containers
      tccr.io/truecharts/alpine:v3.16.0@sha256:16dc15f3d61a1e30b1df9f839e53636847b6097286b2b74c637b25fd8264f730
      'tccr.io/truecharts/zigbee2mqtt:v1.26.0@sha256:c8558f886e60e5b091e337b8ffd02c43555f637264f3b33dc7aee8b6abe57f68'
      tccr.io/truecharts/zigbee2mqtt:v1.26.0@sha256:c8558f886e60e5b091e337b8ffd02c43555f637264f3b33dc7aee8b6abe57f68
Scan Results

Container: tccr.io/truecharts/alpine:v3.16.0@sha256:16dc15f3d61a1e30b1df9f839e53636847b6097286b2b74c637b25fd8264f730 (alpine 3.16.0)

alpine

Package Vulnerability Severity Installed Version Fixed Version Links
curl CVE-2022-32205 MEDIUM 7.83.1-r1 7.83.1-r2
Expand...https://access.redhat.com/security/cve/CVE-2022-32205
https://curl.se/docs/CVE-2022-32205.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32205
https://ubuntu.com/security/notices/USN-5495-1
curl CVE-2022-32206 MEDIUM 7.83.1-r1 7.83.1-r2
Expand...https://access.redhat.com/security/cve/CVE-2022-32206
https://curl.se/docs/CVE-2022-32206.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206
https://ubuntu.com/security/notices/USN-5495-1
curl CVE-2022-32207 MEDIUM 7.83.1-r1 7.83.1-r2
Expand...https://access.redhat.com/security/cve/CVE-2022-32207
https://curl.se/docs/CVE-2022-32207.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32207
https://ubuntu.com/security/notices/USN-5495-1
curl CVE-2022-32208 MEDIUM 7.83.1-r1 7.83.1-r2
Expand...https://access.redhat.com/security/cve/CVE-2022-32208
https://curl.se/docs/CVE-2022-32208.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208
https://ubuntu.com/security/notices/USN-5495-1
https://ubuntu.com/security/notices/USN-5499-1
libcurl CVE-2022-32205 MEDIUM 7.83.1-r1 7.83.1-r2
Expand...https://access.redhat.com/security/cve/CVE-2022-32205
https://curl.se/docs/CVE-2022-32205.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32205
https://ubuntu.com/security/notices/USN-5495-1
libcurl CVE-2022-32206 MEDIUM 7.83.1-r1 7.83.1-r2
Expand...https://access.redhat.com/security/cve/CVE-2022-32206
https://curl.se/docs/CVE-2022-32206.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206
https://ubuntu.com/security/notices/USN-5495-1
libcurl CVE-2022-32207 MEDIUM 7.83.1-r1 7.83.1-r2
Expand...https://access.redhat.com/security/cve/CVE-2022-32207
https://curl.se/docs/CVE-2022-32207.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32207
https://ubuntu.com/security/notices/USN-5495-1
libcurl CVE-2022-32208 MEDIUM 7.83.1-r1 7.83.1-r2
Expand...https://access.redhat.com/security/cve/CVE-2022-32208
https://curl.se/docs/CVE-2022-32208.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208
https://ubuntu.com/security/notices/USN-5495-1
https://ubuntu.com/security/notices/USN-5499-1

Container: tccr.io/truecharts/zigbee2mqtt:v1.26.0@sha256:c8558f886e60e5b091e337b8ffd02c43555f637264f3b33dc7aee8b6abe57f68 (alpine 3.15.4)

alpine

No Vulnerabilities found

node-pkg

No Vulnerabilities found