CVE-2016-2183 was detected on TKGm 2.5.0

Article ID: 398556

Products

Tanzu Kubernetes Runtime

Issue/Introduction

A customer running TKGm 2.5.0 wants to mitigate CVE-2016-2183, which was detected on TKG ports 16664 and 16665. These ports are used by Antrea interworking.

Environment

TKGm 2.5.0

Cause

  • CVE-2016-2183 is very broad, and many TKGm components were affected, but it is also a very old CVE. Kubernetes was one of these components.
  • Antrea specifically has this configuration option:
      Antrea: antrea.config.tlsCipherSuites
      Includes FIPS-enabled cipher suites by default. To switch to other cipher suites, update the values under the tlsCipherSuites field.
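
A check for a tlsCipherSuites value, as an added example that is not part of the original article or of Antrea: it flags DES and Triple DES suites, the ciphers CVE-2016-2183 concerns, and reports names it cannot classify. It assumes the value is a comma-separated list of IANA-style suite names; the function name and the sample value are hypothetical.

```python
import re

# DES / Triple DES suites (64-bit block, the subject of CVE-2016-2183),
# matched on the cipher part of IANA-style names such as
# TLS_RSA_WITH_3DES_EDE_CBC_SHA.
DES_FAMILY = re.compile(r"_WITH_(3DES_EDE|DES40|DES)_CBC_")
SUITE_NAME = re.compile(r"^TLS_[A-Z0-9_]+$")


def audit_tls_cipher_suites(value):
    """Classify each suite in a comma-separated tlsCipherSuites value."""
    report = {"pinned": False, "flagged": [], "unrecognized": [], "kept": []}
    for raw in (value or "").split(","):
        name = raw.strip().upper()
        if not name:
            continue
        # At least one entry means the list is set explicitly.
        report["pinned"] = True
        if not SUITE_NAME.match(name):
            # Wrong naming scheme or a typo: review by hand.
            report["unrecognized"].append(raw.strip())
        elif DES_FAMILY.search(name):
            report["flagged"].append(name)
        else:
            report["kept"].append(name)
    # Value to put back in the config once DES/3DES suites are dropped.
    report["suggested"] = ",".join(report["kept"])
    return report


# Constructed sample value, not taken from a real cluster.
SAMPLE = (
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "ECDHE-RSA-DES-CBC3-SHA"
)

if __name__ == "__main__":
    result = audit_tls_cipher_suites(SAMPLE)
    for key in ("pinned", "flagged", "unrecognized", "suggested"):
        print(f"{key}: {result[key]}")
```

An empty value returns pinned as False: the list is not set explicitly, so the suites in effect have to be confirmed on the listening ports themselves.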

Resolution

TKGm 2.5.4 will resolve this issue and the ETA is mid-June.

  • Fix-1 is available since Antrea commercial 1.10 (based on open-source release 2.1). Integrated with K8s release 1.31.
  • Fix-2 is available since Antrea commercial 1.11 (based on open-source release 2.3). Integrated with K8s 1.32.

TKGm 2.5.4 will use Antrea v2.3.0 and support Kubernetes v1.31 and v1.32, along with other versions of Kubernetes.

Additional Information

TKGm 2.5.0 is using Antrea 1.13.1 and Antrea interworking 0.13.0.