A static analysis toolkit that detects vulnerabilities and Docker and Kubernetes cluster misconfigurations, based on real-world penetration testing of cloud computing environments.
Notable Updates:
- `CVE-2024-21626` checking: check the mount path. Because the leaked fd number varies, vesta checks for the key path `/proc/self/fd` in `WORKDIR`.
- `CVE-2024-3094` checking: check the library `liblzma.so`; refer to `detect.sh`.
md5 | filename |
---|---|
7ea0d98f1a9fcb8917cd9834fd51c08e | vesta_darwin_amd64 |
ff58c0fba46ab9e4ac083283de1c5072 | vesta_linux_amd64 |
f8b5b16689ff0dd460a81989970dbcab | vesta_windows_amd64.exe |
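As an added example (not vesta's own code), a Go check in the spirit of the CVE-2024-21626 `WORKDIR` rule above: it flags any Dockerfile `WORKDIR` that resolves through `/proc/self/fd`, matching the prefix rather than a specific fd number, and shows why the raw string must be inspected rather than a cleaned path. The Dockerfile content is constructed sample input and the function names are mine.

```go
package main

import (
	"fmt"
	"strings"
)

// Key path from the release note: the leaked fd number varies, so the
// check matches the /proc/self/fd prefix rather than a specific number.
const procSelfFd = "/proc/self/fd"
// Finding records one WORKDIR instruction that resolves through /proc/self/fd.
type Finding struct {
	Line int
	Path string
}
// SuspiciousWorkdir inspects the raw WORKDIR value on purpose: filepath.Clean
// would fold "/proc/self/fd/7/../../.." into "/" and hide the path.
func SuspiciousWorkdir(raw string) bool {
	p := strings.Trim(strings.TrimSpace(raw), `"'`)
	if !strings.HasPrefix(p, procSelfFd) {
		return false
	}
	rest := p[len(procSelfFd):]
	return rest == "" || strings.HasPrefix(rest, "/")
}
// ScanDockerfile returns every WORKDIR line that hits the check; instruction
// names are case-insensitive in Dockerfiles, so "workdir" counts too.
func ScanDockerfile(content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || !strings.EqualFold(fields[0], "WORKDIR") {
			continue
		}
		if path := strings.Join(fields[1:], " "); SuspiciousWorkdir(path) {
			out = append(out, Finding{Line: i + 1, Path: path})
		}
	}
	return out
}
// Constructed sample input for the demo, not taken from any real image.
const sampleDockerfile = `FROM alpine:3.19
WORKDIR /app
COPY . .
workdir /proc/self/fd/7/../../../
CMD ["sh"]`
func main() {
	for _, f := range ScanDockerfile(sampleDockerfile) {
		fmt.Printf("line %d: WORKDIR %q reaches the host through %s\n", f.Line, f.Path, procSelfFd)
	}
}
```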
Notable Updates:
- `BearerToken` for authentication.
- `--inside` flag in the k8s analysis: the function `clientcmd.BuildConfigFromFlags` automatically falls back to `restclient.InClusterConfig` when it cannot find a kubeconfig in the user directory. Therefore, the redundant `--inside` flag was removed.
md5 | filename |
---|---|
75820c21fc4df579df4dfa12e47eafcd | vesta_darwin_amd64 |
50e4aa00ae5a5ccc5f4ba07ffa239204 | vesta_linux_amd64 |
1b6dc5033ab5bada38d5027fd655d56e | vesta_windows_amd64.exe |
Notable Updates:
- `docker config` and `docker secret` checking in Docker Swarm, and finding the relevant Docker services. Also review the vulnerable containers related to those services.
- `ephemeral-storage` limitation checking.
- Image scan.
md5 | filename |
---|---|
12e3734748efcc4352bc197680284cf9 | vesta_darwin_amd64 |
e0210985d0a941bd65e785be33cbf945 | vesta_linux_amd64 |
9d74eded560dccd3b07027b85694b98c | vesta_windows_amd64.exe |
Notable Updates:
- `OSCS` as part of the data source: add the OSCS feed for malicious package checking in Python and Node.
md5 | filename |
---|---|
e91b6dcb80e767d2dd12b5f0fe3268b0 | vesta_darwin_amd64 |
9253b89e2d8afc694ff4f1900cc37361 | vesta_linux_amd64 |
5b0552bb46b50f5044dfef62094d998f | vesta_windows_amd64.exe |
Notable Updates:
- Extend `ConfigMap`, `Secret`, `Job`, and `CronJob` checks from non-whitelisted namespaces to every namespace.
- `PodSecurityPolicy` and k8s version checking.
md5 | filename |
---|---|
903f839034771bf56f34c5b1b6693a8c | vesta_darwin_amd64 |
a80a88e55c444c99064c958b9c708652 | vesta_linux_amd64 |
f5e4846dd5e65a4fc3b5f0652166d1ee | vesta_windows_amd64.exe |
Notable Updates:
- `log4j` checking.
- Add `--pid=host` and `--net=host` to the checking list.
md5 | filename |
---|---|
5eb1dc394ddea93b256f9acd2da60fb6 | vesta_darwin_amd64 |
9f3f50b3ac049c6978083510fb2ed768 | vesta_linux_amd64 |
55c158c3a30579d4ee3c6ec85cc2fc85 | vesta_windows_amd64.exe |
Notable Updates:
- Check `Env`, and check `ConfigMap` or `Secret` referenced in `EnvFrom`.
- `upgrade` changed to `update`.
- 14/02/2023: fixed DNS panic due to `C.getaddrinfo`.
md5 | filename |
---|---|
a7e74211ebab589172006b1fc76d6503 | vesta_darwin_amd64 |
2cd17e7c804a981784f2c4e59a842e38 | vesta_linux_amd64 |
ad0f412280c9eb95f61d46f8f0ffcfae | vesta_windows_amd64.exe |
Notable Updates:
- RBAC severity levels `high`, `medium`, `low` and `warning`. Key resources such as `pods`, `deployments` and `statefulsets` combined with dangerous verbs such as `create`, `patch` and `delete` need attention. The service account mount path `/var/run/secrets/kubernetes.io/serviceaccount/token` is checked together with RBAC vulnerabilities. Untrusted users are printed for self-checking.
md5 | filename |
---|---|
ef292417ac9024281f92f639e81dbe58 | vesta_darwin_amd64 |
62043d3914f567a5987be688afa21e96 | vesta_linux_amd64 |
f1b34889fae13db512a84f9fc48ba20b | vesta_windows_amd64.exe |
Notable Updates:
- `read-only-port` and `kubectl proxy` checking.
md5 | filename |
---|---|
90108eb6831d775c0c3acc7a39b45590 | vesta_darwin_amd64 |
4bedfce3d118c31242f02769ccd8fe1a | vesta_darwin_m1 |
f0089f76d4693241b6cd5d0fd299b7b9 | vesta_linux_amd64 |
e4af14cdd21c9d2cfc6af4b9324a2e4d | vesta_windows_amd64.exe |
Notable Updates:
md5 | filename |
---|---|
9d49884e7853464c3a04b3b8436e4ebc | vesta_darwin_amd64 |
dfe150c086c77fa6026075148483e43f | vesta_darwin_m1 |
237abd4c3985230131501e40bf95c1fc | vesta_linux_amd64 |
9d958437756f21dddabd7797e098f79c | vesta_linux_arm |
b9bb5ff87b80a558539c4b08fe1020a1 | vesta_windows_amd64.exe |