Second Flux Security Audit has concluded

Flux just went through its second CNCF-funded Security Audit. Here we publicly release and discuss the report.

Precisely 2 years after performing our first security Audit, we had the chance to put Flux through a second audit this year, again facilitated by the CNCF and the Open Source Technology Improvement Fund. Trail of Bits partnered with us this time to make Flux even more secure. Flux passed the “General Availability” milestone earlier this year and the focus was on the features shipped in the Flux GA release.

The Flux maintainers and community are very grateful for the work put into this by everyone and the opportunity to grow and improve as a project. Thanks to Trail of Bits, notably Maciej Domański, Sam Alws, Sam Greenup and Jeff Braswell, who have always been extremely responsive during the process.


No new CVEs

Good news first: No new CVEs have been published for Flux in response to this second audit. Trail of Bits highlight that they found Flux was “well structured and generally written defensively” and the “audit uncovered only low- and informational-severity findings”, 10 in total. 8 of the discovered issues have been fixed as of publication of this announcement. From the remaining two issues to be fixed, one is in the process of being resolved and for the other one we have decided to accept the very low risk due to reasons mentioned in the report.

The assessment was kicked off with a list of 23 questions to be answered, circling around potential data leaks, security documentation, access control or denial of service vulnerabilities. Since the focus was on the GA components, the following parts of Flux have been put under scrutiny:

  • source-controller
  • kustomize-controller
  • notification-controller
  • Flux CLI
  • The pkg library, and git/gogit/fs in particular

Details on the discovered issues

You will find the full report here. The following table shows all the findings together with links to the pull requests fixing them:

1: SetExpiration does not set the expiration for the given keylowsource-controller#1185
2: Inappropriate string trimming functioninformationalnotification-controller#590
3: Go’s default HTTP client uses a shared value that can be modified by other componentslowflux2#4182
4: Unhandled error valueinformationalflux2#4181
5: Potential implicit memory aliasing in for loopsinformationalsource-controller#1257, notification-controller#627, flux2#4329
6: Directories created via os.MkdirAll are not checked for permissionsinformationaln/a
7: Directories and files created with overly lenient permissionsinformationalpkg#663, pkg#681, source-controller#1276, kustomize-controller#1005, flux2#4380
8: No restriction on minimum SSH RSA public key bit sizeinformationalflux2#4177
9: Flux macOS release binary susceptible to dylib injectionlowin progress
10: Path traversal in SecureJoin implementationundeterminedpkg#650, go-git/go-billy#31, go-git/go-billy#34

In addition to the pull requests linked above we also enabled security and quality CI checks through CodeQL via flux2#4121 to prevent any avoidable regressions.

Conclusion and next steps

From our perspective as Flux maintainers, 2 years feel like a lifetime. We added lots of new features and fixed even more bugs in that timeframe. That’s why we are particularly grateful that CNCF and OSTIF gave us the opportunity to let a team of security experts assess Flux another time. We are proud of having been able to learn from the first assessment and kept on making Flux more and more secure over these past 2 years, leading to only low- and informational-severity security findings within the GA components of Flux.

Our next milestone is the general availability of Flux’s Helm features and the subsequent general availability of the remaining Flux components. If you are interested in contributing to this, we are very much looking forward to working with you. We welcome contributions in helping resolve issues of the road, additional comments on our security posture and also welcome contributions in the form of extending our fuzzing infrastructure. Finally, if you have any additional security feedback, please come and talk to us.

Again we would like to thank the Cloud Native Computing Foundation for sponsoring the audit, the Open Source Technology Improvement Fund for the coordination and Trail of Bits for the careful review and advice during the audit period.

We are happy and proud to be part of this community!