Comments on CVE-2021-26928?

Maria Matejka maria.matejka at nic.cz
Fri Mar 10 00:09:03 CET 2023


Hello!

In fact, I think that Tigera should have never submitted this CVE as it 
makes no sense at all. Given that nobody from Tigera has ever 
reached out to us regarding this CVE, this simply isn't a legit CVE.

I'll submit a request to reject this CVE. Thank you for pointing it out.

Maria

On 3/9/23 09:02, Radu CARPA wrote:
> Hi,
> 
> I allow myself to jump on this discussion.
> That CVE report is about attacking a Kubernetes cluster running Calico 
> (see the link in the `References to Advisories, Solutions, and Tools` 
> section in the NIST CVE). By default, Calico doesn't require password 
> authentication for BGP connections. However, that can be enabled using 
> the `nodeMeshPassword` on the `BGPConfiguration` resource. It can also 
> be enabled on peers outside the cluster using the `password` field of 
> the `BGPPeer` custom resource. I'm not sure if it's possible to enable 
> it globally for the listening socket though. Moreover, Calico uses a 
> self-patched, old version of Bird, I believe 1.6.8.
> 
> I "think" that CVE was mislabeled and shouldn't refer to bird as the 
> source of the problem.
> I personally use password authentication with bird without issues.
> 
> Regards,
> Radu
> 
> On 3/9/23 08:15, Ondrej Filip wrote:
>> On 09. 03. 23 5:14, William wrote:
>>> On 09/03/2023 13:41, Robert Scheck wrote:
>>>> Hello,
>>
>> Hi!
>>
>>>>
>>>> with https://bugzilla.redhat.com/show_bug.cgi?id=2176483, Red Hat pointed
>>>> me today to CVE-2021-26928. 
>>>> https://nvd.nist.gov/vuln/detail/CVE-2021-26928
>>>> contains a reference to BIRD 2.0.7, but no link related to BIRD upstream.
>>>>
>>>> Do you see any chance for some comments on it (at least here)? Not sure if
>>>> MITRE adds it then as references at CVE-2021-26928.
>>>
>>> I have a PDF of the Bird help documentation that I saved in 2019 
>>> (Fossies) that lists password authentication mechanisms as per 
>>> RFC2385 with extra options for BSD systems.  I'll defer to the Dev 
>>> team on this for the final word, but someone has some crossed wires 
>>> here.
>>
>> Yes, this functionality was added in 1.0.12 (12 Nov 2008). So I do not 
>> understand this CVE.
>>
>>     Ondrej
>>
>>>
>>>>
>>>> Thank you.
>>>>
>>>>
>>>> Regards,
>>>>   Robert
>>>
>>> Regards,
>>> William
>>
> 
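
As an added illustration (not part of the thread above, and not configuration shipped by the BIRD project or by Calico), here is what the RFC 2385 password authentication that Ondrej and William refer to looks like in a BIRD 2 configuration. The router ID, addresses, AS numbers and the password are constructed placeholders; the first protocol block shows the unauthenticated default for contrast with the second.

```bird
# Added example, not from the mailing-list thread. Router ID, addresses,
# AS numbers and the password are constructed placeholders.

router id 192.0.2.1;

# Unauthenticated session (the default when no "password" is given):
# any host that can reach 192.0.2.1:179 while spoofing or holding
# 192.0.2.2 can bring up a session and inject routes.
protocol bgp open_peer {
    local 192.0.2.1 as 65001;
    neighbor 192.0.2.2 as 65002;
    ipv4 { import all; export all; };
}

# Same kind of session protected with a TCP MD5 signature (RFC 2385).
# Both ends must configure the identical password; segments with a
# missing or wrong signature are dropped by the kernel before the BGP
# state machine ever sees them.
protocol bgp signed_peer {
    local 192.0.2.1 as 65001;
    neighbor 203.0.113.2 as 65003;
    password "correct horse battery staple";   # placeholder secret
    ipv4 { import all; export all; };
}
```

Calico exposes this same BIRD option through the `nodeMeshPassword` field on `BGPConfiguration` and the `password` field on `BGPPeer`, as Radu describes above. In both BIRD and Calico the default is no password, so the secret has to be set explicitly and identically on both ends of every session that should be protected.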


More information about the Bird-users mailing list