Hello! In fact, I think that Tigera should have never submitted this CVE as it makes not sense at all. Adding the fact that nobody from Tigera has ever reached to us regarding this CVE, this simply isn't a legit CVE. I'll submit a request to reject this CVE. Thank you for pointing to it. Maria On 3/9/23 09:02, Radu CARPA wrote:
Hi,
I allow myself to jump on this discussion. That CVE report is about attacking a kubernetes cluster running Calico (see the link in the `References to Advisories, Solutions, and Tools` section in the NIST CVE). By default, calico doesn't require password authentication for BGP connections. However, that can be enabled using the `nodeMeshPassword` on the `BGPConfiguration` resource. It can also be enabled on peers outside the cluster using the `password` field of the `BGPPeer` custom resource. I'm not sure if it's possible to enable it globally for the listening socket though. Moreover, Calico uses a self-patched, old, version of Bird. I believe 1.6.8.
I "think" that CVE was miss-labeled and shouldn't refer to bird as the source of the problem. I personally use Password authentication with bird without issues.
Regard, Radu
On 3/9/23 08:15, Ondrej Filip wrote:
On 09. 03. 23 5:14, William wrote:
On 09/03/2023 13:41, Robert Scheck wrote:
Hello,
Hi!
with https://bugzilla.redhat.com/show_bug.cgi?id=2176483, Red Hat pointed me today to CVE-2021-26928. https://nvd.nist.gov/vuln/detail/CVE-2021-26928 contains a reference to BIRD 2.0.7, but no link related to BIRD upstream.
Do you see any chance for some comments on it (at least here)? Not sure if MITRE adds it then as references at CVE-2021-26928.
I have a PDF of the Bird help documentation that I saved in 2019 (Fossies) that lists password authentication mechanisms as per RFC2385 with extra options for BSD systems. I'll defer to the Dev team on this for the final word, but someone has some crossed wires here.
Yes, this functionality was added in 1.0.12 (12 Nov 2008). So I do not understand this CVE.
Ondrej
Thank you.
Regards, Robert
Regards, William