Kyverno security audit 2023 findings and report
4th December, 2023
We are happy to announce the results of our security audit of the Kubernetes admission controller Kyverno. The audit was a joing collaboration between the Ada Logics team, the Kyverno maintainers, the Open Source Technology Improvement Fund and the Cloud Native Computing Foundation. The audit included threat modelling, manual auditing, fuzzing and a supply-chain security assessment.
The auditing found 10 security issues in Kyvernos code base and third-party dependencies. 6 of these 10 issues were assigned the following CVE's:
| CVE # | Vulnerable Kyverno Component | CVE Severity |
|---|---|---|
| CVE-2023-42813 | Notary Verifier | Moderate |
| CVE-2023-42814 | Notary Verifier | Low |
| CVE-2023-42815 | Notary Verifier | Low |
| CVE-2023-42816 | Notary Verifier | Moderate |
| CVE-2023-47630 | Notary Verifier | High |
| CVE-2023-46737 | Cosign (upstream) | Low |
Ada Logics wrote three new fuzzers for Kyverno. Earlier this year, Kyverno completed a fuzzing security audit during which Ada Logics added a continuous fuzzing suite for Kyverno that runs on OSS-Fuzz. During the current securtiy audit, Ada Logics added the three fuzzers to Kyvernos fuzzing suite so that they also run continuously. Two of the fuzzers test for policy bypasses, and the third tests complex text processing routines.
During the audit, we found that Kyverno uses the slsa-github-generator to release their artifacts. slsa-github-generator is an officially SLSA-maintained tool that builds Kyverno and generates SLSA3+ provenance. As such, Kyverno includes verifiable provenance along with its release artifacts, and consumers can verify the provenance against their Kyverno artifacts using the slsa-verifier prior to consuming.