
TLS and Cipher vulnerabilities reported in seldon webhook #4923

Open
@chidambaranathan-r

Description


Describe the bug

We found the vulnerabilities below while scanning Seldon Core 1.16.0 deployed on Kubernetes 1.24.x using Tenable-SC.

Issue 1:

TLS version 1.0 and 1.1 protocol detection on the Seldon webhook port

Plugin ID: 104743
Plugin Output: TLSv1 is enabled and the server supports at least one cipher.

Plugin ID: 121010
Plugin Output: TLSv1.1 is enabled and the server supports at least one cipher.

Issue 2:

SSL medium-strength cipher suites supported (SWEET32) on the Seldon webhook port

Plugin ID: 42873
Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                    Code        KEX   Auth  Encryption      MAC
----------------------  ----------  ----  ----  --------------  ----
ECDHE-RSA-DES-CBC3-SHA  0xC0, 0x12  ECDH  RSA   3DES-CBC(168)   SHA1
DES-CBC3-SHA            0x00, 0x0A  RSA   RSA   3DES-CBC(168)   SHA1

The fields above are:
{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

We looked at the Seldon Core operator code and could not find any configuration to set the minimum TLS version.
Could you please guide us on the above so that we can set the minimum TLS version to >= 1.2?

To reproduce

  1. Install seldon core
  2. Scan with the Tenable-SC tool or any other tool that can detect TLS version anomalies.

Expected behaviour

There should be a configuration option that allows configuring the minimum TLS version and cipher suites.

Environment

K8s 1.24
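Added example (editor's code, not Seldon Core's, and it makes no claim about where the operator builds its webhook server): the server-side policy the report asks for, expressed with Go's standard crypto/tls, beside a constructed stand-in for the weak configuration the scan observed. It raises MinVersion to TLS 1.2 and pins an ECDHE/AEAD cipher list, then replays the scanner's three probes against a loopback listener: a TLS 1.0-only client, a TLS 1.2 client offering nothing but ECDHE-RSA-DES-CBC3-SHA, and a default client. The self-signed certificate, the legacy config and the client policies are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hardenedTLSConfig is the policy the issue asks for: TLS 1.2 as the floor and an explicit
// ECDHE+AEAD cipher list, so TLSv1/TLSv1.1 (Tenable 104743, 121010) and the 3DES suites
// behind SWEET32 (42873) can no longer be negotiated. The cert here is RSA; add the
// TLS_ECDHE_ECDSA_* equivalents if the webhook certificate is ECDSA.
func hardenedTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		// CipherSuites only governs TLS 1.2; TLS 1.3 suites are fixed by crypto/tls and are all AEADs.
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// legacyTLSConfig is a constructed stand-in for what the scan saw: a TLS 1.0 floor with
// ECDHE-RSA-DES-CBC3-SHA (0xC0,0x12) still enabled. It exists only for comparison.
func legacyTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA},
	}
}

// Client policies imitating the scanner's probes. InsecureSkipVerify is set because, like the
// scanner, we only care about what the server is willing to negotiate, not who it is.
func tls10Client() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS10}
}
func sweet32Client() *tls.Config { // a TLS 1.2 handshake offering nothing but the 3DES suite
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA}}
}
func modernClient() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// probe completes one handshake against a loopback listener running srv and returns the
// negotiated protocol version and cipher suite, or the handshake error if the server refused.
func probe(srv, cli *tls.Config) (version, suite uint16, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	go func() { // server side: accept one connection and run (or refuse) the handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return 0, 0, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

// selfSignedCert creates a throwaway RSA certificate so the example runs offline.
func selfSignedCert() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "webhook-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	servers := map[string]*tls.Config{"legacy": legacyTLSConfig(cert), "hardened": hardenedTLSConfig(cert)}
	clients := map[string]*tls.Config{"TLSv1.0": tls10Client(), "3DES-only": sweet32Client(), "default": modernClient()}
	for sn, s := range servers {
		for cn, c := range clients {
			if v, cs, err := probe(s, c); err != nil {
				fmt.Printf("%-8s <- %-9s refused: %v\n", sn, cn, err)
			} else {
				fmt.Printf("%-8s <- %-9s negotiated 0x%04x %s\n", sn, cn, v, tls.CipherSuiteName(cs))
			}
		}
	}
}
```

The legacy listener accepts both the TLSv1.0 probe and the 3DES-only probe, which is exactly what the two Tenable findings report; the hardened listener refuses both with a protocol-version or handshake-failure alert and still completes a normal handshake with the default client. How such a *tls.Config reaches the operator's webhook server depends on the library and version the operator uses to build that server; the two settings to expose are MinVersion and CipherSuites.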
