Crossplane underwent a successful third party security audit by ADA Logics with the support of Open Source Technology Improvement Fund (OSTIF). Used by firms such as JP Morgan, Time Warner, and MIT Lincoln Lab, the project is considered Incubating at CNCF. Over the first half of 2023, the multi-cloud control plane for Kubernetes API was examined, reviewed, and tested before its v 1.13 release with fixes from this audit. With the ultimate goal of graduation in mind, the audit team had its work cut out for them.
A holistic, comprehensive audit of Core Crossplane and Crossplane Runtime repositories was performed by manual code auditing, a fuzzing suite review, the creation of a threat model, and a SLSA grade. As the threat model was built, the audit team was able to determine attack surfaces and pinch points to focus upon which directed the manual code review. For example, supply chain security issues that Crossplane experiences as an image and package manager exposes the project to the potential for threat actors to introduce supply chain attacks.
The fuzzing being performed in Crossplane (by thirteen fuzzers ADA Logics previously created for the project!) is critical to the ongoing, continuous monitoring of the security, health, and environment of the code. An additional four fuzzers were added during this audit with an additional fuzzer improved by way of increased code coverage.
Of the sixteen issues identified during the audit, fifteen were resolved by the Crossplane. This includes two CVEs that were found during the audit. First, a high severity finding that could allow image tampering was issued as CVE-2023-38495, and second, a low severity Denial-of-Service finding labeled CVE-2023-37900. In summation, 7 low, 8 medium, and 1 high finding were reported. The singular unfixed issue is located in the alpha features of Crossplane.
We are so grateful to the Crossplane team for their contributions, fixes, and investment in this audit’s execution. Further thanks to ADA Logics for their report and hard work on this project with us. It’s always a pleasure to collaborate with you. Finally, we would like to express our gratitude to CNCF for their financial support of this audit and ongoing open source security work.
Read the Final Report here.
Read ADA Logic’s blog at https://adalogics.com/blog/crossplane-security-audit-2023
Read Crossplane’s blog at https://blog.crossplane.io/security-audit-2023
Read CNCF’s blog here.