OSTIF is happy to announce the completion of Knative’s security audit. The audit covered the core Knative subprojects, Eventing, Serving and Pkg, with a minor focus on the Knative extensions, Func and Security-Guard. The audit was holistic, covering threat modeling, manual code auditing and supply-chain risks. The engagement was conducted by Ada Logics, who worked in close collaboration with the Knative maintainers. The audit was made possible with funding by the Cloud Native Computing Foundation.
Ada Logics found 16 security issues ranging from Informational to High in severity. One of these issues was a vulnerability in Knative Serving that could allow an attacker who already holds an escalated position in a Knative deployment to cause a denial of service against core components of that deployment. The issue was assigned CVE-2023-48713 with a Moderate severity rating, and the Knative maintainers have fixed the vulnerability in Serving v1.12.0 and v1.11.3.
The remaining issues range from security-relevant documentation that would encourage community-driven security work, to supply-chain issues, to other code issues. The audit found supply-chain issues both at the code level in multiple Knative subprojects and in Knative’s software development life cycle. The former could allow attackers who have compromised Knative’s supply chain to escalate their position into the systems of Knative users; regarding the latter, Knative’s software development life cycle, Ada Logics found that Knative can drastically reduce its supply-chain risk by publishing verifiable provenance with its releases. Signed provenance makes releases tamper-evident: a consumer can check that the artifacts in their Knative workloads are the ones Knative’s release pipeline actually built, from the intended source, rather than something substituted along the way.
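To make the provenance recommendation concrete, here is what the consumer side of that check looks like. This is an added example written for this post, not code from Knative, Ada Logics or OSTIF. It assumes the release ships a SLSA v1.0 provenance statement in the in-toto Statement v1 layout as emitted by the slsa-github-generator (builder ID under `runDetails.builder.id`, source workflow under `buildDefinition.externalParameters.workflow`), and it assumes the statement’s signature has already been verified separately (for example with slsa-verifier or cosign) before the content is trusted. The repository URL, artifact name, builder ID and artifact bytes are constructed placeholders, not Knative’s real release data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// statement is the subset of an in-toto Statement (v1) with a SLSA v1
// provenance predicate that a consumer needs for an artifact check.
// The field layout is an assumption based on the SLSA v1.0 spec as
// emitted by slsa-github-generator.
type statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []subject `json:"subject"`
	Predicate     struct {
		BuildDefinition struct {
			ExternalParameters struct {
				Workflow struct {
					Repository string `json:"repository"`
					Ref        string `json:"ref"`
				} `json:"workflow"`
			} `json:"externalParameters"`
		} `json:"buildDefinition"`
		RunDetails struct {
			Builder struct {
				ID string `json:"id"`
			} `json:"builder"`
		} `json:"runDetails"`
	} `json:"predicate"`
}

type subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// policy is what the consumer decides to trust: which builder may have
// produced the release and which source repository/ref it must come from.
type policy struct {
	BuilderIDPrefix string
	SourceRepo      string
	SourceRef       string // empty means any ref is accepted
}

// verifyProvenance checks that the downloaded artifact bytes are exactly what
// the (already signature-verified) provenance attests to, and that the
// attested builder and source satisfy the consumer's policy.
func verifyProvenance(provJSON []byte, artifactName string, artifact []byte, pol policy) error {
	var st statement
	if err := json.Unmarshal(provJSON, &st); err != nil {
		return fmt.Errorf("parse provenance: %w", err)
	}
	if st.Type != "https://in-toto.io/Statement/v1" {
		return fmt.Errorf("unexpected statement type %q", st.Type)
	}
	if st.PredicateType != "https://slsa.dev/provenance/v1" {
		return fmt.Errorf("unexpected predicate type %q", st.PredicateType)
	}
	// Recompute the artifact digest locally; never trust a digest shipped next to the artifact.
	sum := sha256.Sum256(artifact)
	got := hex.EncodeToString(sum[:])
	matched := false
	for _, s := range st.Subject {
		if s.Name != artifactName {
			continue
		}
		want, ok := s.Digest["sha256"]
		if !ok {
			return fmt.Errorf("subject %q carries no sha256 digest", s.Name)
		}
		if !strings.EqualFold(want, got) {
			return fmt.Errorf("digest mismatch for %q: provenance %s, artifact %s", s.Name, want, got)
		}
		matched = true
	}
	if !matched {
		return fmt.Errorf("artifact %q is not a subject of this provenance", artifactName)
	}
	if b := st.Predicate.RunDetails.Builder.ID; !strings.HasPrefix(b, pol.BuilderIDPrefix) {
		return fmt.Errorf("untrusted builder %q", b)
	}
	w := st.Predicate.BuildDefinition.ExternalParameters.Workflow
	if w.Repository != pol.SourceRepo {
		return fmt.Errorf("built from %q, expected %q", w.Repository, pol.SourceRepo)
	}
	if pol.SourceRef != "" && w.Ref != pol.SourceRef {
		return fmt.Errorf("built from ref %q, expected %q", w.Ref, pol.SourceRef)
	}
	return nil
}

// sampleProvenance builds a constructed statement for the given artifact so the
// example runs offline; a real consumer downloads the provenance with the release.
func sampleProvenance(name string, artifact []byte, builderID, repo, ref string) []byte {
	sum := sha256.Sum256(artifact)
	return []byte(fmt.Sprintf(`{
  "_type": "https://in-toto.io/Statement/v1",
  "predicateType": "https://slsa.dev/provenance/v1",
  "subject": [{"name": %q, "digest": {"sha256": %q}}],
  "predicate": {
    "buildDefinition": {"externalParameters": {"workflow": {"repository": %q, "ref": %q}}},
    "runDetails": {"builder": {"id": %q}}
  }
}`, name, hex.EncodeToString(sum[:]), repo, ref, builderID))
}

func main() {
	// Constructed placeholder values, not Knative's real release data.
	art := []byte("constructed release artifact bytes")
	builder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0"
	prov := sampleProvenance("project-v1.0.0.tar.gz", art, builder, "https://github.com/example/project", "refs/tags/v1.0.0")
	pol := policy{BuilderIDPrefix: "https://github.com/slsa-framework/slsa-github-generator/", SourceRepo: "https://github.com/example/project"}
	fmt.Println("genuine artifact:", verifyProvenance(prov, "project-v1.0.0.tar.gz", art, pol))
	fmt.Println("tampered artifact:", verifyProvenance(prov, "project-v1.0.0.tar.gz", append(art, '!'), pol))
}
```

The two policy fields are the part that actually stops a supply-chain substitution: a digest match alone only proves the artifact and the provenance agree with each other, while pinning the builder identity and source repository proves the pair was produced by the release pipeline you expect rather than by an attacker who can also mint provenance.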
The audit found that Knative has a good SAST setup for Serving, Eventing and Pkg, its core subprojects, but that other projects such as Security-Guard and the Knative extensions lack a comparable setup. During the audit, Ada Logics found issues in Security-Guard and the Knative extensions that such a SAST suite would have caught. The auditors therefore recommend maintaining a SAST suite equivalent to that of Serving, Eventing and Pkg across the entire Knative ecosystem. It should be noted that the core subprojects, Serving, Eventing and Pkg, are the most mature projects in the Knative ecosystem, and that many of the Knative extension projects and Security-Guard are in Alpha or Beta or are not yet used in production.
We would like to thank Evan Anderson and David Hadas with Knative as well as the team of maintainers who worked with this engagement for their time, efforts, and commitment to the success of this audit. Further thanks to the Ada Logics team for their hard work and contributions to this project, the audit, and security efforts in open source. Their continued work with OSTIF and the CNCF is an incredible resource and aid to the community. Finally, we would like to thank the Cloud Native Computing Foundation for their financial and administrative support of this and many other open source security audits this year.
Read the audit report HERE
Read Knative’s blog HERE