Open Source Technology Improvement Fund (ostif.org) is thrilled to report the results of a security audit of KubeEdge. KubeEdge is an edge computing framework built on top of Kubernetes that extends native containerized application orchestration and management to hosts at the edge.
The result of this engagement is the finding and fixing of multiple medium severity issues, a threat model for the project, and integration into OSS-Fuzz. 10 fuzzers in total were written, and these fuzzers were set up to run in CI for pull requests. Several issues were found by the fuzzers, including 2 of the 8 CVEs.
The KubeEdge team demonstrated a strong commitment to security and was fast to reproduce crashes and respond with patches. This type of engagement and collaboration from project maintainers makes the security audit process more effective and impactful. We thank Kevin Wang, Fisher Xu, Vincent Lin and everyone who helped with this engagement.
Thank you to the Cloud Native Computing Foundation (CNCF) for funding this audit and entrusting Open Source Technology Improvement Fund to facilitate it. Special thanks to David Korczynski and Adam Korczynski of Ada Logics for conducting the audit.
Everyone around the world depends on OSS. We’d love to do more security audits to proactively find and fix vulnerabilities! If you’re interested in financially supporting this work, contact [email protected].
The Ada Logics Blog: https://adalogics.com/blog/kubeedge-security-engagement
The Cloud Native Computing Foundation Blog: https://www.cncf.io/blog/2022/07/11/ostifs-audit-of-kubeedge-is-complete-multiple-security-issues-found-and-fixed/
KubeEdge Blog: https://kubeedge.io/en/blog/security-threat-model/
KubeEdge security advisories: https://github.com/kubeedge/kubeedge/security/advisories
Information about all of our projects can be found on our GitHub page: https://github.com/ostif-org/OSTIF/blob/main/Completed-Engagements.md