Crossplane completes fuzzing security audit

Crossplane is happy to announce the successful completion of our fuzzing security audit. The work was carried out by the team at Ada Logics, supported by Crossplane contributor Philippe Scorsolini, and was sponsored by the CNCF as part of an initiative to bring fuzzing to the CNCF landscape. The audit resulted in the authoring of 13 fuzzers and found 4 issues within two key Crossplane projects.

One of the issues found was a security issue that affected the core Crossplane project and its key dependency crossplane-runtime. Two CVE’s were assigned for this issue:

  • CVE-2023-27483
  • CVE-2023-27484

The full report for the audit can be found in the security folder of the Crossplane repository.

What is Crossplane?

Crossplane is a framework for building cloud native control planes without needing to write code. It has a highly extensible backend (providers) that enables you to build a control plane that can orchestrate applications and infrastructure no matter where they run, and a highly configurable frontend (compositions) that puts you in control of the schema of the declarative API it offers.

Crossplane is currently an Incubation level project in the CNCF.  While the project has reached a stable v1 milestone and has been declared ready for production deployments, Crossplane will continue to mature and harden.  A key part of this maturation process is partnering with the CNCF and Ada Logics to improve our security posture, identify vulnerabilities, and ensure they are responsibly disclosed and fixed. The investment into fuzzing described in this post is a key portion of our overall security effort, and is the start of much more to come.

What is Fuzzing?

Fuzzing is a technique for testing software, whereby pseudo-random data is passed to an application with the purpose of finding bugs and security vulnerabilities. The pseudo-random data is created by a fuzzing engine and is not really random; The fuzzing engine will generate and store inputs - also called “testcases” - that explore new coverage in the target application and mutate over these to generate new inputs. Fuzzing has proven effective in finding reliability bugs and security vulnerabilities in a vast range of different types of software projects including many other CNCF-hosted projects.

An important element of a strong fuzzing suite is the element of continuity; It is crucial that the fuzzers run continuously. To achieve this, Crossplane integrated into OSS-Fuzz project which is an open source project by Google that offers critical open source projects to run their fuzzers continuously and notify the maintainers of the project if any bugs are found. OSS-Fuzz runs the fuzzers with excessive resources and keeps running the fuzzers as long as the projects are integrated.  Ada Logics integrated Crossplane into OSS-Fuzz at the beginning of the audit, so that the fuzzers would run continuously during the audit itself as well as after it had concluded.

Issues found

The fuzzing suite found 4 issues during the fuzzing audit. One of these issues was a security vulnerability that allowed a partially-untrusted user to control the amount of memory crossplane-runtime would allocate at a certain state which can lead to a denial of service by way of resource exhaustion. The issue affected both crossplane-runtime and Crossplane, and the Crossplane team created two advisories for the issue:

The fix for this vulnerability was released to the public as a set of patch releases for all supported Crossplane versions, including the most recent releases of crossplane-runtime v0.19.2 and Crossplane v1.11.2.

How to get involved

Crossplane is a community driven project and we welcome you to join the community and contribute through a variety of opportunities, such as opening and commenting on issues, joining the community meetings, sharing your adoption story, and providing feedback on design docs and pull requests.

In the area of security specifically, we encourage and greatly appreciate vulnerability reports to be disclosed following our security disclosure process.

We love to hear from the community, as they are exactly what makes this project great. Whether you are a developer, user, or just interested in what we're up to, feel free to join us via one of the following methods:

Keep up with Upbound

* indicates required