How to use SUSE Rancher Prime’s CVE Portal

This document (000021646) is provided subject to the disclaimer at the end of this document.

Environment

The information applies to the following SUSE products:

- Rancher Prime
- RKE
- RKE2
- K3s
- Harvester
- Longhorn
- NeuVector


Situation

Information about security vulnerabilities (CVEs, Common Vulnerabilities and Exposures) affecting the container images published by SUSE Rancher Prime and the products listed above was previously published in SUSE's CVE database pages. Because each product release uses a large number of images, it can be hard to navigate those pages and quickly identify every vulnerability affecting one image or one release, to query by severity or by affected package and version, or simply to export the raw data.

Resolution

The SUSE Rancher Prime Security team now publishes all critical and high severity CVEs affecting the listed products on a new CVE portal at scans.rancher.com. The portal is the source of truth for all applicable CVEs in the latest version and the development branch of each release line of the listed products. Older patch versions and versions that are no longer supported (EOL) are not scanned. Before CVEs are published, known false positives are removed using Rancher's VEX Hub. For more about VEX, see the KB article 'How to use SUSE Rancher's VEX Reports'.

Scope:

The following types of CVEs are listed in the portal:

  1. CVEs that directly affect source code dependencies used by our applications, or third-party upstream binaries that we import into our images. Example: CVEs in Rancher's Go dependencies.

  2. CVEs that affect OS-level packages inside the container images we build or mirror from third-party upstream. Examples: CVEs affecting the `curl` and `openssl` packages.

Note: public CVEs reported against Rancher Prime's own source code (i.e., CVEs in our application layer) are published in Rancher's security documentation page, not in the portal.

Additional Information

The reports and public pages are regenerated daily as static HTML pages from the public rancher/scans repository. All data is provided by SUSE under the Creative Commons Attribution license (CC-BY-4.0). The reports are produced by an internal CVE scanning automation, built on Trivy and developed by the SUSE Rancher Prime Security team.

For convenience, especially in air-gapped environments, all files in the repository's docs directory can be downloaded and browsed locally.

Although we track CVEs of all severities internally, for the moment we publicly report only critical and high severity issues that are considered applicable to and affecting our images. Known false-positive CVEs removed via VEX are not listed. For more on how we triage CVEs in software dependencies, see the KB article 'SUSE Rancher's CVE Triage Workflow for Software Dependencies'.

Note about ETAs for CVE fixes:

The CVE portal doesn’t provide a date (ETA) for when the listed CVEs will be fixed.

How to use the CVE portal

The main page of the CVE portal lists every version of the SUSE Rancher products that is scanned. Each version links to three types of results:

  • The first link points to the page listing all CVEs in that product and version.

  • The second link is the raw CSV report of those CVEs with full details.

  • The third link is a per-image summary of the CVEs in that product and version, aggregated by severity, also in CSV format.

The main CVE results page shows every CVE affecting the selected product and version in detail. The search field filters the table on any column shown in its header:

  • image, searchable with or without its tag;

  • mirrored: whether the image is pulled unmodified from upstream (true/false);

  • release;

  • affected package name;

  • affected package version;

  • vulnerability type: the language ecosystem (for example gobinary) or the container OS;

  • vulnerability ID: CVE, GHSA, SUSE-SU, etc.;

  • severity;

  • target: the actual affected binary.

Considerations

  • A mirrored image is an image pulled as is from its third-party upstream developer, without any modification by SUSE. Examples are the CNI and SIG images published by the Kubernetes project. Such images carry the mirrored- prefix (with a dash) in their name.

  • The CVE you scanned and identified may already be fixed in one of the development versions. First check whether the CVE is still present in the latest development version (head, dev or master) of the release line you are using. Because released container image tags are immutable, CVEs are only fixed in the current development version and the new tags it produces, never in already released versions and tags.

  • SUSE follows the industry standard CVSS (Common Vulnerability Scoring System) for vulnerability management and for rating CVEs. CVSS measures the severity of a vulnerability, not the risk it poses to a specific deployment. Scoring involves analyst judgement, so the final score can differ slightly between vendors affected by the same vulnerability.

  • The severity (CVSS rating) of some CVEs in the portal may differ from the severity reported by the original vendor or by security scanners. SUSE recalculates the CVSS rating using criteria such as whether the issue applies to our products, how difficult it is to exploit in the wild, and how it actually affects the confidentiality, integrity and availability of SUSE's products. CVEs whose CVSS severity was changed, either decreased or increased, carry a distinctive tag in the portal.

  • Because an image's version and tag change between an already released version and the current development version, search first by the image name only, without its tag. Searching for an exact tagged image may return nothing, because that tag was already bumped in the current development version.
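The searches described above (the table fields, the per-image severity summary of the third link, and the recommendation to search by image name without its tag) can also be run offline against a downloaded CSV report, which is useful in air-gapped environments. The following Python script is an added example and is not part of this KB or of the rancher/scans project. Its column names are an assumption chosen to match the fields the KB lists (check the header of the CSV you downloaded), and the embedded sample rows are constructed placeholders, not findings about any product.

```python
"""Work with a downloaded CVE portal CSV report offline.

Added example; it is not part of this KB or of the rancher/scans project.
The column names in COLUMNS are an ASSUMPTION chosen to match the fields
the KB lists; check the header of the CSV you downloaded and adjust them.
"""
import csv
import io
from collections import Counter, defaultdict

# Assumed header, one column per field the KB describes (not the real header).
COLUMNS = ["image", "mirrored", "release", "package", "package_version",
           "type", "vulnerability_id", "severity", "target"]

# Constructed sample data. Images, versions and CVE IDs are placeholders
# (no CVE can carry the year 2099); they are not findings about any product.
# CVE-2099-0001 is listed only for the released tag, i.e. already fixed in
# the head tag; CVE-2099-0002 is still open in both.
SAMPLE_CSV = """\
image,mirrored,release,package,package_version,type,vulnerability_id,severity,target
example/product:v1.2.3,false,v1.2,golang.org/x/crypto,v0.1.0,gobinary,CVE-2099-0001,CRITICAL,usr/bin/product
example/product:v1.2.3,false,v1.2,openssl,3.1.4,os,CVE-2099-0002,HIGH,example/product:v1.2.3 (sles 15.6)
example/product:v1.2-head,false,v1.2,openssl,3.1.4,os,CVE-2099-0002,HIGH,example/product:v1.2-head (sles 15.6)
example/mirrored-cni-plugin:v1.0.0,true,v1.2,curl,8.1.0,os,CVE-2099-0003,HIGH,example/mirrored-cni-plugin:v1.0.0 (alpine 3.19)
"""


def parse_report(text):
    """Parse a report (the CSV behind the second link) into dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def image_name(ref):
    """Drop tag and digest: 'reg:5000/ns/img:v1@sha256:..' -> 'reg:5000/ns/img'.
    Only a colon after the last slash is a tag separator (registry ports keep theirs)."""
    ref = ref.split("@", 1)[0]
    colon = ref.rfind(":")
    return ref[:colon] if colon > ref.rfind("/") else ref


def search(rows, term):
    """Case-insensitive substring match over every column, like the portal's search box."""
    term = term.lower()
    return [r for r in rows if any(term in (v or "").lower() for v in r.values())]


def filter_rows(rows, **criteria):
    """Exact, case-insensitive match on named columns (severity="critical", mirrored="true").
    For image=... the value may be given with or without a tag; the untagged form
    matches every tag of that image, which is the search the KB recommends first."""
    out = []
    for r in rows:
        for col, want in criteria.items():
            want = str(want).lower()
            if col == "image":
                hit = want in {r["image"].lower(), image_name(r["image"]).lower()}
            else:
                hit = (r.get(col) or "").lower() == want
            if not hit:
                break
        else:  # no criterion failed
            out.append(r)
    return out


def summary_per_image(rows):
    """CVE counts per image and severity, like the portal's third (summary) CSV."""
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["image"]][r["severity"].upper()] += 1
    return {img: dict(c) for img, c in summary.items()}


def tags_affected(rows, cve_id, image):
    """Tags of `image` (name given without tag) that still list `cve_id`.
    If the release line's head/dev tag is missing from the result, the CVE is
    already fixed in development and will ship with the next release."""
    return sorted({r["image"] for r in rows
                   if r["vulnerability_id"].upper() == cve_id.upper()
                   and image_name(r["image"]) == image})


if __name__ == "__main__":
    rows = parse_report(SAMPLE_CSV)
    print(summary_per_image(rows))
    print(tags_affected(rows, "CVE-2099-0001", "example/product"))  # fixed in head
    print(tags_affected(rows, "CVE-2099-0002", "example/product"))  # still open in head
```

To use it on a real report, replace SAMPLE_CSV with the contents of the downloaded CSV and rename the keys in COLUMNS and in the functions to the header the file actually carries. The tag handling in image_name is the important detail: a registry port such as registry.example.com:5000 also contains a colon, so only a colon after the last slash is treated as the tag separator.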

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021646
  • Creation Date: 12-Dec-2024
  • Modified Date: 16-Dec-2024
  • Products:
    • SUSE Rancher Harvester
    • SUSE Rancher
    • SUSE Rancher Longhorn
    • SUSE NeuVector
