Is stunner FedRamp compliant?
Closed this issue ยท 11 comments
Just a random question, does any body know if stunner will be approved to run in AWS FedRamp and then pass the audit? Any thoughts would be welcomed.
Currently there's no plan due to a lack of resources and financing, but we're not against it at all if there is a strong interest. Could you please give us motivations to go down that path? Is the lack if an audit blocking you from adopting STUNner?
Could you please give us motivations to go down that path?
We are just exploring what to use for our new feature, we wanted to go with Coturn to run our own infrastructure for WebRTC, but we want the flexibility of what Stunner offers in k8s. So, we are just exploring our options at this point.
Is the lack if an audit blocking you from adopting STUNner?
no, nothing is blocking us at the moment, I'm thinking ahead of what might block us, I'll let you know if there will be any issues with the audit, if we got with STUNner.
Thanks. One minor note: if you aim to deploy into Kubernetes then don't mess with coturn, STUNner is much better suited for anything cloud-native. So the question is not "coturn vs STUNner", but rather "shall we use Kubernetes for hosting our WebRTC service"? If the answer is no then coturn may be the better option. But if it's Kubernetes, then supporting coturn (let alone automatically scaling) will be an endless pain.
Just my (biased) 2 cents of course.
Feel free to reopen if anything new comes up. We really need your input on this
if you aim to deploy into Kubernetes then don't mess with coturn, STUNner is much better suited for anything cloud-native. So the question is not "coturn vs STUNner", but rather "shall we use Kubernetes for hosting our WebRTC service"? If the answer is no then coturn may be the better option. But if it's Kubernetes, then supporting coturn (let alone automatically scaling) will be an endless pain.
Exactly, we want to have it running in k8s for several reasons (start new project in a container environment as well as make a POC of k8s internally using this).
Feel free to reopen if anything new comes up. We really need your input on this
Definitely, will get back to you once things progress and if/when will do the assessment I'll update you.
Do you happen to have an example for the k8s manifest file that will setup STUNner similarly to coturn where two clients will be connected from anywhere? and we will have many clients connected. I got something working so far, but still trying to learn how STUNner work and also how k8s work, this is a new thing our company want to experiment.
This is what I have so far. Do you see any issues with this setup?:
apiVersion: v1
kind: Namespace
metadata:
name: stunner
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: stunner-gatewayclass
spec:
controllerName: "stunner.l7mp.io/gateway-operator"
parametersRef:
group: "stunner.l7mp.io"
kind: GatewayConfig
name: stunner-gatewayconfig
namespace: stunner
description: "STUNner is a WebRTC media gateway for Kubernetes"
---
apiVersion: stunner.l7mp.io/v1
kind: GatewayConfig
metadata:
name: stunner-gatewayconfig
namespace: stunner
spec:
realm: stunner.l7mp.io
authRef:
name: stunner-auth-secret
namespace: stunner
---
apiVersion: v1
kind: Secret
metadata:
name: stunner-auth-secret
namespace: stunner
type: Opaque
stringData:
type: "ephemeral"
secret: "VERYSECURESTRING"
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: udp-gateway
namespace: stunner
spec:
gatewayClassName: stunner-gatewayclass
listeners:
- name: udp-listener
port: 3478
protocol: TURN-UDP
- name: tcp-listener
port: 3479
protocol: TURN-TCP
---
apiVersion: stunner.l7mp.io/v1
kind: StaticService
metadata:
name: static-svc
namespace: stunner
spec:
prefixes:
- "0.0.0.0/0"
---
apiVersion: stunner.l7mp.io/v1
kind: UDPRoute
metadata:
name: media-plane-route
namespace: stunner
spec:
parentRefs:
- name: udp-gateway
- name: tcp-gateway
rules:
- backendRefs:
- name: static-svc
namespace: stunner
This setup will work only if you want to deploy STUNner over a public IP, but then you will have to deploy the dataplane into the host-network namespace like this:
apiVersion: stunner.l7mp.io/v1
kind: Dataplane
metadata:
name: default
spec:
command:
- stunnerd
args:
- -w
- --udp-thread-num=32
image: l7mp/stunnerd:dev
hostNetwork: true
resources:
limits:
cpu: 6 # make this as big as your nodes support
memory: 2Gi # ditto
requests:
cpu: 6 # ditto
memory: 2Gi # ditto
However, this is not the way most people deploy STUNner and very often it may not work as expected (in Kubernetes you never run pods on public IPs: it's not needed). So we recommend a better model that we call symmetric ICE mode: let all clients create a TURN allocation and let STUNner connect them. For this you don't need public IPs at all (apart from the single IP provided by the cloud load-balancer that is shared by all STUNner pods). Here is a detailed walkthrough to implement this.
Hi @maksimu,
Just a couple of comments from my side, maybe it will help you during your planning.
But first of all, let me state that the whole STUNner team is from the EU, so in general we have a very shallow knowlege with US public regulations :)
From the information I found about FedRAMP, I can say the following: FedRAMP is standardized security assessment, authorization, and continuous monitoring process for Cloud Service Provider (CSP), when they want to offer their managed services for US public entities. In our case, I feel this does not apply for STUNner, since we do not offer (yet :) ) a managed cloud service based on STUNner.
I image that you would use STUNner in a Kubernetes environment running inside one of the major cloud providers: AWS, Azure or GCP, all these are FedRAMP complient.
Then the question comes down to whether you can use STUNner as an open source project inside that Kubernetes environment. From what I could find on the internet, an open-source project should follow security best practices and adhere to relevant security standards defined by NIST so that a US public entity could use it.
This NIST standard has many things defined, but a couple of relevant issues here:
- The project should have a permissive and well-known open-source license, ensuring that it can be used and modified without legal issues (e.g. Apache2 or MIT).
- Regularly scanning for and patching known vulnerabilities helps mitigate the risk of exploitation
On the license part STUNner is good to go, since we use MIT, whereas Coturn uses a non-standard license, so you might need to take a look on that.
On the vulnerabilities part I can also say that we're regulary do container scans on the latest relases and they do not have any know vulnerabilities (and probably we sould do a better job in publish these results). Whereas in Cotur's case, the latest release does contain some high risk vulnerabilities. Here are some scan results using Trivy:
controlplane $ trivy image l7mp/stunnerd
2024-02-09T08:33:59.831Z INFO Number of language-specific files: 0
controlplane $ trivy image l7mp/stunner-gateway-operator
2024-02-09T08:34:05.249Z INFO Detected OS: debian
2024-02-09T08:34:05.250Z INFO Detecting Debian vulnerabilities...
2024-02-09T08:34:05.253Z INFO Number of language-specific files: 0
l7mp/stunner-gateway-operator (debian 11.8)
===========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
controlplane $ trivy image coturn/coturn
2024-02-09T08:34:22.424Z INFO Detected OS: debian
2024-02-09T08:34:22.425Z INFO Detecting Debian vulnerabilities...
2024-02-09T08:34:22.452Z INFO Number of language-specific files: 0
coturn/coturn (debian 12.4)
===========================
Total: 76 (UNKNOWN: 8, LOW: 60, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| apt | CVE-2011-3374 | LOW | 2.6.1 | | It was found that apt-key in apt, |
| | | | | | all versions, do not correctly... |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| bsdutils | CVE-2022-0563 | | 2.38.1-5 | | util-linux: partial disclosure |
| | | | | | of arbitrary files in chfn |
| | | | | | and chsh when compiled... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-0563 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| coreutils | CVE-2016-2781 | | 9.1-1 | | coreutils: Non-privileged |
| | | | | | session can escape to the |
| | | | | | parent session in chroot |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-2781 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-18018 | | | | coreutils: race condition |
| | | | | | vulnerability in chown and chgrp |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-18018 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| gcc-12-base | CVE-2022-27943 | | 12.2.0-14 | | binutils: libiberty/rust-demangle.c |
| | | | | | in GNU GCC 11.2 allows stack |
| | | | | | exhaustion in demangle_const |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libapt-pkg6.0 | CVE-2011-3374 | | 2.6.1 | | It was found that apt-key in apt, |
| | | | | | all versions, do not correctly... |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libatomic1 | CVE-2022-27943 | | 12.2.0-14 | | binutils: libiberty/rust-demangle.c |
| | | | | | in GNU GCC 11.2 allows stack |
| | | | | | exhaustion in demangle_const |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libblkid1 | CVE-2022-0563 | | 2.38.1-5 | | util-linux: partial disclosure |
| | | | | | of arbitrary files in chfn |
| | | | | | and chsh when compiled... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-0563 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libc-bin | CVE-2010-4756 | | 2.36-9+deb12u3 | | glibc: glob implementation |
| | | | | | can cause excessive CPU and |
| | | | | | memory consumption due to... |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4756 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-20796 | | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20796 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010022 | | | | glibc: stack guard protection bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010023 | | | | glibc: running ldd on malicious ELF |
| | | | | | leads to code execution because of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010024 | | | | glibc: ASLR bypass using |
| | | | | | cache of thread stack and heap |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010025 | | | | glibc: information disclosure of heap |
| | | | | | addresses of pthread_created thread |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9192 | | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9192 |
+------------------+------------------+ + +---------------+-----------------------------------------+
| libc6 | CVE-2010-4756 | | | | glibc: glob implementation |
| | | | | | can cause excessive CPU and |
| | | | | | memory consumption due to... |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4756 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-20796 | | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20796 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010022 | | | | glibc: stack guard protection bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010023 | | | | glibc: running ldd on malicious ELF |
| | | | | | leads to code execution because of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010024 | | | | glibc: ASLR bypass using |
| | | | | | cache of thread stack and heap |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010025 | | | | glibc: information disclosure of heap |
| | | | | | addresses of pthread_created thread |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9192 | | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9192 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libgcc-s1 | CVE-2022-27943 | | 12.2.0-14 | | binutils: libiberty/rust-demangle.c |
| | | | | | in GNU GCC 11.2 allows stack |
| | | | | | exhaustion in demangle_const |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libgcrypt20 | CVE-2018-6829 | | 1.10.1-3 | | libgcrypt: ElGamal implementation |
| | | | | | doesn't have semantic security due |
| | | | | | to incorrectly encoded plaintexts... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-6829 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libgnutls30 | CVE-2011-3389 | | 3.7.9-2+deb12u1 | | HTTPS: block-wise chosen-plaintext |
| | | | | | attack against SSL/TLS (BEAST) |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3389 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libgssapi-krb5-2 | CVE-2004-0971 | | 1.20.1-2+deb12u1 | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-5709 | | | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+------------------+------------------+ + +---------------+-----------------------------------------+
| libk5crypto3 | CVE-2004-0971 | | | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-5709 | | | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+------------------+------------------+ + +---------------+-----------------------------------------+
| libkrb5-3 | CVE-2004-0971 | | | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-5709 | | | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+------------------+------------------+ + +---------------+-----------------------------------------+
| libkrb5support0 | CVE-2004-0971 | | | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-5709 | | | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libldap-2.5-0 | CVE-2015-3276 | | 2.5.13+dfsg-5 | | openldap: incorrect multi-keyword |
| | | | | | mode cipherstring parsing |
| | | | | | -->avd.aquasec.com/nvd/cve-2015-3276 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-14159 | | | | openldap: Privilege escalation |
| | | | | | via PID file manipulation |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-14159 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-17740 | | | | openldap: |
| | | | | | contrib/slapd-modules/nops/nops.c |
| | | | | | attempts to free stack buffer |
| | | | | | allowing remote attackers to cause... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-17740 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-15719 | | | | openldap: Certificate |
| | | | | | validation incorrectly |
| | | | | | matches name against CN-ID |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-15719 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libmount1 | CVE-2022-0563 | | 2.38.1-5 | | util-linux: partial disclosure |
| | | | | | of arbitrary files in chfn |
| | | | | | and chsh when compiled... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-0563 |
+------------------+ + + +---------------+ +
| libsmartcols1 | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libsqlite3-0 | CVE-2021-45346 | | 3.40.1-2 | | sqlite: crafted SQL query |
| | | | | | allows a malicious user to |
| | | | | | obtain sensitive information... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-45346 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libssl3 | CVE-2023-0286 | HIGH | 3.0.11-1~deb12u2 | | X.400 address type confusion |
| | | | | | in X.509 GeneralName |
| | | | | | -->avd.aquasec.com/nvd/cve-2023-0286 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2022-4304 | MEDIUM | | | Timing Oracle in RSA Decryption |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-4304 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-4450 | | | | Double free after |
| | | | | | calling PEM_read_bio_ex |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-4450 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2023-0215 | | | | Use-after-free |
| | | | | | following BIO_new_NDEF |
| | | | | | -->avd.aquasec.com/nvd/cve-2023-0215 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2007-6755 | LOW | | | Dual_EC_DRBG: weak pseudo |
| | | | | | random number generator |
| | | | | | -->avd.aquasec.com/nvd/cve-2007-6755 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-0928 | | | | openssl: RSA authentication weakness |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-0928 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2022-4203 | UNKNOWN | | | -->avd.aquasec.com/nvd/cve-2022-4203 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2023-0216 | | | | -->avd.aquasec.com/nvd/cve-2023-0216 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2023-0217 | | | | -->avd.aquasec.com/nvd/cve-2023-0217 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2023-0401 | | | | -->avd.aquasec.com/nvd/cve-2023-0401 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libstdc++6 | CVE-2022-27943 | LOW | 12.2.0-14 | | binutils: libiberty/rust-demangle.c |
| | | | | | in GNU GCC 11.2 allows stack |
| | | | | | exhaustion in demangle_const |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libsystemd0 | CVE-2013-4392 | | 252.19-1~deb12u1 | | systemd: TOCTOU race condition |
| | | | | | when updating file permissions |
| | | | | | and SELinux security contexts... |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4392 |
+------------------+ + + +---------------+ +
| libudev1 | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libuuid1 | CVE-2022-0563 | | 2.38.1-5 | | util-linux: partial disclosure |
| | | | | | of arbitrary files in chfn |
| | | | | | and chsh when compiled... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-0563 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| login | CVE-2007-5686 | | 1:4.13+dfsg1-1 | | initscripts in rPath Linux 1 |
| | | | | | sets insecure permissions for |
| | | | | | the /var/log/btmp file,... |
| | | | | | -->avd.aquasec.com/nvd/cve-2007-5686 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-19882 | | | | shadow-utils: local users can |
| | | | | | obtain root access because setuid |
| | | | | | programs are misconfigured... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19882 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2023-0634 | | | | An uncontrolled process |
| | | | | | operation was found in the |
| | | | | | newgrp command provided by... |
| | | | | | -->avd.aquasec.com/nvd/cve-2023-0634 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| mount | CVE-2022-0563 | | 2.38.1-5 | | util-linux: partial disclosure |
| | | | | | of arbitrary files in chfn |
| | | | | | and chsh when compiled... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-0563 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| openssl | CVE-2023-0286 | HIGH | 3.0.11-1~deb12u2 | | X.400 address type confusion |
| | | | | | in X.509 GeneralName |
| | | | | | -->avd.aquasec.com/nvd/cve-2023-0286 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2022-4304 | MEDIUM | | | Timing Oracle in RSA Decryption |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-4304 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-4450 | | | | Double free after |
| | | | | | calling PEM_read_bio_ex |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-4450 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2023-0215 | | | | Use-after-free |
| | | | | | following BIO_new_NDEF |
| | | | | | -->avd.aquasec.com/nvd/cve-2023-0215 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2007-6755 | LOW | | | Dual_EC_DRBG: weak pseudo |
| | | | | | random number generator |
| | | | | | -->avd.aquasec.com/nvd/cve-2007-6755 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-0928 | | | | openssl: RSA authentication weakness |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-0928 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2022-4203 | UNKNOWN | | | -->avd.aquasec.com/nvd/cve-2022-4203 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2023-0216 | | | | -->avd.aquasec.com/nvd/cve-2023-0216 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2023-0217 | | | | -->avd.aquasec.com/nvd/cve-2023-0217 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2023-0401 | | | | -->avd.aquasec.com/nvd/cve-2023-0401 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| passwd | CVE-2007-5686 | LOW | 1:4.13+dfsg1-1 | | initscripts in rPath Linux 1 |
| | | | | | sets insecure permissions for |
| | | | | | the /var/log/btmp file,... |
| | | | | | -->avd.aquasec.com/nvd/cve-2007-5686 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-19882 | | | | shadow-utils: local users can |
| | | | | | obtain root access because setuid |
| | | | | | programs are misconfigured... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19882 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2023-0634 | | | | An uncontrolled process |
| | | | | | operation was found in the |
| | | | | | newgrp command provided by... |
| | | | | | -->avd.aquasec.com/nvd/cve-2023-0634 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| perl-base | CVE-2011-4116 | | 5.36.0-7+deb12u1 | | perl: File::Temp insecure |
| | | | | | temporary file handling |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-4116 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| tar | CVE-2005-2541 | | 1.34+dfsg-1.2 | | tar: does not properly warn the user |
| | | | | | when extracting setuid or setgid... |
| | | | | | -->avd.aquasec.com/nvd/cve-2005-2541 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-48303 | | | | tar: a heap buffer overflow |
| | | | | | at from_header() in list.c |
| | | | | | via specially crafter... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-48303 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| util-linux | CVE-2022-0563 | | 2.38.1-5 | | util-linux: partial disclosure |
| | | | | | of arbitrary files in chfn |
| | | | | | and chsh when compiled... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-0563 |
+------------------+ + + +---------------+ +
| util-linux-extra | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
I hope this helps a bit.
Hi @Megzo
Thank you for the info. Updating libraries and other things is one thing, but as I remember we also had to make sure our backed should be FIPS compliant, which means that you will have to have cryptography libraries fips compliant (don't have old encryptions, etc.). For example, Coturn in v4.6.2 had to make some changes to the openssl.
So, for now we are using Coturn since we had our POC servers running it. but there is scalability nor monitoring, for now I'll be manually making sure things are working. Plus our DevOps is not comfortable with K8s.
But I'm really trying to push STUNner as I believe in its capabilities.
Regarding pushing to FedRamp, I'm just making some research in general, it will take us long time to get anything into that environment, but I'll keep you posted.
oh and while I have you on the "line" can you check this setup to see if I'm missing anything. I've tried to make a quick run in EKS, but it didn't work and I didn't have much time to debug to figure out what is going on.
apiVersion: v1
kind: Namespace
metadata:
name: stunner
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass # Official doc: https://docs.l7mp.io/en/latest/GATEWAY/#gatewayclass
metadata:
name: stunner-gatewayclass
spec:
controllerName: "stunner.l7mp.io/gateway-operator"
parametersRef:
group: "stunner.l7mp.io"
kind: GatewayConfig
name: stunner-gatewayconfig
namespace: stunner
description: "STUNner is a WebRTC media gateway for Kubernetes"
---
apiVersion: stunner.l7mp.io/v1
kind: GatewayConfig
metadata:
name: stunner-gatewayconfig
namespace: stunner
spec:
logLevel: "all:DEBUG,turn:DEBUG"
realm: connect.keepersecurity.com
authRef:
name: stunner-auth-secret
namespace: stunner
---
apiVersion: v1
kind: Secret
metadata:
name: stunner-auth-secret
namespace: stunner
type: Opaque
stringData:
type: "ephemeral"
secret: "SecretString123"
---
# Gateways describe the STUN/TURN server listeners exposed to clients.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: udp-gateway
namespace: stunner
spec:
gatewayClassName: stunner-gatewayclass
listeners: # Listener config docs: https://docs.l7mp.io/en/latest/GATEWAY/#listener-configuration
- name: udp-listener
port: 3478
protocol: TURN-UDP
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: tcp-gateway
namespace: stunner
spec:
gatewayClassName: stunner-gatewayclass
listeners:
- name: tcp-listener
port: 3478
protocol: TURN-TCP
---
apiVersion: stunner.l7mp.io/v1
kind: UDPRoute
metadata:
name: stunner-headless
namespace: stunner
spec:
parentRefs:
- name: udp-gateway
- name: tcp-gateway
rules:
- backendRefs:
- name: stunner
namespace: stunner
---
# make sure the stunner service exists, otherwise the above route will be useless
apiVersion: v1
kind: Service
metadata:
name: stunner
namespace: stunner
spec:
selector:
app: stunner
ports:
- name: stunner-port-3478-udp
port: 3478
protocol: UDP
targetPort: 3478
# - name: stunner-port-3478-tcp
# port: 3478
# protocol: TCP
# targetPort: 3478
type: ClusterIP
# Info about the cluster:
# kubectl get gatewayconfigs,gateways,udproutes.stunner.l7mp.io -n stunner
if I can prove to our DevOps that we can run STUNner as easy as just deploying this kind of file, then we might just go with it.
Thank you
Hi @maksimu !
At first glance, your config looks correct. Since you mentioned you are using EKS, my guess is that the AWS-specific load balancer annotations are missing thus UDP LoadBalancer services are not working. Some pointers here: #32 and here: https://discord.com/channels/945255818494902282/1176557763585916978/1184414645038092330
that did it! Thank you!