Community post from the team at OSTIF

OSTIF and the CNCF are proud to announce the completion of a security audit of CubeFS. The project, which provides cloud-native storage across a variety of access protocols, was audited by the team at Ada Logics during the fall of 2023. The security audit for CubeFS was designed to be holistic and focused on three goals: analyzing and creating a threat model with attention to risk and entry points, a SLSA review of supply-chain security, and a code review for security health and vulnerabilities.

CubeFS’s threat model was designed around the four components of the project (metadata subsystem, data subsystem, resource management, and object subsystem) that allow it to function on top of applications and databases deployed on Kubernetes. Detailed in the report are the architectural and permission designs that form the threat model, as well as a grid of threat actors and their capabilities. As the project is not connected to the internet, the threat actors are users and code contributors, or anyone who has obtained those permissions. This makes the trust-flow diagram for an out-of-the-box deployment of CubeFS, like the one modeled by Ada Logics in the audit report, extremely direct and clear.

The audit disclosed seven findings with security impact, plus an additional five findings that were assigned CVEs, for a total of 12. Nine of the findings, including all of the CVEs, were rated Medium severity, and the other three were rated Low severity. The CVEs identified by this audit are CVE-2023-46738 through CVE-2023-46742. All vulnerabilities and CVEs in this audit have been fixed by CubeFS and shipped with the release of CubeFS v3.3.1.

While CubeFS has notably maintained its supply-chain security in certain areas, it is missing provenance in its releases. As such, it cannot earn a grade higher than 0 from SLSA. However, while this grade shows an area for improvement for CubeFS, it should not be understood as a reflection of the overall supply-chain security of the project. Excluding provenance, the project would comply with Level 3 of SLSA. Furthermore, the project maintainers have created a public issue on GitHub for those interested in following their work on improving their supply-chain security.

This engagement was a step towards CNCF graduation for CubeFS, and the Ada Logics team worked hard to provide the maintainers with helpful feedback and recommendations to help the project build more securely. This project is an incredible resource for businesses and users around the world, and this global collaboration was an honor for us at OSTIF to be a part of.

We would like to thank the team at CubeFS, specifically Leon Chang, Lei Zhang, Xiaochun He, and Baijiaruo, for their clarity, expertise, and kindness over the course of this engagement. They were an extremely responsive team and active participants in the audit in a way that benefits not just the engagement but also project users and contributors. Our gratitude is extended to Ada Logics, Adam and David Korczynski and their team, for their hard work and contributions in making this successful audit possible. Finally, this would not have been possible without the funding and support of the CNCF. Open source security work is made possible by their contributions and foundation.

Read the audit report HERE

Read CubeFS’s blog HERE