Introducing Falco 0.36.1

Today we announce the release of Falco 0.36.1 🦅!

Fixes

Falco's 0.36.1 release is a small patch aimed at protecting our uses by addressing a few minor bugs. It includes the following:

• Address a HIGH severity vulnerability in libcurl CVE-2023-38545, bumping the library to the patched version 8.4.0. You can find more details in the section below.
• The legacy eBPF probe can now handle systems with CPU hotplug enabled, opening the right number of kernel buffers. (https://github.com/falcosecurity/falco/issues/2843)
• Remove a no longer useful experimental Falco config outputs_queue.recovery. This was introduced in Falco 0.36.0 as an experiment.
• Fix a possible segfault caused by a faulty implementation of timer_delete. (https://github.com/falcosecurity/falco/issues/2850)

Thanks to everyone in the community for helping us in spotting these annoying bugs 🐛! You make Falco successful 🦅!

Thanks as always to the Falco maintainers for their support and effort during the entire release process.

Vulnerability in libcurl

A HIGH severity vulnerability in libcurl, CVE-2023-38545, was disclosed alongside a patched version (8.4.0). We would like to answer the main question you might have about it: Does it affect Falco?

According to the excellent in-depth description of the bug, this can only be triggered if both conditions below are true:

• A SOCKS5 HTTP(S) proxy has been configured. This happens if you have set the standard environment variables that control proxy connections, such as http_proxy/https_proxy/no_proxy or libcurl-specific ones as indicated in the advisory or the libcurl documentation.
• An attacker controls the server that Falco is connecting to, namely the server configured to receive http_output or a custom prebuilt driver repository server, and the SOCKS5 proxy is "slow enough" to allow the attack to happen.

While it may be rare that users have an exploitable environment, it's still a possibility. For this reason, Falco maintainers decided to ship this patch release 🦅

Try it! 🏎️

As usual, in case you just want to try out the stable Falco 0.36.1, you can install its packages following the process outlined in the docs:

• CentOS/Amazon Linux
• Debian/Ubuntu
• openSUSE
• Linux binary package

Prefer to use a container image? No problem at all! 🐳

You can read more about running Falco with Docker in the docs.

You can also find the Falcosecurity container images on the public AWS ECR gallery:

• falco
• falco-no-driver
• falco-driver-loader

What next? 🔮

The community is active on many topics and we hope to deliver great features and many stability fixes once again during the next release cycle!

• The old falco-driver-loader script is showing its age and it's time to work on a more maintainable solution. falcoctl is a great candidate to host everything driver related, implement new features and make our lives easier when we need to install Falco drivers on a new machine.
• Lately we have expanded the syscall coverage that Falco can provide. We wish to improve these efforts across all drivers with even more 32 bit syscalls.
• Our rule framework is brand new and we forsee many improvements and active development work on it.
• The latest Falco versions brought many improvements to the plugin framework; we wish to use those to create a more scalable Kubernetes client plugin that will be able to withstand much heavier loads and will be easier to maintain.

And many, many, more enhancements!

Let's meet 🤝

We meet every Wednesday in our community calls, if you want to know the latest and the greatest you should join us there!

If you have any questions

• Join the #falco channel on the Kubernetes Slack
• Join the Falco mailing list

Thanks to all the amazing contributors!

Cheers 🎊

Andrea, Luca

• ←Previous
Next→