GHSA-7xg2-83f8-39mr: 
vulnerability analysis and mitigation

The vulnerability (GHSA-7xg2-83f8-39mr) involves the use of DES/3DES cipher as part of the TLS protocol in Karmada components deployed with karmadactl, karma-operator, and helm chart. The affected components include karmada-apiserver, karmada-aggregated-apiserver, karmada-search, karmada-metrics-adapter, and etcd, in versions prior to 1.8.0. This vulnerability is related to CVE-2016-2183 (Sweet32), though the risk of exploitation is considered low (GitHub Advisory).

The vulnerability stems from Karmada components using Golang's default cipher suites, which include the insecure 3DES algorithm. While the 3DES algorithm vulnerability is considered unlikely to be exploited according to discussions in the Golang community, the security concern warranted addressing. The issue affects the TLS configuration of multiple Karmada components across different installation methods (Karmada Issue).

The use of DES/3DES cipher in TLS connections potentially exposes the affected components to the Sweet32 vulnerability (CVE-2016-2183). While the practical impact is considered low, it could potentially affect the security of TLS connections in Karmada deployments (GitHub Advisory).

The vulnerability has been patched in Karmada v1.8.0, where the default minimum TLS version for affected components is set to TLS1.3. For users unable to upgrade, temporary workarounds include manually setting the --tls-min-version parameter to TLS 1.3 for affected components, or explicitly configuring --cipher-suites to use secure algorithms. The patch also implements specific secure cipher suites for etcd (GitHub Advisory).