Closed rupendra-kpmg closed 2 years ago
For MIC, I'd suggest upgrading to at least 1.8.4 for Go 1.17 support. I am working on upgrading the project to use Go 1.18 and we can cut v1.8.9 after that is merged.
I upgraded MIC to 1.8.4 and submitted it for a scan. Thanks.
When will the NMI vulnerabilities be fixed?
@chewong
NMI needs an update to xz-utils and gzip, any suggestions?
Could you try mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.4.4? It's our fourth revision of v1.8.4, which should patch those packages.
@chewong
NMI:v1.8.4.4 :-(
-------- Begin on caacrsofidevuat.azurecr.io/base/nmi:v1.8.4.4 ---------
Scan results for: image caacrsofidevuat.azurecr.io/base/nmi:v1.8.4.4 sha256:e2d79af17935beb33af19b66745e85a910772ef75cb52b3e8434a3556ee2c483
Vulnerabilities
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION | TRIGGERED FAILURE |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-38297 | critical | 9.80 | go | 1.17.1 | fixed in 1.17.2, 1.16.9 | > 6 months | < 1 hour | Go before 1.16.9 and 1.17.x before 1.17.2 has a | No |
| | | | | | > 6 months ago | | | Buffer Overflow via large arguments in a function | |
| | | | | | | | | invocation from a WASM module, when GOARCH=wasm | |
| | | | | | | | | GOOS... | |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-23806 | critical | 9.10 | go | 1.17.1 | fixed in 1.17.7, 1.16.14 | 88 days | < 1 hour | Curve.IsOnCurve in crypto/elliptic in Go before | No |
| | | | | | 88 days ago | | | 1.16.14 and 1.17.x before 1.17.7 can incorrectly | |
| | | | | | | | | return true in situations with a big.Int value | |
| | | | | | | | | that i... | |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2018-12886 | high | 8.10 | gcc-8 | 8.3.0-6 | open | > 2 years | < 1 hour | stack_protect_prologue in cfgexpand.c and | No |
| | | | | | | | | stack_protect_epilogue in function.c in GNU | |
| | | | | | | | | Compiler Collection (GCC) 4.1 through 8 (under | |
| | | | | | | | | certain circumsta... | |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-28327 | high | 7.50 | go | 1.17.1 | fixed in 1.18.1, 1.17.9 | 20 days | < 1 hour | The generic P-256 feature in crypto/elliptic in | No |
| | | | | | 20 days ago | | | Go before 1.17.9 and 1.18.x before 1.18.1 allows a | |
| | | | | | | | | panic via long scalar input. | |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-24921 | high | 7.50 | go | 1.17.1 | fixed in 1.17.8, 1.16.15 | 65 days | < 1 hour | regexp.Compile in Go before 1.16.15 and 1.17.x | No |
| | | | | | 65 days ago | | | before 1.17.8 allows stack exhaustion via a deeply | |
| | | | | | | | | nested expression. | |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-24675 | high | 7.50 | go | 1.17.1 | fixed in 1.18.1, 1.17.9 | 20 days | < 1 hour | encoding/pem in Go before 1.17.9 and 1.18.x before | No |
| | | | | | 20 days ago | | | 1.18.1 has a Decode stack overflow via a large | |
| | | | | | | | | amount of PEM data. | |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-23773 | high | 7.50 | go | 1.17.1 | fixed in 1.17.7, 1.16.14 | 88 days | < 1 hour | cmd/go in Go before 1.16.14 and 1.17.x before | No |
| | | | | | 88 days ago | | | 1.17.7 can misinterpret branch names that falsely | |
| | | | | | | | | appear to be version tags. This can lead to | |
| | | | | | | | | incorrect ... | |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-23772 | high | 7.50 | go | 1.17.1 | fixed in 1.17.7, 1.16.14 | 88 days | < 1 hour | Rat.SetString in math/big in Go before 1.16.14 and | No |
| | | | | | 88 days ago | | | 1.17.x before 1.17.7 has an overflow that can lead | |
| | | | | | | | | to Uncontrolled Memory Consumption. | |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-44716 | high | 7.50 | go | 1.17.1 | fixed in 1.17.5, 1.16.12 | > 4 months | < 1 hour | net/http in Go before 1.16.12 and 1.17.x before | No |
| | | | | | > 4 months ago | | | 1.17.5 allows uncontrolled memory consumption | |
| | | | | | | | | in the header canonicalization cache via HTTP/2 | |
| | | | | | | | | requests... | |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-41772 | high | 7.50 | go | 1.17.1 | fixed in 1.17.3, 1.16.10 | > 6 months | < 1 hour | Go before 1.16.10 and 1.17.x before 1.17.3 allows | No |
| | | | | | > 6 months ago | | | an archive/zip Reader.Open panic via a crafted | |
| | | | | | | | | ZIP archive containing an invalid name or an empty | |
| | | | | | | | | fi... | |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-41771 | high | 7.50 | go | 1.17.1 | fixed in 1.17.3, 1.16.10 | > 6 months | < 1 hour | ImportedSymbols in debug/macho (for Open or | No |
| | | | | | > 6 months ago | | | OpenFat) in Go before 1.16.10 and 1.17.x before | |
| | | | | | | | | 1.17.3 Accesses a Memory Location After the End of | |
| | | | | | | | | a Buffe... | |
+----------------+----------+------+---------+---------+--------------------------+------------+------------+----------------------------------------------------+-------------------+
Vulnerabilities found for image caacrsofidevuat.azurecr.io/base/nmi:v1.8.4.4: total - 11, critical - 2, high - 9, medium - 0, low - 0
Vulnerability threshold check results: PASS
Compliance found for image caacrsofidevuat.azurecr.io/base/nmi:v1.8.4.4: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS
Link to the results in Console: https://app2.eu.prismacloud.io/compute?computeState=/monitor/vulnerabilities/images/ci?search=sha256%3Ae2d79af17935beb33af19b66745e85a910772ef75cb52b3e8434a3556ee2c483
-------- End on caacrsofidevuat.azurecr.io/base/nmi:v1.8.4.4 ---------
We won't be able to fix these go-related vulnerabilities since we don't rebuild v1.8.4 with the newer go version. The only solution is to upgrade NMI to the latest version (v1.8.8). We will also release v1.8.9 soon for Go 1.18 support.
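An added example, not from this thread or the aad-pod-identity project: a small Python parser for the Prisma table layout quoted above that reports which Go CVEs an image built on a given Go release would still carry, and the lowest 1.17.x release that clears every fixable one (the scanner's "fixed in" column). The sample rows are copied from the nmi:v1.8.4.4 scan, abbreviated to the first six columns.

```python
import re

# Constructed sample in the layout of the Prisma tables quoted in this thread,
# abbreviated to the first six columns; rows copied from the nmi:v1.8.4.4 scan.
SAMPLE_SCAN = """
+----------------+----------+------+---------+---------+--------------------------+
| CVE            | SEVERITY | CVSS | PACKAGE | VERSION | STATUS                   |
+----------------+----------+------+---------+---------+--------------------------+
| CVE-2021-38297 | critical | 9.80 | go      | 1.17.1  | fixed in 1.17.2, 1.16.9  |
|                |          |      |         |         | > 6 months ago           |
| CVE-2022-23806 | critical | 9.10 | go      | 1.17.1  | fixed in 1.17.7, 1.16.14 |
|                |          |      |         |         | 88 days ago              |
| CVE-2018-12886 | high     | 8.10 | gcc-8   | 8.3.0-6 | open                     |
| CVE-2022-28327 | high     | 7.50 | go      | 1.17.1  | fixed in 1.18.1, 1.17.9  |
|                |          |      |         |         | 20 days ago              |
+----------------+----------+------+---------+---------+--------------------------+
"""
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

def ver(s):
    # "1.17.9" -> (1, 17, 9): Go-style x.y.z releases compared numerically, not as strings
    return tuple(int(p) for p in s.split("."))

def parse_scan(text):
    """One dict per finding; a row line has the CVE id in its first cell, continuation lines do not."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # separators (+---+) and prose around the table
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not cells[0].startswith("CVE-"):
            continue  # header row or wrapped continuation row
        cve, severity, _cvss, package, version, status = cells[:6]
        fixes = VERSION_RE.findall(status) if status.startswith("fixed in") else []
        findings.append({"cve": cve, "severity": severity, "package": package, "version": version, "fixed_in": fixes})
    return findings

def remaining(findings, package, installed):
    """CVEs for `package` that an image rebuilt on `installed` would still carry: cleared only by a
    fix release on the same minor line (e.g. 1.17.x) <= installed; 'open' findings are never cleared."""
    want = ver(installed)
    left = []
    for f in findings:
        if f["package"] != package:
            continue
        on_line = [ver(v) for v in f["fixed_in"] if ver(v)[:2] == want[:2]]
        if not on_line or min(on_line) > want:
            left.append(f["cve"])
    return left

def minimum_release(findings, package, line):
    """Smallest patch release on `line` (e.g. "1.17") that clears every fixable finding, or None."""
    needed = [ver(v) for f in findings if f["package"] == package
              for v in f["fixed_in"] if ver(v)[:2] == ver(line)]
    return ".".join(map(str, max(needed))) if needed else None
```

Run against the v1.8.8 scans in this thread, the same logic explains why an image built on Go 1.17.8 still reports CVE-2022-28327 and CVE-2022-24675 (both need 1.17.9), while the gcc-8 and openssl findings come from the base image and no Go bump clears them.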
If we just update the image version it should be fine; we don't need to update the PodIdentity configuration, correct? Or do you have any document for reference?
If you are using helm to install aad-pod-identity, you can run helm upgrade. Otherwise, you can find the release manifests in https://github.com/Azure/aad-pod-identity/releases and run kubectl apply -f
@chewong
-------- Begin on caacrsofidevuat.azurecr.io/base/nmi:v1.8.8 ---------
Scan results for: image caacrsofidevuat.azurecr.io/base/nmi:v1.8.8 sha256:4fe3538bcbef4582f4a42a90b216698aeb8cfb9c701326b8a382f17a030fc4b3
Vulnerabilities
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION | TRIGGERED FAILURE |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-1292 | critical | 9.80 | openssl | 1.1.1n-0+deb11u1 | open | 8 days | < 1 hour | The c_rehash script does not properly sanitise | No |
| | | | | | | | | shell metacharacters to prevent command injection. | |
| | | | | | | | | This script is distributed by some operating | |
| | | | | | | | | systems... | |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-23806 | critical | 9.10 | go | 1.17.3 | fixed in 1.17.7, 1.16.14 | 90 days | < 1 hour | Curve.IsOnCurve in crypto/elliptic in Go before | No |
| | | | | | 90 days ago | | | 1.16.14 and 1.17.x before 1.17.7 can incorrectly | |
| | | | | | | | | return true in situations with a big.Int value | |
| | | | | | | | | that i... | |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-28327 | high | 7.50 | go | 1.17.3 | fixed in 1.18.1, 1.17.9 | 22 days | < 1 hour | The generic P-256 feature in crypto/elliptic in | No |
| | | | | | 22 days ago | | | Go before 1.17.9 and 1.18.x before 1.18.1 allows a | |
| | | | | | | | | panic via long scalar input. | |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-28327 | high | 7.50 | go | 1.17.8 | fixed in 1.18.1, 1.17.9 | 22 days | < 1 hour | The generic P-256 feature in crypto/elliptic in | No |
| | | | | | 22 days ago | | | Go before 1.17.9 and 1.18.x before 1.18.1 allows a | |
| | | | | | | | | panic via long scalar input. | |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-24921 | high | 7.50 | go | 1.17.3 | fixed in 1.17.8, 1.16.15 | 67 days | < 1 hour | regexp.Compile in Go before 1.16.15 and 1.17.x | No |
| | | | | | 67 days ago | | | before 1.17.8 allows stack exhaustion via a deeply | |
| | | | | | | | | nested expression. | |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-24675 | high | 7.50 | go | 1.17.8 | fixed in 1.18.1, 1.17.9 | 22 days | < 1 hour | encoding/pem in Go before 1.17.9 and 1.18.x before | No |
| | | | | | 22 days ago | | | 1.18.1 has a Decode stack overflow via a large | |
| | | | | | | | | amount of PEM data. | |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-24675 | high | 7.50 | go | 1.17.3 | fixed in 1.18.1, 1.17.9 | 22 days | < 1 hour | encoding/pem in Go before 1.17.9 and 1.18.x before | No |
| | | | | | 22 days ago | | | 1.18.1 has a Decode stack overflow via a large | |
| | | | | | | | | amount of PEM data. | |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-23773 | high | 7.50 | go | 1.17.3 | fixed in 1.17.7, 1.16.14 | 90 days | < 1 hour | cmd/go in Go before 1.16.14 and 1.17.x before | No |
| | | | | | 90 days ago | | | 1.17.7 can misinterpret branch names that falsely | |
| | | | | | | | | appear to be version tags. This can lead to | |
| | | | | | | | | incorrect ... | |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2022-23772 | high | 7.50 | go | 1.17.3 | fixed in 1.17.7, 1.16.14 | 90 days | < 1 hour | Rat.SetString in math/big in Go before 1.16.14 and | No |
| | | | | | 90 days ago | | | 1.17.x before 1.17.7 has an overflow that can lead | |
| | | | | | | | | to Uncontrolled Memory Consumption. | |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2021-44716 | high | 7.50 | go | 1.17.3 | fixed in 1.17.5, 1.16.12 | > 4 months | < 1 hour | net/http in Go before 1.16.12 and 1.17.x before | No |
| | | | | | > 4 months ago | | | 1.17.5 allows uncontrolled memory consumption | |
| | | | | | | | | in the header canonicalization cache via HTTP/2 | |
| | | | | | | | | requests... | |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2018-25032 | high | 7.50 | zlib | 1:1.2.11.dfsg-2 | fixed in 1:1.2.11.dfsg-2+deb11u1 | 31 days | < 1 hour | zlib before 1.2.12 allows memory corruption when | No |
| | | | | | 48 days ago | | | deflating (i.e., when compressing) if the input | |
| | | | | | | | | has many distant matches. | |
+----------------+----------+------+---------+------------------+----------------------------------+------------+------------+----------------------------------------------------+-------------------+
Vulnerabilities found for image caacrsofidevuat.azurecr.io/base/nmi:v1.8.8: total - 11, critical - 2, high - 9, medium - 0, low - 0
Vulnerability threshold check results: PASS
Compliance found for image caacrsofidevuat.azurecr.io/base/nmi:v1.8.8: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS
Link to the results in Console: https://app2.eu.prismacloud.io/compute?computeState=/monitor/vulnerabilities/images/ci?search=sha256%3A4fe3538bcbef4582f4a42a90b216698aeb8cfb9c701326b8a382f17a030fc4b3
-------- End on caacrsofidevuat.azurecr.io/base/nmi:v1.8.8 ---------
-------- Begin on caacrsofidevuat.azurecr.io/base/mic:v1.8.8 ---------
Scan results for: image caacrsofidevuat.azurecr.io/base/mic:v1.8.8 sha256:041c195468a086c480c63c20c6e49708b4c307e55b8b097d9780b62f7b7bd8d6
Vulnerabilities
+----------------+----------+------+---------+---------+-------------------------+-----------+------------+----------------------------------------------------+-------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION | TRIGGERED FAILURE |
+----------------+----------+------+---------+---------+-------------------------+-----------+------------+----------------------------------------------------+-------------------+
| CVE-2022-28327 | high | 7.50 | go | 1.17.8 | fixed in 1.18.1, 1.17.9 | 22 days | < 1 hour | The generic P-256 feature in crypto/elliptic in | No |
| | | | | | 22 days ago | | | Go before 1.17.9 and 1.18.x before 1.18.1 allows a | |
| | | | | | | | | panic via long scalar input. | |
+----------------+----------+------+---------+---------+-------------------------+-----------+------------+----------------------------------------------------+-------------------+
| CVE-2022-24675 | high | 7.50 | go | 1.17.8 | fixed in 1.18.1, 1.17.9 | 22 days | < 1 hour | encoding/pem in Go before 1.17.9 and 1.18.x before | No |
| | | | | | 22 days ago | | | 1.18.1 has a Decode stack overflow via a large | |
| | | | | | | | | amount of PEM data. | |
+----------------+----------+------+---------+---------+-------------------------+-----------+------------+----------------------------------------------------+-------------------+
Vulnerabilities found for image caacrsofidevuat.azurecr.io/base/mic:v1.8.8: total - 2, critical - 0, high - 2, medium - 0, low - 0
Vulnerability threshold check results: PASS
Compliance found for image caacrsofidevuat.azurecr.io/base/mic:v1.8.8: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS
Link to the results in Console: https://app2.eu.prismacloud.io/compute?computeState=/monitor/vulnerabilities/images/ci?search=sha256%3A041c195468a086c480c63c20c6e49708b4c307e55b8b097d9780b62f7b7bd8d6
-------- End on caacrsofidevuat.azurecr.io/base/mic:v1.8.8 ---------
Describe the bug
Steps To Reproduce: Scan with Prisma
Expected behavior: Detection of vulnerabilities
AAD Pod Identity version: nmi:v1.8.4.3 & mic:v1.8.2
Kubernetes version: 1.22
Additional context:
Scan results for: image caacrsofidevuat.azurecr.io/base/mic:v1.8.2 sha256:b014e24b99800d0f562fed5efb4e638ae8ba65fa2abe0884b36935bb1c1b769f Vulnerabilities
Vulnerabilities found for image caacrsofidevuat.azurecr.io/base/nmi:v1.8.4.3: total - 10, critical - 2, high - 8, medium - 0, low - 0 Vulnerability threshold check results: PASS
Compliance found for image caacrsofidevuat.azurecr.io/base/nmi:v1.8.4.3: total - 0, critical - 0, high - 0, medium - 0, low - 0 Compliance threshold check results: PASS Link to the results in Console: https://app2.eu.prismacloud.io/compute?computeState=/monitor/vulnerabilities/images/ci?search=sha256%3Aea7c1ca3c5ce8df2410676d14f2154e8ddad7ec6d2344c559aefbdcd4e074fd8