aws-neuron / aws-neuron-sdk

Powering AWS purpose-built machine learning chips. Blazing fast and cost effective, natively integrated into PyTorch and TensorFlow and integrated with your favorite AWS services
https://aws.amazon.com/machine-learning/neuron/

Latest version of neuron-device-plugin (2.19.16.0) contains known security vulnerabilities #852

Open WestonReed opened 3 months ago

WestonReed commented 3 months ago

Hello, I am unsure if this is the right place to report this, but there are some known high & medium vulnerabilities in the latest publicly available build of the neuron-device-plugin container found here.

Here is the command you may use to reproduce this:

trivy image --severity LOW,MEDIUM,HIGH,CRITICAL --ignore-unfixed --exit-code 3 --exit-on-eol 7 --scanners vuln public.ecr.aws/neuron/neuron-device-plugin:2.19.16.0
2024-03-15T17:05:54.800-0700    INFO    Need to update DB
2024-03-15T17:05:54.800-0700    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-03-15T17:05:54.800-0700    INFO    Downloading DB...
44.32 MiB / 44.32 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 19.14 MiB p/s 2.5s
2024-03-15T17:05:58.617-0700    INFO    Vulnerability scanning is enabled
2024-03-15T17:06:06.619-0700    INFO    Detected OS: amazon
2024-03-15T17:06:06.619-0700    INFO    Detecting Amazon Linux vulnerabilities...
2024-03-15T17:06:06.627-0700    INFO    Number of language-specific files: 1
2024-03-15T17:06:06.627-0700    INFO    Detecting gobinary vulnerabilities...

public.ecr.aws/neuron/neuron-device-plugin:2.19.16.0 (amazon 2 (Karoo))

Total: 8 (LOW: 1, MEDIUM: 6, HIGH: 1, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬────────┬──────────────────────────┬──────────────────────────┬────────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Status │    Installed Version     │      Fixed Version       │                           Title                            │
├────────────────────┼────────────────┼──────────┼────────┼──────────────────────────┼──────────────────────────┼────────────────────────────────────────────────────────────┤
│ cpio               │ CVE-2015-1197  │ HIGH     │ fixed  │ 2.12-11.amzn2            │ 2.12-11.amzn2.0.1        │ directory traversal through symlinks                       │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2015-1197                  │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼────────────────────────────────────────────────────────────┤
│ glib2              │ CVE-2021-28153 │ LOW      │        │ 2.56.1-9.amzn2.0.6       │ 2.56.1-9.amzn2.0.7       │ glib: g_file_replace() with                                │
│                    │                │          │        │                          │                          │ G_FILE_CREATE_REPLACE_DESTINATION creates empty target for │
│                    │                │          │        │                          │                          │ dangling symlink                                           │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2021-28153                 │
├────────────────────┼────────────────┼──────────┤        ├──────────────────────────┼──────────────────────────┼────────────────────────────────────────────────────────────┤
│ ncurses            │ CVE-2023-45918 │ MEDIUM   │        │ 6.0-8.20170212.amzn2.1.7 │ 6.0-8.20170212.amzn2.1.8 │ ncurses 6.4-20230610 has a NULL pointer dereference in     │
│                    │                │          │        │                          │                          │ tgetstr in tinf ......                                     │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-45918                 │
├────────────────────┤                │          │        │                          │                          │                                                            │
│ ncurses-base       │                │          │        │                          │                          │                                                            │
│                    │                │          │        │                          │                          │                                                            │
│                    │                │          │        │                          │                          │                                                            │
├────────────────────┤                │          │        │                          │                          │                                                            │
│ ncurses-libs       │                │          │        │                          │                          │                                                            │
│                    │                │          │        │                          │                          │                                                            │
│                    │                │          │        │                          │                          │                                                            │
├────────────────────┼────────────────┤          │        ├──────────────────────────┼──────────────────────────┼────────────────────────────────────────────────────────────┤
│ nss-softokn        │ CVE-2023-6135  │          │        │ 3.90.0-6.amzn2.0.1       │ 3.90.0-6.amzn2.0.2       │ nss: vulnerable to Minerva side-channel information leak   │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2023-6135                  │
├────────────────────┤                │          │        │                          │                          │                                                            │
│ nss-softokn-freebl │                │          │        │                          │                          │                                                            │
│                    │                │          │        │                          │                          │                                                            │
├────────────────────┼────────────────┤          │        ├──────────────────────────┼──────────────────────────┼────────────────────────────────────────────────────────────┤
│ openssl-libs       │ CVE-2024-0727  │          │        │ 1:1.0.2k-24.amzn2.0.11   │ 1:1.0.2k-24.amzn2.0.12   │ openssl: denial of service via null dereference            │
│                    │                │          │        │                          │                          │ https://avd.aquasec.com/nvd/cve-2024-0727                  │
└────────────────────┴────────────────┴──────────┴────────┴──────────────────────────┴──────────────────────────┴────────────────────────────────────────────────────────────┘

usr/bin/k8s-neuron-device-plugin (gobinary)

Total: 1 (LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf │ CVE-2024-24786 │ MEDIUM   │ fixed  │ v1.31.0           │ 1.33.0        │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                            │                │          │        │                   │               │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                            │                │          │        │                   │               │ certain forms of...                                          │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
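The scan above was run with Trivy's table output; in a CI gate the same data is easier to act on from `trivy image --format json`. The following is an added example (not code from the issue or from the Neuron project) that triages such a JSON report: it flattens `Results[].Vulnerabilities[]`, counts findings per severity, and returns exit code 3 when a fixable finding at or above a chosen severity is present, mirroring the `--ignore-unfixed --exit-code 3` options used above. The embedded report is a constructed sample populated from the rows in the table, not a saved Trivy run, and the field names follow Trivy's JSON schema.

```python
"""Triage a Trivy JSON report: per-severity counts, fixable findings, CI exit code."""
import json
from collections import Counter

# Constructed sample shaped like `trivy image --format json` output and filled in
# from the findings listed in the issue (not a real saved report).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "public.ecr.aws/neuron/neuron-device-plugin:2.19.16.0",
    "Results": [
        {
            "Target": "public.ecr.aws/neuron/neuron-device-plugin:2.19.16.0 (amazon 2 (Karoo))",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2015-1197", "PkgName": "cpio",
                 "InstalledVersion": "2.12-11.amzn2", "FixedVersion": "2.12-11.amzn2.0.1",
                 "Severity": "HIGH", "Status": "fixed"},
                {"VulnerabilityID": "CVE-2021-28153", "PkgName": "glib2",
                 "InstalledVersion": "2.56.1-9.amzn2.0.6", "FixedVersion": "2.56.1-9.amzn2.0.7",
                 "Severity": "LOW", "Status": "fixed"},
                {"VulnerabilityID": "CVE-2024-0727", "PkgName": "openssl-libs",
                 "InstalledVersion": "1:1.0.2k-24.amzn2.0.11", "FixedVersion": "1:1.0.2k-24.amzn2.0.12",
                 "Severity": "MEDIUM", "Status": "fixed"},
            ],
        },
        {
            "Target": "usr/bin/k8s-neuron-device-plugin",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2024-24786", "PkgName": "google.golang.org/protobuf",
                 "InstalledVersion": "v1.31.0", "FixedVersion": "1.33.0",
                 "Severity": "MEDIUM", "Status": "fixed"},
            ],
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list of dicts with the target attached."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for targets without findings.
        for v in result.get("Vulnerabilities") or []:
            out.append({
                "target": result.get("Target", ""),
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "status": v.get("Status", ""),
            })
    return out


def summarize(report_json, ignore_unfixed=True):
    """Per-severity counts, like Trivy's 'Total: N (LOW: .., MEDIUM: .., ...)' line."""
    counts = Counter()
    for f in findings(report_json):
        if ignore_unfixed and not f["fixed"]:
            continue
        counts[f["severity"]] += 1
    return dict(counts)


def gate(report_json, fail_at="HIGH", ignore_unfixed=True):
    """Return (exit_code, blocking_findings); 3 mirrors the --exit-code 3 used in the issue."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [
        f for f in findings(report_json)
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold
        and (f["fixed"] or not ignore_unfixed)
    ]
    return (3 if blocking else 0), blocking


if __name__ == "__main__":
    code, blocking = gate(SAMPLE_REPORT)
    print("counts:", summarize(SAMPLE_REPORT))
    for f in blocking:
        print(f"{f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['severity']})")
    raise SystemExit(code)
```

Run against a real report, `gate()` returns 3 for this image because the cpio finding is HIGH and has a fix available; lowering `fail_at` to `"MEDIUM"` also pulls in the openssl-libs and protobuf rows, which is the policy most teams apply to an image that runs as a privileged device plugin.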
aws-taylor commented 3 months ago

Thanks @WestonReed,

We are addressing the issue and a fix will be present in a near release. We will update this issue with more information once released.

-Taylor

adammw commented 1 month ago

Also, not mentioned by the above, but /usr/bin/k8s-neuron-device-plugin is built with go1.20.4, which is susceptible to https://github.com/advisories/GHSA-4v7x-pqxf-cx7m
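The toolchain version quoted above is recorded in the binary's build info, which `go version -m <binary>` prints along with every module the binary was linked against. The following is an added example (not code from this thread or from the Neuron project) that parses that output and reports the toolchain and any listed module that falls below a minimum version. The sample text is constructed in the `go version -m` format with the toolchain and protobuf version from this issue; the module path and hash are placeholders, and the version floors in `POLICY` are illustrative assumptions, not fixed versions stated in the thread.

```python
"""Check a Go binary's recorded toolchain and module versions against minimum floors."""
import re

# Constructed sample in the format of `go version -m`; path and hash are placeholders.
SAMPLE_BUILDINFO = """\
/usr/bin/k8s-neuron-device-plugin: go1.20.4
\tpath\texample.invalid/k8s-neuron-device-plugin
\tmod\texample.invalid/k8s-neuron-device-plugin\t(devel)
\tdep\tgoogle.golang.org/protobuf\tv1.31.0\th1:PLACEHOLDERHASH=
\tdep\tk8s.io/kubelet\tv0.27.0\th1:PLACEHOLDERHASH=
\tbuild\t-buildmode=exe
"""

# Illustrative policy floors (assumptions for this example, not values from the thread).
POLICY = {
    "go": "1.21.9",
    "google.golang.org/protobuf": "v1.33.0",
}


def parse_version(text):
    """'go1.20.4' / 'v1.31.0' / '1.33.0' -> (1, 20, 4); any pre-release suffix is ignored."""
    m = re.match(r"^(?:go|v)?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def parse_buildinfo(output):
    """Return (toolchain_version, {module_path: version}) from `go version -m` text."""
    lines = output.splitlines()
    # First line: "<path>: go1.20.4"
    toolchain = lines[0].rsplit(":", 1)[1].strip()
    modules = {}
    for line in lines[1:]:
        fields = line.strip().split("\t")
        # "dep <path> <version> <hash>" and "mod <path> <version>" rows carry versions.
        if len(fields) >= 3 and fields[0] in ("dep", "mod"):
            modules[fields[1]] = fields[2]
    return toolchain, modules


def check(output, policy=POLICY):
    """Return [(component, found_version, required_floor)] for everything below policy."""
    toolchain, modules = parse_buildinfo(output)
    below = []
    if parse_version(toolchain) < parse_version(policy["go"]):
        below.append(("go toolchain", toolchain, policy["go"]))
    for module, floor in policy.items():
        if module == "go" or module not in modules:
            continue
        found = modules[module]
        if found == "(devel)":  # main module built from a working tree has no version
            continue
        if parse_version(found) < parse_version(floor):
            below.append((module, found, floor))
    return below


if __name__ == "__main__":
    for component, found, required in check(SAMPLE_BUILDINFO):
        print(f"{component}: {found} is below required {required}")
```

Because this reads the build info the Go linker embeds, it works on a stripped binary pulled out of the container image and needs no package manager or vulnerability database; it complements a scanner like Trivy rather than replacing it.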

AWSNB commented 1 month ago

Adam,

Ack on the two issues raised. Will it be OK if the team replies on Tuesday US time, as Monday is a public holiday?

Sent from my iPhone

geetasg commented 1 month ago

@adammw Thanks for reporting the issue. We are looking into fixing CVE-2023-45288 in next neuron SDK release.