bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets
https://sealed-secrets.netlify.app/
Apache License 2.0

Address vulnerability CVE-2022-27191 in the latest image of the Controller #830

Closed agarcia-oss closed 2 years ago

agarcia-oss commented 2 years ago

Which component: sealed-secrets-controller v0.17.5

Describe the bug: Trivy scan detects the occurrence of the CVE-2022-27191 vulnerability in the latest image of the controller:

To Reproduce: Steps to reproduce the behaviour:

$ trivy image  bitnami/sealed-secrets-controller:v0.17.5
bitnami/sealed-secrets-controller:v0.17.5 (debian 11.3)
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/local/bin/controller (gobinary)
===================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION           |                 TITLE                 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2022-27191   | HIGH     | v0.0.0-20211215153901-e495a2d5b3d3 | 0.0.0-20220315160706-3147a52a75dd | golang: crash in a                    |
|                     |                  |          |                                    |                                   | golang.org/x/crypto/ssh server        |
|                     |                  |          |                                    |                                   | -->avd.aquasec.com/nvd/cve-2022-27191 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+

Expected behaviour: Analyze the vulnerability and decide on how to address it (update the dependencies if needed).

mkmik commented 2 years ago

Fwiw, the only functionality we use from golang.org/x/crypto/ssh is the function that computes an RSA pub key fingerprint.

The price to pay for automated dependency scanners is a lot of false positives.

That said, keeping these deps up to date (possibly by bots) so as to silence automated security scanners is a good idea.
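To make the comment above concrete, the following is an added example (not the controller's own code) of what an RSA public key fingerprint computation consists of, written against the Go standard library only so no golang.org/x/crypto import is involved. It marshals the key in the OpenSSH wire format (RFC 4253, "ssh-rsa", mpint e, mpint n), hashes it with SHA-256 and prints the unpadded base64 digest with the "SHA256:" prefix, which is the textual form both OpenSSH and ssh.FingerprintSHA256 produce. The toy key (n=3233, e=17) used for the self-check is a constructed value, not a real key; the function names are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
)

// appendString appends an SSH "string": a big-endian uint32 length
// prefix followed by the raw bytes (RFC 4251 section 5).
func appendString(b, s []byte) []byte {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	return append(append(b, l[:]...), s...)
}

// mpint encodes a non-negative big integer as an SSH mpint: big-endian
// two's complement, so a leading zero byte is added when the high bit is set.
func mpint(n *big.Int) []byte {
	b := n.Bytes()
	if len(b) > 0 && b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return b
}

// marshalSSHRSA encodes an RSA public key in the OpenSSH wire format
// (RFC 4253 section 6.6): string "ssh-rsa", mpint e, mpint n. This is
// the byte string that the fingerprint is computed over.
func marshalSSHRSA(pub *rsa.PublicKey) []byte {
	var out []byte
	out = appendString(out, []byte("ssh-rsa"))
	out = appendString(out, mpint(big.NewInt(int64(pub.E))))
	out = appendString(out, mpint(pub.N))
	return out
}

// FingerprintSHA256 returns "SHA256:" plus the unpadded base64 of the
// SHA-256 digest of the wire encoding, the same textual form that
// `ssh-keygen -l` and golang.org/x/crypto/ssh.FingerprintSHA256 print.
// Only hashing of a marshalled key happens here; no SSH handshake or
// server code is involved.
func FingerprintSHA256(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(marshalSSHRSA(pub))
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

func main() {
	// Constructed toy key for illustration only (n = 61*53, e = 17);
	// the fingerprint function does not care that it is not a real key.
	toy := &rsa.PublicKey{N: big.NewInt(3233), E: 17}
	fmt.Printf("toy wire bytes: % x\n", marshalSSHRSA(toy))
	fmt.Println("toy fingerprint:", FingerprintSHA256(toy))

	// A freshly generated 2048-bit key, as the controller would have.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("generated key fingerprint:", FingerprintSHA256(&key.PublicKey))
}
```

The wire encoding and the hash are the whole of the computation, which is why a scanner that matches on the module version alone cannot tell whether the flagged server-side code path is ever executed; a symbol-level reachability check (govulncheck does this via call-graph analysis) is the practitioner's way to confirm that rather than reasoning from the import list.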

agarcia-oss commented 2 years ago

Indeed, this task only needs to evaluate the trade-off of updating that dependency. If by doing that we just manage to keep our dependencies up to date and avoid false positives scanning results on third parties, all the better.

mkmik commented 2 years ago

Yeah, keeping the dependencies up to date by default, "no questions asked", as long as tests pass, is a winning strategy. Evaluating the trade-off for every update is a strategy that doesn't scale.