Our cloud security platform discovered "Denial Of Service vulnerability discovered in Golang. (https://github.com/advisories/GHSA-69cg-p879-7622)" in our Bottlerocket OS based EKS worker nodes, which use the amazon-vpc-cni-k8s plugin. Further analysis showed that some plugins are pulled in from this upstream project, and I was asked to report the issue here as well.
Please take a look at this issue and at this comment, and take the necessary action (I assume building the plugins with the Go 1.19 SDK) in order to fix the vulnerability.
While we do build with go1.19 and will cut a release soon, the CNI plugins make no HTTP/2 network requests and thus are not affected by this vulnerability.
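A scanner flagging a Go binary usually keys only on the toolchain version embedded in it, so the check a practitioner wants after a reply like the one above is to read that version straight out of the shipped plugin binaries and compare it against the advisory's fixed release. The tool below is an added example, not code from this project or from the thread; it uses the standard-library `debug/buildinfo` package and takes the required minimum version as a parameter (the `go1.19` default is an assumption taken from this thread, so substitute the exact patch release named in the advisory). It cannot confirm the maintainer's reachability argument that no HTTP/2 code path is exercised; a tool such as `govulncheck` is the right instrument for that, and this check only answers "what was it built with".

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// goVersionRe matches release toolchain versions such as "go1.19" or "go1.19.1".
// Pre-release strings ("go1.19rc1", "devel ...") deliberately do not match, so
// they are reported as unknown rather than silently treated as fixed.
var goVersionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?$`)

// ParseGoVersion turns a toolchain version string into (major, minor, patch).
func ParseGoVersion(v string) (int, int, int, error) {
	m := goVersionRe.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, 0, fmt.Errorf("not a release Go version: %q", v)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, nil
}

// AtLeast reports whether toolchain version v is >= major.minor.patch.
func AtLeast(v string, major, minor, patch int) (bool, error) {
	a, b, c, err := ParseGoVersion(v)
	if err != nil {
		return false, err
	}
	if a != major {
		return a > major, nil
	}
	if b != minor {
		return b > minor, nil
	}
	return c >= patch, nil
}

// BinaryGoVersion reads the Go toolchain version recorded in a compiled binary
// (ELF, PE or Mach-O). Binaries stripped of build info return an error.
func BinaryGoVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// Usage: go run . /opt/cni/bin/loopback /opt/cni/bin/portmap ...
// Exits non-zero if any binary is below the assumed minimum of go1.19.0.
func main() {
	const wantMajor, wantMinor, wantPatch = 1, 19, 0 // assumption from the thread
	failed := false
	for _, path := range os.Args[1:] {
		v, err := BinaryGoVersion(path)
		if err != nil {
			fmt.Printf("UNKNOWN %s: %v\n", path, err)
			failed = true
			continue
		}
		ok, err := AtLeast(v, wantMajor, wantMinor, wantPatch)
		switch {
		case err != nil:
			fmt.Printf("UNKNOWN %s: %s (%v)\n", path, v, err)
			failed = true
		case ok:
			fmt.Printf("OK      %s: built with %s\n", path, v)
		default:
			fmt.Printf("FAIL    %s: built with %s\n", path, v)
			failed = true
		}
	}
	if failed {
		os.Exit(1)
	}
}
```

Run it against the plugin binaries on a node (for example the files under /opt/cni/bin) rather than against a source checkout; the version that matters is the one baked into the artifact actually deployed, which is also what the scanner read.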