grpc-ecosystem / grpc-health-probe

A command-line tool to perform health-checks for gRPC applications in Kubernetes and elsewhere
Apache License 2.0

CVE-2024-34156 / go 1.22.7 update #215

Closed CubicrootXYZ closed 2 months ago

CubicrootXYZ commented 2 months ago

Go versions below 1.22.7 / 1.23.1 are vulnerable to CVE-2024-34156, a bug in encoding/gob's Decoder.Decode. Health probe currently uses the vulnerable version 1.22.4.

Updating to the above-mentioned Go versions should resolve this.

ahmetb commented 2 months ago

The tool does not use this package to begin with.

mmahadikar-ns commented 2 months ago

When can we expect a fix for this?

CubicrootXYZ commented 2 months ago

> The tool does not use this package to begin with.

I do understand that there is no risk to using the binary as-is. Looking at the bigger picture, however, some vulnerability scanners are not able to distinguish that and are alerting for this. In some cases it might not be possible to silence a specific alert for a single binary, creating a situation where the vulnerability needs to be ignored throughout all the checked files or the health probe binary needs to be excluded from the vulnerability scanning.

To circumvent this and to simply stay up to date I'd love to see an update to go 1.22.7 or newer.
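As an added example (not code from grpc-health-probe or its maintainers), the Go program below reproduces what such a version-only scanner does: it reads the toolchain version embedded in a binary's build info and compares it against the fixed releases named in this issue, with no knowledge of whether encoding/gob is actually linked in. The names scanBinary, vulnerableVersion and parseGoVersion are chosen here, not taken from any scanner.

```go
package main

import (
	"debug/buildinfo"
	"strconv"
	"strings"
)

// Fixed patch levels for CVE-2024-34156 as quoted in the issue (1.22.7, 1.23.1),
// keyed by minor version. Earlier minors never received the fix.
var fixedPatch = map[int]int{22: 7, 23: 1}

// parseGoVersion turns "go1.22.4" into [1 22 4]; ok is false for devel/rc strings.
func parseGoVersion(v string) (nums [3]int, ok bool) {
	parts := strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3)
	if len(parts) < 2 {
		return nums, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, false
		}
		nums[i] = n
	}
	return nums, true
}

// vulnerableVersion decides the way a version-only scanner does: compare against
// the fixed release, ignoring whether encoding/gob is reachable (the gap this
// thread describes). Returns false for versions it cannot parse.
func vulnerableVersion(v string) bool {
	nums, ok := parseGoVersion(v)
	if !ok || nums[0] != 1 {
		return false
	}
	fixed, known := fixedPatch[nums[1]]
	if !known {
		return nums[1] < 22
	}
	return nums[2] < fixed
}

// scanBinary reads the toolchain version embedded in a built Go binary (the same
// build-info field scanners read) and reports whether it would be flagged.
func scanBinary(path string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	return bi.GoVersion, vulnerableVersion(bi.GoVersion), nil
}
```

Running scanBinary over a v0.4.33 build reports the 1.22.4 toolchain as flagged regardless of what the binary imports, which is why rebuilding with a fixed toolchain is the only way to clear the alert.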

ahmetb commented 2 months ago

Fixed in v0.4.34.