jimmidyson / configmap-reload

Simple binary to trigger a reload when a Kubernetes ConfigMap is updated
Apache License 2.0
983 stars, 193 forks

Critical vulnerability impacting configmap-reload #69

Closed dugalp closed 2 years ago

dugalp commented 2 years ago

Hi,

We are an enterprise using configmap-reload and found there is a critical vulnerability impacting the latest version available, CVE-2021-38297.

It impacts the following versions of Go which may be used by configmap-reload: go:1.15.7, go:1.15.1, go:1.13.6, go:1.16.7, go:1.17.1, go:1.16.1, go:1.16.5.

It is fixed in 1.17.2 and 1.16.9.

Is there a possibility to point us to a fixed version if it exists, or help create a new version that includes a fix for the image?

Thank you,

jimmidyson commented 2 years ago

Thanks for the report! This doesn't affect v0.6.1 at least as it is built with go 1.17.5 - see https://app.circleci.com/pipelines/github/jimmidyson/configmap-reload/52/workflows/70bd2d51-4466-4c25-a01e-0f46f25027de/jobs/370?invite=true#step-0-15 using golang@sha256:eb61213fe612b6af346cab13c2b81f1b8113f9ccf23a5ca6b54fede8ffd63bc7 which is go 1.17.5:

$ docker run --rm golang@sha256:eb61213fe612b6af346cab13c2b81f1b8113f9ccf23a5ca6b54fede8ffd63bc7 go version

go version go1.17.5 linux/amd64

dugalp commented 2 years ago

Thank you, Jimmi, for the informative and prompt response.

Can you check and confirm whether the critical CVE here, CVE-2021-42377 (https://nvd.nist.gov/vuln/detail/CVE-2021-42377), would be relevant for your configmap-reload project?

It seems to be a rare thing or irrelevant to your project but good to check with you.

Thank you!

jimmidyson commented 2 years ago

I haven't looked into the vulnerabilities in detail, but note that they affect busybox 1.33.x. Our latest release v0.7.0 is built on busybox 1.34, so it is not affected.

rammahapatra-qlik commented 2 years ago

@jimmidyson https://github.com/jimmidyson/configmap-reload/blob/0eab74404b717a8b59ca06fb6b3631ac2bba5a8a/Makefile#L39-L43

In the v0.7 Makefile, busybox:1.33.x is still there. Could you please check and look into this?

jimmidyson commented 2 years ago

:facepalm: Sorry, my mistake - I renamed master to main and lost a commit along the way... I've just tagged v0.7.1 which includes the fix - https://github.com/jimmidyson/configmap-reload/commit/8dea60c0015a97425d16ac170a6084a016262228 - images will be available soon.
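Added example, not code from the configmap-reload project or from anyone in the thread: a small Go program that applies the version check the thread performs by hand (go 1.17.5 against the 1.17.2 / 1.16.9 fixed releases quoted for CVE-2021-38297, and busybox 1.33.x against 1.34 for CVE-2021-42377) to a list of toolchain and base-image version strings, including a raw `go version` output line. The fixed versions are the ones quoted in the thread, the candidate lists are constructed, and the function names are the example's own. Two assumptions are built in: a release line newer than every listed backport is treated as already carrying the fix, and a tag that does not parse as a dotted number (such as `latest`) is reported as affected rather than silently skipped.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed dotted release such as go1.17.5 or busybox 1.33.1.
type Version struct{ Major, Minor, Patch int }

// ParseVersion accepts "1.17.5", "go1.17.5", "1.34" (patch defaults to 0) and a
// full `go version` line such as "go version go1.17.5 linux/amd64".
func ParseVersion(s string) (Version, error) {
	s = strings.TrimSpace(s)
	if strings.HasPrefix(s, "go version ") {
		for _, tok := range strings.Fields(s) { // keep only the "go1.x.y" token
			if strings.HasPrefix(tok, "go1.") {
				s = tok
				break
			}
		}
	}
	s = strings.TrimPrefix(s, "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return Version{}, fmt.Errorf("unrecognised version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("unrecognised version %q", s)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less reports whether v sorts before o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// IsFixed reports whether v carries a fix that shipped as the given per-line
// releases. On a line that received a backport, v is fixed iff v >= that
// backport. On a line newer than every backport, v is assumed fixed (the fix
// landed on main before that line was cut). Anything else, including an older,
// end-of-life line, is treated as unfixed.
func IsFixed(v Version, fixes []Version) bool {
	if len(fixes) == 0 {
		return false
	}
	newest := fixes[0]
	for _, f := range fixes {
		if f.Major == v.Major && f.Minor == v.Minor {
			return !v.Less(f)
		}
		if newest.Less(f) {
			newest = f
		}
	}
	return newest.Less(v)
}

// Affected returns the candidates that still lack the fix. An unparsable
// candidate is reported as affected so a malformed tag never looks safe.
func Affected(candidates, fixedIn []string) ([]string, error) {
	var fixes []Version
	for _, f := range fixedIn {
		fv, err := ParseVersion(f)
		if err != nil {
			return nil, err
		}
		fixes = append(fixes, fv)
	}
	var out []string
	for _, c := range candidates {
		if v, err := ParseVersion(c); err != nil || !IsFixed(v, fixes) {
			out = append(out, c)
		}
	}
	return out, nil
}

func main() {
	// Constructed inputs: the toolchains listed in the issue plus the
	// `go version` line reported for the v0.6.1 build image.
	goVersions := []string{"go1.15.7", "go1.15.1", "go1.13.6", "go1.16.7",
		"go1.17.1", "go1.16.1", "go1.16.5", "go version go1.17.5 linux/amd64"}
	goAffected, _ := Affected(goVersions, []string{"1.17.2", "1.16.9"})
	fmt.Println("CVE-2021-38297 still affected:", goAffected)

	// Constructed busybox image tags as they might be pinned in a Makefile;
	// 1.34 is taken as the first fixed line, as stated in the thread.
	bbTags := []string{"1.33.1", "1.33", "1.34", "1.35.0", "latest"}
	bbAffected, _ := Affected(bbTags, []string{"1.34.0"})
	fmt.Println("CVE-2021-42377 still affected:", bbAffected)
}
```

The conservative defaults matter for a release checklist: an image pinned to a floating tag like `latest`, or a toolchain string the parser does not understand, shows up in the affected list and has to be explained rather than disappearing from it.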