search

kiwigrid / k8s-sidecar

This is a docker container intended to run inside a kubernetes cluster to collect config maps with a specified label and store the included files in a local folder.
MIT License
580 stars 181 forks source link

Vulnerabilities for 1.27.4 #352

Closed tunguyen9889 closed 1 month ago

tunguyen9889 commented 3 months ago

kiwigrid/k8s-sidecar:1.27.4 has following vulnerabilities: CVE-2023-42364, CVE-2023-42365, CVE-2024-4741 and CVE-2024-37891. Could you please help patch and release new version?

Thanks in advanced!

➜  ~ docker run --platform linux/amd64 --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image --format table --no-progress --exit-code 0 --offline-scan --timeout 15m kiwigrid/k8s-sidecar:1.27.4
kiwigrid/k8s-sidecar:1.27.4 (alpine 3.20.0)
===========================================
Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 8, HIGH: 0, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                     Title                     │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────┤
│ busybox       │ CVE-2023-42364 │ MEDIUM   │ fixed  │ 1.36.1-r28        │ 1.36.1-r29    │ busybox: use-after-free                       │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364    │
│               ├────────────────┤          │        │                   │               ├───────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                       │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365    │
├───────────────┼────────────────┤          │        │                   │               ├───────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2023-42364 │          │        │                   │               │ busybox: use-after-free                       │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364    │
│               ├────────────────┤          │        │                   │               ├───────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                       │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365    │
├───────────────┼────────────────┤          │        ├───────────────────┼───────────────┼───────────────────────────────────────────────┤
│ libcrypto3    │ CVE-2024-4741  │          │        │ 3.3.0-r2          │ 3.3.0-r3      │ openssl: Use After Free with SSL_free_buffers │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4741     │
├───────────────┤                │          │        │                   │               │                                               │
│ libssl3       │                │          │        │                   │               │                                               │
│               │                │          │        │                   │               │                                               │
├───────────────┼────────────────┤          │        ├───────────────────┼───────────────┼───────────────────────────────────────────────┤
│ ssl_client    │ CVE-2023-42364 │          │        │ 1.36.1-r28        │ 1.36.1-r29    │ busybox: use-after-free                       │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364    │
│               ├────────────────┤          │        │                   │               ├───────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                       │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365    │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────┘
2024-06-27T18:13:09Z    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Python (python-pkg)
===================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ urllib3 (METADATA) │ CVE-2024-37891 │ MEDIUM   │ fixed  │ 2.2.1             │ 1.26.19, 2.2.2 │ urllib3: proxy-authorization request header is not stripped │
│                    │                │          │        │                   │                │ during cross-origin redirects                               │
│                    │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-37891                  │
└────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘
tunguyen9889 commented 3 months ago

Hi @ChristianGeie, could you help check this issue, please?

KemoDesignz commented 3 months ago

Figured I would also add this here,

Vulnerability in 1.27.4

Certifi was patched last week to remove GLOBALTRUST certificate. Seems like this is a dep for this project?

https://nvd.nist.gov/vuln/detail/CVE-2024-39689

Anchore found

CVE-2024-39689 | High | certifi-2024.07.04 | python | cdn.harbor.com/ext.quay.io/kiwigrid/k8s-sidecar:1.27.4 -- | -- | -- | -- | --
tunguyen9889 commented 3 months ago

Yes, I just re-ran the Trivy scan today and saw the CVE-2024-39689 as well:

kiwigrid/k8s-sidecar:1.27.4 (alpine 3.20.0)
===========================================
Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 10, HIGH: 0, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                     Title                      │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────┤
│ busybox       │ CVE-2023-42364 │ MEDIUM   │ fixed  │ 1.36.1-r28        │ 1.36.1-r29    │ busybox: use-after-free                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364     │
│               ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365     │
├───────────────┼────────────────┤          │        │                   │               ├────────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2023-42364 │          │        │                   │               │ busybox: use-after-free                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364     │
│               ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365     │
├───────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────┤
│ libcrypto3    │ CVE-2024-4741  │          │        │ 3.3.0-r2          │ 3.3.0-r3      │ openssl: Use After Free with SSL_free_buffers  │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4741      │
│               ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────┤
│               │ CVE-2024-5535  │          │        │                   │ 3.3.1-r1      │ openssl: SSL_select_next_proto buffer overread │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-5535      │
├───────────────┼────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────┤
│ libssl3       │ CVE-2024-4741  │          │        │                   │ 3.3.0-r3      │ openssl: Use After Free with SSL_free_buffers  │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4741      │
│               ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────┤
│               │ CVE-2024-5535  │          │        │                   │ 3.3.1-r1      │ openssl: SSL_select_next_proto buffer overread │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-5535      │
├───────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2023-42364 │          │        │ 1.36.1-r28        │ 1.36.1-r29    │ busybox: use-after-free                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42364     │
│               ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────┤
│               │ CVE-2023-42365 │          │        │                   │               │ busybox: use-after-free                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42365     │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────┘
2024-07-11T17:39:43Z    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Python (python-pkg)
===================
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ certifi (METADATA) │ CVE-2024-39689 │ LOW      │ fixed  │ 2024.6.2          │ 2024.07.04     │ python-certifi: Remove root certificates from `GLOBALTRUST` │
│                    │                │          │        │                   │                │ from the root store                                         │
│                    │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-39689                  │
├────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ urllib3 (METADATA) │ CVE-2024-37891 │ MEDIUM   │        │ 2.2.1             │ 1.26.19, 2.2.2 │ urllib3: proxy-authorization request header is not stripped │
│                    │                │          │        │                   │                │ during cross-origin redirects                               │
│                    │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-37891                  │
└────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘