kubernetes-csi / external-snapshotter

Sidecar container that watches Kubernetes Snapshot CRD objects and triggers CreateSnapshot/DeleteSnapshot against a CSI endpoint.
Apache License 2.0

Patch Required for Security Issue in Kubernetes CSI Snapshotter v8.0.1 (CVE-2024-24790) #1127

Open arokade-px opened 3 months ago

arokade-px commented 3 months ago

Component: Kubernetes CSI Snapshotter

Version: v8.0.1

Image: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1

Detected by: Aqua Security Trivy

Description:

I have tested the vulnerabilities for the image registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 using the Aqua Security Trivy scanner. The results indicate several vulnerabilities in the Go binary used within the image.

Steps to reproduce the issue:

```
trivy --scanners vuln image registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1
```

GitHub link for Trivy: https://github.com/aquasecurity/trivy

Trivy Scan Results:

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| google.golang.org/grpc | GHSA-xr7q-jx4m-x55m | LOW | fixed | v1.64.0 | 1.64.1 | Private tokens could appear in logs if context containing gRPC metadata is... |
| stdlib | CVE-2024-24790 | CRITICAL | | 1.22.3 | 1.21.11, 1.22.4 | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses |
| stdlib | CVE-2024-24789 | MEDIUM | | | | golang: archive/zip: Incorrect handling of certain ZIP files |
| stdlib | CVE-2024-24791 | MEDIUM | | | 1.21.12, 1.22.5 | net/http: Denial of service due to improper 100-continue handling in net/http |

Details:

  1. Private Tokens in Logs:

    • Library: google.golang.org/grpc
    • Vulnerability: GHSA-xr7q-jx4m-x55m
    • Severity: LOW
    • Description: There is a risk of private tokens appearing in logs if the context containing gRPC metadata is improperly handled.
    • Fixed Version: 1.64.1
    • Advisory: GHSA-xr7q-jx4m-x55m
  2. Unexpected Behavior from Is Methods for IPv4-mapped IPv6 Addresses:

    • Library: stdlib
    • Vulnerability: CVE-2024-24790
    • Severity: CRITICAL
    • Description: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in the net/netip package, leading to potential security risks.
    • Fixed Version: 1.21.11, 1.22.4
    • Advisory: CVE-2024-24790
  3. Incorrect Handling of Certain ZIP Files:

    • Library: stdlib
    • Vulnerability: CVE-2024-24789
    • Severity: MEDIUM
    • Description: The archive/zip package in Go has incorrect handling of certain ZIP files, which can lead to security vulnerabilities.
    • Advisory: CVE-2024-24789
  4. Denial of Service Due to Improper 100-Continue Handling:

    • Library: stdlib
    • Vulnerability: CVE-2024-24791
    • Severity: MEDIUM
    • Description: A denial-of-service vulnerability in the net/http package due to improper handling of the 100-continue response.
    • Fixed Version: 1.21.12, 1.22.5
    • Advisory: CVE-2024-24791

Impact:

These vulnerabilities could potentially affect the security and stability of applications using the csi-snapshotter component, especially the CRITICAL vulnerability in stdlib that can lead to unexpected behaviors or denial of service.

Recommendations:

References:
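The following Go program is an added illustration of item 2 above (CVE-2024-24790, the `net/netip` `Is*` methods and IPv4-mapped IPv6 addresses); it is not code from the issue or from the external-snapshotter project. It contrasts calling the `Is*` predicates directly, which on an unpatched toolchain return `false` for forms such as `::ffff:127.0.0.1`, with first calling `Addr.Unmap()`, which gives the same answer on any Go release. The `blockedPrefixes` list, the function names and the sample addresses are constructed for this example; `Prefix.Contains` is documented never to match an IPv4-mapped IPv6 address against an IPv4 prefix, so the same normalization is applied there too.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isInternalRaw applies the netip predicates directly, the way code affected
// by CVE-2024-24790 does. On a Go release without the fix these return false
// for the IPv4-mapped IPv6 form of an internal IPv4 address.
func isInternalRaw(ip netip.Addr) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// isInternalNormalized unmaps an IPv4-mapped IPv6 address first, so the
// result does not depend on whether the toolchain carries the fix.
func isInternalNormalized(ip netip.Addr) bool {
	return isInternalRaw(ip.Unmap())
}

// blockedPrefixes is a constructed list of internal ranges for this example
// (an assumption, not configuration taken from csi-snapshotter).
var blockedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"),
}

// inBlockedPrefix matches after Unmap(), because Prefix.Contains does not
// match an IPv4-mapped IPv6 address against an IPv4 prefix.
func inBlockedPrefix(ip netip.Addr) bool {
	ip = ip.Unmap()
	for _, p := range blockedPrefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// classify parses a textual address and reports the raw predicate result,
// the normalized result, and whether the address falls in a blocked prefix.
// An unparsable string is reported with ok=false.
func classify(s string) (raw, normalized, blocked, ok bool) {
	ip, err := netip.ParseAddr(s)
	if err != nil {
		return false, false, false, false
	}
	return isInternalRaw(ip), isInternalNormalized(ip), inBlockedPrefix(ip), true
}

func main() {
	// Constructed sample inputs: each address in plain IPv4 form and in its
	// IPv4-mapped IPv6 form, plus one invalid string.
	samples := []string{
		"127.0.0.1", "::ffff:127.0.0.1",
		"10.1.2.3", "::ffff:10.1.2.3",
		"169.254.10.20", "::ffff:169.254.10.20",
		"8.8.8.8", "::ffff:8.8.8.8",
		"not-an-address",
	}
	for _, s := range samples {
		raw, norm, blocked, ok := classify(s)
		if !ok {
			fmt.Printf("%-24s parse error\n", s)
			continue
		}
		fmt.Printf("%-24s raw=%-5v unmapped=%-5v blockedPrefix=%v\n", s, raw, norm, blocked)
	}
}
```

Running it on an unpatched toolchain shows `raw=false` beside `unmapped=true` for the `::ffff:` forms of the internal addresses; on a patched one both columns agree. Either way, normalizing with `Unmap()` before any `Is*` check or prefix match is the version-independent defence.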

arokade-px commented 3 months ago

Any update on this?

k8s-triage-robot commented 3 weeks ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale