Patch Required for Security Issue in Kubernetes CSI Snapshotter v8.0.1 (CVE-2024-24790)

[arokade-px]

Component: Kubernetes CSI Snapshotter

Version: v8.0.1

Image: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1

Detected by: Aqua Security Trivy

Description:

I have tested the vulnerabilities for the image registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 using the Aqua Security Trivy scanner. The results indicate several vulnerabilities in the Go binary used within the image.

Steps to produce the issue:

trivy --scanners vuln image registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1

Github link for Trivy, https://github.com/aquasecurity/trivy

Trivy Scan Results:

• Operating System:

  • OS Family: Debian
  • Version: 12.5
  • Number of Packages Scanned: 3

• Go Binary Vulnerabilities:

  • Total Vulnerabilities Detected: 4
  • LOW: 1
  • MEDIUM: 2
  • HIGH: 0
  • CRITICAL: 1

Library	Vulnerability	Severity	Status	Installed Version	Fixed Version	Title
google.golang.org/grpc	GHSA-xr7q-jx4m-x55m	LOW	fixed	v1.64.0	1.64.1	Private tokens could appear in logs if context containing gRPC metadata is...
						GHSA-xr7q-jx4m-x55m
stdlib	CVE-2024-24790	CRITICAL		1.22.3	1.21.11, 1.22.4	golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
						CVE-2024-24790
stdlib	CVE-2024-24789	MEDIUM				golang: archive/zip: Incorrect handling of certain ZIP files
						CVE-2024-24789
stdlib	CVE-2024-24791	MEDIUM			1.21.12, 1.22.5	net/http: Denial of service due to improper 100-continue handling in net/http
						CVE-2024-24791

Details:

1. Private Tokens in Logs:

   • Library: google.golang.org/grpc
   • Vulnerability: GHSA-xr7q-jx4m-x55m
   • Severity: LOW
   • Description: There is a risk of private tokens appearing in logs if the context containing gRPC metadata is improperly handled.
   • Fixed Version: 1.64.1
   • Advisory: GHSA-xr7q-jx4m-x55m

2. Unexpected Behavior from Is Methods for IPv4-mapped IPv6 Addresses:

   • Library: stdlib
   • Vulnerability: CVE-2024-24790
   • Severity: CRITICAL
   • Description: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in the net/netip package, leading to potential security risks.
   • Fixed Version: 1.21.11, 1.22.4
   • Advisory: CVE-2024-24790

3. Incorrect Handling of Certain ZIP Files:

   • Library: stdlib
   • Vulnerability: CVE-2024-24789
   • Severity: MEDIUM
   • Description: The archive/zip package in Go has incorrect handling of certain ZIP files, which can lead to security vulnerabilities.
   • Advisory: CVE-2024-24789

4. Denial of Service Due to Improper 100-Continue Handling:

   • Library: stdlib
   • Vulnerability: CVE-2024-24791
   • Severity: MEDIUM
   • Description: A denial-of-service vulnerability in the net/http package due to improper handling of the 100-continue response.
   • Fixed Version: 1.21.12, 1.22.5
   • Advisory: CVE-2024-24791

Impact:

These vulnerabilities could potentially affect the security and stability of applications using the csi-snapshotter component, especially the CRITICAL vulnerability in stdlib that can lead to unexpected behaviors or denial of service.

Recommendations:

• Update the Go binary to a version that includes the fixes for the vulnerabilities listed above.
• Consider the severity of each vulnerability and prioritize the fixes based on your environment and use cases.

References:

• Aqua Security Trivy Documentation
• Kubernetes CSI External Snapshotter Releases
• Go Vulnerability Database

[arokade-px]

Any update on this?