kubernetes-sigs / aws-efs-csi-driver

CSI Driver for Amazon EFS https://aws.amazon.com/efs/
Apache License 2.0
693 stars 524 forks

Bump helm charts sidecars versions to resolve CVEs #1365

Closed yash-acquia closed 3 days ago

yash-acquia commented 3 weeks ago

/kind bug

What happened? A scan detected the following CVEs: CVE-2023-45288, CVE-2023-5528, CVE-2024-24786

What you expected to happen? Update sidecar versions in the helm chart:

Updating the above sidecars will fix CVE-2023-45288 and CVE-2024-24786:

| Vulnerability_id | Package Name | Vulnerable Version | Fixed Version | Type |
|---|---|---|---|---|
| CVE-2023-45288 | golang.org/x/net | v0.18.0 | v0.23.0 | gobinary |
| CVE-2024-24786 | google.golang.org/protobuf | v1.31.0 | 1.33.0 | gobinary |

And update the k8s.io/kubernetes version as well:

| Vulnerability_id | Package Name | Vulnerable Version | Fixed Version | Type | Severity |
|---|---|---|---|---|---|
| CVE-2023-5528 | k8s.io/kubernetes | v1.26.10 | 1.28.4, 1.27.8, 1.26.11, 1.25.16 | gobinary | HIGH |

Environment
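As an added check (example code, not from the driver project or the issue author), the fix table above turned into a script that reads `go version -m` output from a sidecar or driver binary and flags every module below its fixed version, honouring the per-branch fix list for k8s.io/kubernetes (v1.27.5 is still vulnerable even though it is newer than 1.26.11). The sample output and the `h1:constructed` hashes are constructed, and treating a branch newer than every listed fix as fixed is an assumption.

```python
# Fix table from the issue's tables. k8s.io/kubernetes lists one fixed version
# per release branch, so "fixed" depends on which branch the binary uses.
FIXED_VERSIONS = {
    "CVE-2023-45288": ("golang.org/x/net", ["0.23.0"]),
    "CVE-2024-24786": ("google.golang.org/protobuf", ["1.33.0"]),
    "CVE-2023-5528": ("k8s.io/kubernetes", ["1.28.4", "1.27.8", "1.26.11", "1.25.16"]),
}
def parse_version(v: str) -> tuple:
    """'v1.26.10' -> (1, 26, 10); pre-release and build suffixes are dropped."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def is_fixed(version: str, fixed: list) -> bool:
    """Fixed if at or above the fix for the same major.minor branch; a branch with
    no listed fix counts as fixed only if newer than every listed branch (assumption)."""
    ver = parse_version(version)
    fixed_parsed = [parse_version(f) for f in fixed]
    same_branch = [f for f in fixed_parsed if f[:2] == ver[:2]]
    if same_branch:
        return ver >= min(same_branch)
    return ver[:2] > max(f[:2] for f in fixed_parsed)

def parse_go_version_m(output: str) -> dict:
    """Map dep module path -> version from `go version -m` output. A '=>' line
    is a replace directive and overrides the dep printed just before it."""
    deps, last = {}, None
    for line in output.splitlines():
        parts = line.strip().split("\t")
        if len(parts) >= 3 and parts[0] == "dep":
            deps[parts[1]] = parts[2]
            last = parts[1]
        elif len(parts) >= 3 and parts[0] == "=>" and last:
            deps[last] = parts[2]
    return deps

def find_vulnerable(deps: dict) -> list:
    """Return (cve, module, version) for every dep below its fixed version."""
    return [(cve, module, deps[module])
            for cve, (module, fixed) in FIXED_VERSIONS.items()
            if module in deps and not is_fixed(deps[module], fixed)]

# Constructed sample output, not taken from a real driver or sidecar image.
SAMPLE = "\n".join([
    "efs-plugin: go1.21.9",
    "\tdep\tgolang.org/x/net\tv0.18.0\th1:constructed",
    "\tdep\tgoogle.golang.org/protobuf\tv1.31.0\th1:constructed",
    "\tdep\tk8s.io/kubernetes\tv1.26.10\th1:constructed",
])
if __name__ == "__main__":
    for cve, module, ver in find_vulnerable(parse_go_version_m(SAMPLE)):
        print(f"{cve}: {module} {ver} is below the fixed version")
```

Run it against a real binary with `go version -m <path-to-binary>` piped into `parse_go_version_m`; the same table drives the check for the driver image and each sidecar.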

omerap12 commented 3 weeks ago

I'll take this. /assign

mskanth972 commented 2 weeks ago

Updated the above PR with the latest information, and an ECD of June 19 was given to merge it. https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1373#issuecomment-2168078537

yash-acquia commented 2 weeks ago

Hey, just a reminder, there is CVE-2023-5528: k8s.io/kubernetes, which is a high-severity vulnerability. Please try to fix that as well; otherwise, the scan will fail. Thanks!

mskanth972 commented 3 days ago

Fixed in the latest version, v2.0.5.