kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

Vulnerabilities reported while scanning v2.4.6 and v2.4.7 images #3100

Closed kadirtaskiran closed 1 year ago

kadirtaskiran commented 1 year ago

Describe the bug

While scanning the v2.4.6 and v2.4.7 docker images of alb ingress controller we see the following vulnerabilities.

[Screenshots: Screen Shot 2023-03-10 at 18 23 21, Screen Shot 2023-03-10 at 18 23 31]

Steps to reproduce

Scan the image for vulnerabilities

Expected outcome

No vulnerabilities

Environment

Additional Context:

Can someone please help me on how to avoid these vulnerabilities?

Thanks, Kadir

oliviassss commented 1 year ago

@kadirtaskiran for the ca-certificate vuln in v2.4.6, we recognized it from our internal scanning and fixed it in v2.4.7. We will continue to address the vulns for future releases.

kishorj commented 1 year ago

I've updated the module dependencies in PR #3114 to fix the CVE.

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

oliviassss commented 1 year ago

Closing the issue as the Vulns have been addressed.