kubernetes-sigs / kustomize

Customization of kubernetes YAML configurations
Apache License 2.0

Vulnerability in stdlib of Kustomize Binary #5762

Closed ilyasamraoui closed 3 weeks ago

ilyasamraoui commented 1 month ago

What happened?

After scanning a Docker image containing kustomize version 5.4.3 using Chainguard, a report indicated that the image contains a vulnerability related to CVE-2024-34156. The vulnerability was found in the stdlib component, as the current kustomize version is using stdlib version 1.21.12.

According to the report, this version of the standard library is vulnerable and should be updated to either version 1.22.7 or version 1.23.1 to address the security issue.

What did you expect to happen?

I expect to have an empty report with no vulnerabilities.

How can we reproduce it (as minimally and precisely as possible)?

Scan the binary using Chainguard.

Expected output

No response

Actual output

No response

Kustomize version

5.4.3

Operating system

Linux

k8s-ci-robot commented 1 month ago

This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

geekyfox90 commented 1 month ago

I encountered the same issue while scanning a Docker image with kustomize version 5.4.3 using Trivy. The scan report flagged CVE-2024-34156 due to the usage of stdlib version 1.21.12, which is vulnerable. According to the report, this version should be updated to stdlib version 1.22.7 or 1.23.1 to resolve the issue.

Could you provide an estimate of when a new version of kustomize will be released with the updated stdlib version that addresses this vulnerability? Additionally, is there any workaround or guidance you can offer in the meantime?

Thanks in advance!

koba1t commented 1 month ago

/assign @koba1t

koba1t commented 1 month ago

I believe this vulnerability is from the go version. So we need to update go.

app/kustomize (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.5            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

koba1t commented 1 month ago

@geekyfox90

Could you provide an estimate of when a new version of kustomize will be released with the updated stdlib version that addresses this vulnerability? Additionally, is there any workaround or guidance you can offer in the meantime?

I believe we don't use encoding/gob package now, so you don't need to do anything.
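
The two points made in this thread, that the flagged stdlib version is decided purely by the Go toolchain the binary was built with and that the fix versions are 1.22.7 and 1.23.1, can be checked against any Go binary without a scanner. The following is an added example written for this discussion, not code from the kustomize project: it reads the build info embedded in a compiled binary (the same data `go version -m` and Trivy read) and applies the per-release-branch rule scanners use to decide whether a toolchain version is at or above the fix. The fix list is taken from the Trivy output quoted above; the function names are my own.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed Go toolchain version such as "go1.22.5".
type goVersion struct {
	major, minor, patch int
}

// parseGoVersion accepts "go1.22.5", "1.22.5" or "go1.22" (patch 0).
// Pre-release strings such as "go1.23rc1" are rejected rather than guessed at:
// a release candidate predates every patch release of its branch.
func parseGoVersion(s string) (goVersion, error) {
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unsupported go version %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return goVersion{}, fmt.Errorf("unsupported go version %q", s)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

func less(a, b goVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// isFixed applies the rule scanners use for stdlib advisories. fixedIn holds
// one fix version per patched release branch (1.22.7 and 1.23.1 here). v is
// fixed if it is at or above the fix on its own branch, or at or above the
// newest fix (later branches inherit it). A branch older than every fixed one,
// such as the 1.21.x the reporters saw, never received a fix and stays flagged.
func isFixed(v goVersion, fixedIn []goVersion) bool {
	if len(fixedIn) == 0 {
		return false // no known fix: treat as unfixed
	}
	var newest goVersion
	for _, f := range fixedIn {
		if f.major == v.major && f.minor == v.minor {
			return !less(v, f)
		}
		if less(newest, f) {
			newest = f
		}
	}
	return !less(v, newest)
}

// fixedByVersion parses a toolchain version string and the advisory's fix list
// and reports whether that toolchain contains the fix.
func fixedByVersion(toolchain string, fixed []string) (bool, error) {
	v, err := parseGoVersion(toolchain)
	if err != nil {
		return false, err
	}
	fixedIn := make([]goVersion, 0, len(fixed))
	for _, f := range fixed {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		fixedIn = append(fixedIn, fv)
	}
	return isFixed(v, fixedIn), nil
}

// checkBinary reads the build info embedded in a compiled Go binary and reports
// its toolchain version and whether that toolchain carries the fix. Build info
// does not list standard-library packages, so it cannot say whether
// encoding/gob is actually linked into the binary.
func checkBinary(path string, fixed []string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err := fixedByVersion(info.GoVersion, fixed)
	return info.GoVersion, ok, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <path-to-go-binary>")
		os.Exit(2)
	}
	// Fix versions for CVE-2024-34156 as listed in the Trivy report above.
	fixed := []string{"1.22.7", "1.23.1"}
	ver, ok, err := checkBinary(os.Args[1], fixed)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	if ok {
		fmt.Printf("%s: built with %s, at or above %v\n", os.Args[1], ver, fixed)
		return
	}
	fmt.Printf("%s: built with %s, below %v; rebuild with a patched toolchain\n", os.Args[1], ver, fixed)
	os.Exit(1)
}
```

Run as `go run . /path/to/kustomize`. The version check settles the scanner finding; it does not settle the separate question raised in this comment, whether the affected `encoding/gob` decoder is reachable at all. Build info carries no record of standard-library imports, so that has to be answered from the source tree, for example with `go list -deps ./... | grep '^encoding/gob$'` in the module being shipped, which prints the package only if some dependency pulls it in.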

koba1t commented 1 month ago

/reopen We need to create a new release.

k8s-ci-robot commented 1 month ago

@koba1t: Reopened this issue.

In response to [this](https://github.com/kubernetes-sigs/kustomize/issues/5762#issuecomment-2374971114):

> /reopen
> We need to create new release.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

koba1t commented 3 weeks ago

A new kustomize binary was released. https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.5.0

/close

k8s-ci-robot commented 3 weeks ago

@koba1t: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/kustomize/issues/5762#issuecomment-2405836471):

> A new kustomize binary was released.
> https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.5.0
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.