kubernetes / dashboard

General-purpose web UI for Kubernetes clusters
Apache License 2.0

Update golang.org/x/net, golang.org/x/text, github.com/docker/distribution libraries in release v2.7.0 to address CVEs #8441

Closed nickstapler-wk closed 8 months ago

nickstapler-wk commented 1 year ago

What should be cleaned up or changed?

These libraries need to be updated to remove vulnerabilities:

Why is this needed?

Vulnerabilities were found in the images of release v2.7.0. Until v3.0.0 becomes stable, a v2.7.1 with CVE fixes would be beneficial for FedRAMP compliance.

trivy image --ignore-unfixed docker.io/kubernetesui/dashboard:v2.7.0
2023-11-02T11:30:00.823-0700    INFO    Need to update DB
2023-11-02T11:30:00.823-0700    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-11-02T11:30:00.823-0700    INFO    Downloading DB...
40.54 MiB / 40.54 MiB [-----------------] 100.00% 14.61 MiB p/s 3.0s
2023-11-02T11:30:05.169-0700    INFO    Vulnerability scanning is enabled
2023-11-02T11:30:05.169-0700    INFO    Secret scanning is enabled
2023-11-02T11:30:05.169-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-02T11:30:05.169-0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-11-02T11:30:05.191-0700    INFO    Number of language-specific files: 1
2023-11-02T11:30:05.191-0700    INFO    Detecting gobinary vulnerabilities...

dashboard (gobinary)
====================
Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 6, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬─────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Status │         Installed Version          │            Fixed Version            │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/distribution │ CVE-2023-2253  │ HIGH     │ fixed  │ v2.8.1+incompatible                │ 2.8.2-beta.1                        │ DoS from malicious API request                               │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2023-2253                    │
├────────────────────────────────┼────────────────┤          │        ├────────────────────────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net               │ CVE-2022-27664 │          │        │ v0.0.0-20220722155237-a158d28d115b │ 0.0.0-20220906165146-f3363e06e74c   │ handle server errors after sending GOAWAY                    │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-27664                   │
│                                ├────────────────┤          │        │                                    ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-41721 │          │        │                                    │ 0.1.1-0.20221104162952-702349b0e862 │ request smuggling                                            │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-41721                   │
│                                ├────────────────┤          │        │                                    ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-41723 │          │        │                                    │ 0.7.0                               │ avoid quadratic complexity in HPACK decoding                 │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-41723                   │
│                                ├────────────────┤          │        │                                    ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-39325 │          │        │                                    │ 0.17.0                              │ rapid stream resets can cause excessive work                 │
│                                │                │          │        │                                    │                                     │ (CVE-2023-44487)                                             │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                                ├────────────────┼──────────┤        │                                    ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-3978  │ MEDIUM   │        │                                    │ 0.13.0                              │ Cross site scripting                                         │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                                ├────────────────┤          │        │                                    ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-44487 │          │        │                                    │ 0.17.0                              │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                                │                │          │        │                                    │                                     │ attack (Rapid...                                             │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├────────────────────────────────┼────────────────┼──────────┤        ├────────────────────────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text              │ CVE-2022-32149 │ HIGH     │        │ v0.3.7                             │ 0.3.8                               │ ParseAcceptLanguage takes a long time to parse complex tags  │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-32149                   │
└────────────────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴─────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

trivy image --ignore-unfixed docker.io/kubernetesui/metrics-scraper:v1.0.9
2023-11-02T11:38:14.090-0700    INFO    Vulnerability scanning is enabled
2023-11-02T11:38:14.090-0700    INFO    Secret scanning is enabled
2023-11-02T11:38:14.090-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-02T11:38:14.090-0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-11-02T11:38:14.099-0700    INFO    Number of language-specific files: 1
2023-11-02T11:38:14.099-0700    INFO    Detecting gobinary vulnerabilities...

metrics-sidecar (gobinary)
==========================
Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 5, CRITICAL: 1)

┌────────────────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬─────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Status │         Installed Version          │            Fixed Version            │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996  │ CRITICAL │ fixed  │ v2.15.0+incompatible               │ 2.16.0                              │ Authorization Bypass Through User-Controlled Key             │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
├────────────────────────────────┼────────────────┼──────────┤        ├────────────────────────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net               │ CVE-2022-27664 │ HIGH     │        │ v0.0.0-20220524220425-1d687d428aca │ 0.0.0-20220906165146-f3363e06e74c   │ handle server errors after sending GOAWAY                    │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-27664                   │
│                                ├────────────────┤          │        │                                    ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-41721 │          │        │                                    │ 0.1.1-0.20221104162952-702349b0e862 │ request smuggling                                            │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-41721                   │
│                                ├────────────────┤          │        │                                    ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-41723 │          │        │                                    │ 0.7.0                               │ avoid quadratic complexity in HPACK decoding                 │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-41723                   │
│                                ├────────────────┤          │        │                                    ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-39325 │          │        │                                    │ 0.17.0                              │ rapid stream resets can cause excessive work                 │
│                                │                │          │        │                                    │                                     │ (CVE-2023-44487)                                             │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                                ├────────────────┼──────────┤        │                                    ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-3978  │ MEDIUM   │        │                                    │ 0.13.0                              │ Cross site scripting                                         │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                                ├────────────────┤          │        │                                    ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-44487 │          │        │                                    │ 0.17.0                              │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                                │                │          │        │                                    │                                     │ attack (Rapid...                                             │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├────────────────────────────────┼────────────────┼──────────┤        ├────────────────────────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text              │ CVE-2022-32149 │ HIGH     │        │ v0.3.7                             │ 0.3.8                               │ ParseAcceptLanguage takes a long time to parse complex tags  │
│                                │                │          │        │                                    │                                     │ https://avd.aquasec.com/nvd/cve-2022-32149                   │
└────────────────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴─────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

k8s-triage-robot commented 9 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 8 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

rlevytskyi commented 3 months ago

Hi All! Any chance Dashboards will be updated with recent Go libraries?