kubernetes / release

Release infrastructure for Kubernetes and related components
Apache License 2.0

CVE reported with distroless-iptables images #3450

Closed jwtty closed 9 months ago

jwtty commented 9 months ago

What happened:

Hi, we are getting CVE notifications from images registry.k8s.io/build-image/distroless-iptables:v0.4.2 and registry.k8s.io/build-image/distroless-iptables:v0.4.4

https://avd.aquasec.com/nvd/2023/cve-2023-6246/
https://avd.aquasec.com/nvd/2023/cve-2023-6779/

What you expected to happen:

New distroless-iptables images with CVEs resolved.

How to reproduce it (as minimally and precisely as possible):

Docker images with registry.k8s.io/build-image/distroless-iptables:v0.4.2 and registry.k8s.io/build-image/distroless-iptables:v0.4.4

Anything else we need to know?:

Environment:

wedaly commented 9 months ago

I also got a report about this. This is the output from trivy:

[screenshot: trivy scan output, not captured]

danwinship commented 9 months ago

FTR the CVE in question should not be exploitable via the kube-proxy image (since neither the iptables binaries nor the nftables binary ever invoke syslog(), and iptables-wrapper.sh likewise should not do anything that would cause anyone else to invoke syslog()).

jwtty commented 9 months ago

Are we going to publish a new image with the CVEs cleared? Thanks

cpanato commented 9 months ago

can you post the tool that you use to scan the image and also the parameters that you run?

fyi, we just rebuilt the images to update it during the go updates

cc @kubernetes/release-engineering

wedaly commented 9 months ago

@cpanato I checked it using trivy. This is the command I ran:

trivy --scanners vuln image --ignore-unfixed --severity HIGH,CRITICAL -f table registry.k8s.io/build-image/distroless-iptables:v0.4.4

xmudrii commented 9 months ago

Using the command that @wedaly provided, I can confirm that registry.k8s.io/build-image/distroless-iptables:v0.4.4 is affected by the mentioned CVEs. However, there are newer versions of that image that are not affected, concretely registry.k8s.io/build-image/distroless-iptables:v0.4.5.

What we can do is update distroless-iptables to v0.4.5 on the release branches. However, we can probably do this out of the box only for the release-1.29 branch because older branches are using a much older distroless-iptables image.

@cpanato do you want to take care of this bump?

xmudrii commented 9 months ago

/priority important-soon

cpanato commented 9 months ago

for the one we just bumped

$ trivy --scanners vuln image --ignore-unfixed --severity HIGH,CRITICAL -f table registry.k8s.io/build-image/distroless-iptables:v0.4.5
2024-02-08T19:35:04.454+0100    INFO    Vulnerability scanning is enabled
2024-02-08T19:35:06.552+0100    INFO    Detected OS: debian
2024-02-08T19:35:06.552+0100    INFO    Detecting Debian vulnerabilities...
2024-02-08T19:35:06.553+0100    INFO    Number of language-specific files: 0

registry.k8s.io/build-image/distroless-iptables:v0.4.5 (debian 12.4)

Total: 0 (HIGH: 0, CRITICAL: 0)

it will be in k/k tomorrow
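The trivy invocations above use --ignore-unfixed and --severity HIGH,CRITICAL and then read the table footer (Total: 0 (HIGH: 0, CRITICAL: 0)) by eye. When the same check has to run in CI, it is easier to ask trivy for JSON (-f json) and reproduce those two filters in code, then fail the job only if the tracked CVE IDs survive them. The script below is an added example; it is not part of this issue thread or of the kubernetes/release project. The two JSON documents are constructed to mimic trivy's output layout (Results -> Vulnerabilities with VulnerabilityID, Severity, FixedVersion), and the package names and Debian version strings in them are illustrative, not copied from a real scan.

```python
"""Gate a container image on trivy JSON output.

Reproduces the filters from the thread's command line
(--ignore-unfixed, --severity HIGH,CRITICAL) and then checks whether
specific CVE IDs are still present. Added example, not project code.
"""
import json

# CVEs from the issue report.
TRACKED_CVES = ("CVE-2023-6246", "CVE-2023-6779")

# Constructed sample resembling `trivy image -f json` output for the
# affected tag. Package names and versions are illustrative only.
SAMPLE_V044 = json.dumps({
    "ArtifactName": "registry.k8s.io/build-image/distroless-iptables:v0.4.4",
    "Results": [{
        "Target": "registry.k8s.io/build-image/distroless-iptables:v0.4.4 (debian 12.4)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-6246", "PkgName": "libc6",
             "InstalledVersion": "2.36-9+deb12u3", "FixedVersion": "2.36-9+deb12u4",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-6779", "PkgName": "libc6",
             "InstalledVersion": "2.36-9+deb12u3", "FixedVersion": "2.36-9+deb12u4",
             "Severity": "HIGH"},
            # Placeholder finding with no fix: dropped by --ignore-unfixed.
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-pkg",
             "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "CRITICAL"},
            # Placeholder finding below the threshold: dropped by --severity.
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-pkg",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "MEDIUM"},
        ],
    }],
})

# Constructed sample for the rebuilt tag: the OS package target has no findings.
SAMPLE_V045 = json.dumps({
    "ArtifactName": "registry.k8s.io/build-image/distroless-iptables:v0.4.5",
    "Results": [{
        "Target": "registry.k8s.io/build-image/distroless-iptables:v0.4.5 (debian 12.4)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [],
    }],
})


def parse_report(text):
    """Decode a trivy JSON report into a dict."""
    return json.loads(text)


def filter_findings(report, severities=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Keep only findings that the thread's trivy flags would have shown:
    severity in the allow-list and, with ignore_unfixed, a FixedVersion set."""
    findings = []
    for result in report.get("Results", []):
        # trivy omits the key entirely when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            findings.append(vuln)
    return findings


def summarize(findings):
    """Counts in the shape of trivy's table footer: Total (HIGH, CRITICAL)."""
    high = sum(1 for v in findings if v["Severity"] == "HIGH")
    critical = sum(1 for v in findings if v["Severity"] == "CRITICAL")
    return {"Total": len(findings), "HIGH": high, "CRITICAL": critical}


def affected_by(findings, cve_ids):
    """Sorted list of the tracked CVE IDs still present after filtering."""
    present = {v["VulnerabilityID"] for v in findings}
    return sorted(present & set(cve_ids))


def gate(report_json, cve_ids):
    """CI-style verdict for one image scan."""
    findings = filter_findings(parse_report(report_json))
    matched = affected_by(findings, cve_ids)
    return {"summary": summarize(findings), "matched": matched, "clean": not matched}


if __name__ == "__main__":
    for label, sample in (("v0.4.4", SAMPLE_V044), ("v0.4.5", SAMPLE_V045)):
        verdict = gate(sample, TRACKED_CVES)
        s = verdict["summary"]
        print(f"{label}: Total: {s['Total']} (HIGH: {s['HIGH']}, CRITICAL: {s['CRITICAL']})"
              f" tracked CVEs present: {verdict['matched'] or 'none'}")
```

The filtering mirrors the flags rather than the table text, which matters in practice: an unfixed CRITICAL finding is invisible to the command in the thread, so a job that greps the table for "CRITICAL" and a job that parses JSON without the --ignore-unfixed rule will disagree about the same image. Pass ignore_unfixed=False to see the difference on the constructed sample.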

cpanato commented 9 months ago

closing