kubernetes / release

Release infrastructure for Kubernetes and related components
Apache License 2.0

CVE-2024-2961 in `registry.k8s.io/build-image/distroless-iptables:v0.5.3` #3593

Closed aramase closed 5 months ago

aramase commented 6 months ago

What happened:

CVE in registry.k8s.io/build-image/distroless-iptables:v0.5.3 image

➜ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/build-image/distroless-iptables:v0.5.3
2024-04-30T15:09:32.487-0700    INFO    Vulnerability scanning is enabled
2024-04-30T15:09:32.488-0700    INFO    Secret scanning is enabled
2024-04-30T15:09:32.488-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-30T15:09:32.488-0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-04-30T15:09:33.787-0700    INFO    Detected OS: debian
2024-04-30T15:09:33.788-0700    INFO    Detecting Debian vulnerabilities...
2024-04-30T15:09:33.799-0700    INFO    Number of language-specific files: 0

registry.k8s.io/build-image/distroless-iptables:v0.5.3 (debian 12.5)

Total: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version  │                         Title                          │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2024-2961 │ HIGH     │ fixed  │ 2.36-9+deb12u4    │ 2.36-9+deb12u6 │ glibc: Out of bounds write in iconv may lead to remote │
│         │               │          │        │                   │                │ code...                                                │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-2961              │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────┘

What you expected to happen:

New distroless-iptables images with CVEs resolved.
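The gate in the report above is `trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL`: fail the build on any fixed MEDIUM+ finding. As an added example (not code from this issue, from kubernetes/release or from trivy), the script below reproduces that gate over the JSON form of the same scan (`trivy image -f json ...`) and adds the check a practitioner usually wants before paging someone: a dpkg-style version comparison (epoch, upstream, revision; `~` sorts before everything), so a Debian finding only fails the gate when the installed package really is older than the fixed version. The embedded report is constructed; it assumes trivy's JSON field names (`Results`, `Vulnerabilities`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), mirrors the libc6 row from the table, and uses `CVE-0000-00000` as a placeholder for an unfixed entry, not a real advisory.

```python
"""Gate a trivy JSON report the way the issue's command line does.

Added example, not kubernetes/release or trivy code. Mirrors
`--exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL` and adds a
dpkg-style version check so a Debian finding only counts when
InstalledVersion is actually older than FixedVersion.
"""
import json
import sys

# Constructed report; field names assume trivy's JSON schema. The libc6
# record mirrors the issue's table. CVE-0000-00000 is a placeholder for an
# unfixed finding, not a real advisory.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.k8s.io/build-image/distroless-iptables:v0.5.3",
    "Results": [{
        "Target": "registry.k8s.io/build-image/distroless-iptables:v0.5.3 (debian 12.5)",
        "Class": "os-pkgs", "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-2961", "PkgName": "libc6", "Status": "fixed",
             "InstalledVersion": "2.36-9+deb12u4", "FixedVersion": "2.36-9+deb12u6",
             "Severity": "HIGH", "Title": "glibc: Out of bounds write in iconv"},
            {"VulnerabilityID": "CVE-0000-00000", "PkgName": "placeholder-pkg",
             "Status": "affected", "InstalledVersion": "1.0-1", "FixedVersion": "",
             "Severity": "HIGH", "Title": "placeholder: no fix available"},
        ],
    }],
}


def _order(ch):
    """dpkg character weight: '~' < end-of-string/digit < letters < other."""
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return -1 if ch == "~" else ord(ch) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":      # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():      # longer numeric run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def deb_version_compare(a, b):
    """<0, 0, >0 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch = 0
        if ":" in v:
            head, v = v.split(":", 1)
            epoch = int(head)
        upstream, sep, revision = v.rpartition("-")
        return epoch, (upstream if sep else v), (revision if sep else "")
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def gate_report(report, severities=("MEDIUM", "HIGH", "CRITICAL"), ignore_unfixed=True):
    """Return the findings that should fail the build (same filters as the CLI)."""
    wanted = {s.upper() for s in severities}
    findings = []
    for result in report.get("Results", []):
        deb_like = result.get("Type") in ("debian", "ubuntu")
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            fixed, installed = v.get("FixedVersion", ""), v.get("InstalledVersion", "")
            if ignore_unfixed and not fixed:
                continue
            # Version sanity check for dpkg-versioned packages only (assumes a single
            # fixed version string): skip entries where the fix is already installed.
            if deb_like and fixed and deb_version_compare(installed, fixed) >= 0:
                continue
            findings.append({"id": v["VulnerabilityID"], "pkg": v.get("PkgName"),
                             "severity": v["Severity"], "installed": installed,
                             "fixed": fixed, "target": result.get("Target")})
    return findings


def exit_code(findings, fail_code=1):
    """Mirror `--exit-code 1`: non-zero only when something failed the gate."""
    return fail_code if findings else 0


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    findings = gate_report(report)
    for f in findings:
        print(f"{f['severity']:<9}{f['id']:<16}{f['pkg']} {f['installed']} -> {f['fixed']}")
    print(f"Total: {len(findings)}")
    return exit_code(findings)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `trivy image -f json registry.k8s.io/build-image/distroless-iptables:v0.5.3 > scan.json && python3 gate.py scan.json`; with no argument it evaluates the constructed report. The version check is deliberately limited to `debian`/`ubuntu` result types, since language-ecosystem packages (`lang-pkgs`) use different version orderings and should be left to the scanner's own verdict.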

jwtty commented 6 months ago

+1 thanks

saschagrunert commented 6 months ago

I assume we're updating the image as part of https://github.com/kubernetes/release/issues/3597 anyways, right @cpanato ?

cpanato commented 6 months ago

Yes, will bump together with the upcoming Go updates.

cpanato commented 6 months ago

/assign

aramase commented 5 months ago

v0.5.4 has been published and has no CVEs. Thanks @cpanato!

➜ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/build-image/distroless-iptables:v0.5.4
2024-06-04T11:00:22.888-0700    INFO    Need to update DB
2024-06-04T11:00:22.888-0700    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-06-04T11:00:22.888-0700    INFO    Downloading DB...
47.72 MiB / 47.72 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 17.13 MiB p/s 3.0s
2024-06-04T11:00:27.195-0700    INFO    Vulnerability scanning is enabled
2024-06-04T11:00:27.196-0700    INFO    Secret scanning is enabled
2024-06-04T11:00:27.196-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-04T11:00:27.196-0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-06-04T11:00:30.690-0700    INFO    Detected OS: debian
2024-06-04T11:00:30.690-0700    INFO    Detecting Debian vulnerabilities...
2024-06-04T11:00:30.701-0700    INFO    Number of language-specific files: 0

registry.k8s.io/build-image/distroless-iptables:v0.5.4 (debian 12.5)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

/close

k8s-ci-robot commented 5 months ago

@aramase: Closing this issue.

In response to [this](https://github.com/kubernetes/release/issues/3593#issuecomment-2148107961):

> `v0.5.4` has been published and has no CVEs. Thanks @cpanato!
>
> ```bash
> ➜ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/build-image/distroless-iptables:v0.5.4
> 2024-06-04T11:00:22.888-0700    INFO    Need to update DB
> 2024-06-04T11:00:22.888-0700    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
> 2024-06-04T11:00:22.888-0700    INFO    Downloading DB...
> 47.72 MiB / 47.72 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 17.13 MiB p/s 3.0s
> 2024-06-04T11:00:27.195-0700    INFO    Vulnerability scanning is enabled
> 2024-06-04T11:00:27.196-0700    INFO    Secret scanning is enabled
> 2024-06-04T11:00:27.196-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
> 2024-06-04T11:00:27.196-0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
> 2024-06-04T11:00:30.690-0700    INFO    Detected OS: debian
> 2024-06-04T11:00:30.690-0700    INFO    Detecting Debian vulnerabilities...
> 2024-06-04T11:00:30.701-0700    INFO    Number of language-specific files: 0
>
> registry.k8s.io/build-image/distroless-iptables:v0.5.4 (debian 12.5)
>
> Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)
> ```
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.