search

kubernetes / release

Release infrastructure for Kubernetes and related components
Apache License 2.0
484 stars 499 forks source link

CVE-2024-4603, CVE-2024-4741 in `registry.k8s.io/build-image/distroless-iptables:v0.6.2` #3740

Open aramase opened 1 week ago

aramase commented 1 week ago

What happened:

CVE in registry.k8s.io/build-image/distroless-iptables:v0.6.2 image

➜ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/build-image/distroless-iptables:v0.6.2       
2024-09-02T23:44:36.552-0700    INFO    Need to update DB
2024-09-02T23:44:36.553-0700    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-09-02T23:44:36.553-0700    INFO    Downloading DB...
52.71 MiB / 52.71 MiB [-----------------------------------------------------------------------------------------------------] 100.00% 20.13 MiB p/s 2.8s
2024-09-02T23:44:40.496-0700    INFO    Vulnerability scanning is enabled
2024-09-02T23:44:40.496-0700    INFO    Secret scanning is enabled
2024-09-02T23:44:40.496-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-02T23:44:40.496-0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-09-02T23:44:48.201-0700    INFO    Detected OS: debian
2024-09-02T23:44:48.201-0700    INFO    Detecting Debian vulnerabilities...
2024-09-02T23:44:48.209-0700    INFO    Number of language-specific files: 0

registry.k8s.io/build-image/distroless-iptables:v0.6.2 (debian 12.6)

Total: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────┬─────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version   │                        Title                        │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2024-4603 │ MEDIUM   │ fixed  │ 3.0.13-1~deb12u1  │ 3.0.14-1~deb12u1 │ openssl: Excessive time spent checking DSA keys and │
│         │               │          │        │                   │                  │ parameters                                          │
│         │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-4603           │
│         ├───────────────┤          │        │                   │                  ├─────────────────────────────────────────────────────┤
│         │ CVE-2024-4741 │          │        │                   │                  │ openssl: Use After Free with SSL_free_buffers       │
│         │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-4741           │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────┴─────────────────────────────────────────────────────┘

What you expected to happen:

New distroless-iptables images with CVEs resolved.

cpanato commented 1 week ago

I will rebuild that in the next cycle

/assign

jwtty commented 4 days ago

Looks like go-runner also needs update:

go-runner (gobinary)
====================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-[34](https://github.com/Azure/kube-egress-gateway/actions/runs/10803240810/job/29966762466?pr=718#step:9:35)156 │ HIGH     │ fixed  │ 1.23.0           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘
BenTheElder commented 3 days ago

We don't actually use OpenSSL? Or we shouldn't be (should be go stdlib crypto)

BenTheElder commented 3 days ago

We can probably drop this from the image. I can't think why we even have it.

Something to investigate for sure ...