projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

Fix cve-2023-5528 in release 3.26 #8974

Open paulgmiller opened 5 days ago

paulgmiller commented 5 days ago

trivy image --ignore-unfixed --severity=HIGH,CRITICAL docker.io/calico/node:v3.26.4 (Also same for mcr.microsoft.com/oss/calico/node:v3.26.4-c06a60 which is a slightly later commit)

┌───────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability │ Severity │ Status │ Installed Version │          Fixed Version           │                         Title                          │
├───────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes │ CVE-2023-5528 │ HIGH     │ fixed  │ v1.26.8           │ 1.28.4, 1.27.8, 1.26.11, 1.25.16 │ kubernetes: Insufficient input sanitization in in-tree │
│                   │               │          │        │                   │                                  │ storage plugin leads to privilege escalation...        │
│                   │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-5528              │
└───────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴────────────────────────────────────────────────────────┘

Expected Behavior

No critical cves in supported releases.

Current Behavior

k8s.io/kubernetes exposes cve https://avd.aquasec.com/nvd/2023/cve-2023-5528/

Possible Solution

Should be fixable with a go mod upgrade to 1.26.11 (can try and make a PR)

Steps to Reproduce (for bugs)

See trivy link at top

Context

AKS still deploys 3.26 calico (and will for a while) so customers are concerned.

Your Environment
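The issue proposes the smallest upgrade that closes the finding: the fixed version on the installed minor line (1.26.11 for an installed v1.26.8), rather than jumping to 1.28.4. The following Python script is an added example, not code from the issue or from the calico project, that turns a trivy JSON report into exactly that per-module target. The embedded report is constructed to mirror the table above; its field names (`Results`, `Vulnerabilities`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Status`) are assumed to match trivy's `-f json` output, so check the keys against a real report if the schema differs.

```python
"""Derive the minimal same-minor-line upgrade for each fixed HIGH/CRITICAL
finding in a trivy JSON report (added example; schema field names assumed)."""
import json
import re

# Constructed sample: the single finding from the issue's table, in trivy's JSON shape.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "usr/bin/calico-node",   # placeholder target path
        "Class": "lang-pkgs",
        "Type": "gobinary",
        "Vulnerabilities": [{
            "VulnerabilityID": "CVE-2023-5528",
            "PkgName": "k8s.io/kubernetes",
            "InstalledVersion": "v1.26.8",
            "FixedVersion": "1.28.4, 1.27.8, 1.26.11, 1.25.16",
            "Severity": "HIGH",
            "Status": "fixed",
            "Title": "kubernetes: Insufficient input sanitization in in-tree "
                     "storage plugin leads to privilege escalation",
        }],
    }],
})


def parse_version(v):
    """Turn 'v1.26.8' or '1.26.11' into a comparable (1, 26, 8) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def minimal_upgrade(installed, fixed_list):
    """Return the lowest fixed version that shares major.minor with `installed`
    and is newer than it, or None when every fix lives on another minor line."""
    inst = parse_version(installed)
    candidates = [parse_version(f) for f in fixed_list.split(",") if f.strip()]
    same_line = [c for c in candidates if c[:2] == inst[:2] and c > inst]
    if not same_line:
        return None
    return "v%d.%d.%d" % min(same_line)


def upgrade_plan(report_json, severities=("HIGH", "CRITICAL")):
    """Return (plan, off_line): plan maps module -> lowest version that closes
    every same-line finding; off_line lists (module, CVE) pairs whose only
    fixes require leaving the installed minor line, so a human must decide."""
    plan = {}
    off_line = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities or vuln.get("Status") != "fixed":
                continue
            target = minimal_upgrade(vuln["InstalledVersion"], vuln["FixedVersion"])
            if target is None:
                off_line.append((vuln["PkgName"], vuln["VulnerabilityID"]))
                continue
            prev = plan.get(vuln["PkgName"])
            # Several CVEs on one module: keep the highest target so all are covered.
            if prev is None or parse_version(target) > parse_version(prev):
                plan[vuln["PkgName"]] = target
    return plan, off_line


if __name__ == "__main__":
    plan, off_line = upgrade_plan(SAMPLE_REPORT)
    for module, version in plan.items():
        print(f"go get {module}@{version}")   # prints: go get k8s.io/kubernetes@v1.26.11
    for module, cve in off_line:
        print(f"# {module}: {cve} has no fix on the installed minor line")
```

Feed it real output from `trivy image -f json <image>` instead of the constructed sample. One caveat for this particular module: k8s.io/kubernetes pins its staging repositories (k8s.io/api, k8s.io/apimachinery, and the rest) through `replace` directives, so bumping it in go.mod normally means bumping each of those replaces to the matching v0.26.11 as well, then running `go mod tidy` and rescanning the rebuilt image to confirm the finding is gone.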

paulgmiller commented 5 days ago

https://github.com/projectcalico/calico/pull/8975 is my naive attempt to address.

paulgmiller commented 5 days ago

Found another CVE in 3.26 with a newer version of trivy so also attached a PR for that

sridhartigera commented 4 days ago

@Behnam-Shobiri Thoughts on this?

Behnam-Shobiri commented 4 days ago

Since 3.26 is out of support, we do not track the CVEs. We encourage everyone to stay on the latest 2 minor versions (the latest patch of them).