Vulnerabilities found in Gloo version 1.16.16

[DreyfussDaena]

Gloo Edge Product

Enterprise

Gloo Edge Version

gloo-ee 1.16.11-alpine (gloo 1.16.16)

Kubernetes Version

v1.28.6

Describe the bug

• CVE-2024-5535(BDSA-2024-4055) 9.1 from openssl 3.0.13-r0

  • solo-io-certgen-sha256-0f69bd73569fec7f1198763dcef76a0035b462f6166ca4e0aaebdff6f946832d.tar
  • solo-io-sds-ee-sha256-d18d5bc61b3eb8685cba86f4c8420ca425a0bb387a1e935c1b062db4489d2be9.tar
  • solo-io-sds-ee-sha256-d18d5bc61b3eb8685cba86f4c8420ca425a0bb387a1e935c1b062db4489d2be9.tar
  • solo-io-gloo-ee-envoy-wrapper-sha256-ee3e08a4b5938a5dc7fe253293c2e51b4ebe72e511348f5a0da607527be1b2d0.tar
  • solo-io-gloo-ee-envoy-wrapper-sha256-ee3e08a4b5938a5dc7fe253293c2e51b4ebe72e511348f5a0da607527be1b2d0.tar

• CVE-2024-24791(BDSA-2024-4102) 7.5 from golang-runtime 1.21.9

  • solo-io-certgen-sha256-0f69bd73569fec7f1198763dcef76a0035b462f6166ca4e0aaebdff6f946832d.tar
  • solo-io-sds-ee-sha256-d18d5bc61b3eb8685cba86f4c8420ca425a0bb387a1e935c1b062db4489d2be9.tar
  • solo-io-kubectl-sha256-fa7dd0185746d74ee5f1e382d576fffc37d67125d1652f5f9eb12a1a8d83070c.tar
  • solo-io-gloo-ee-envoy-wrapper-sha256-ee3e08a4b5938a5dc7fe253293c2e51b4ebe72e511348f5a0da607527be1b2d0.tar
  • solo-io-gloo-ee-sha256-770bede2f9686ad666b3e6ee04943d9db7e4f39df643478cfe1ccb1c8bbb8f06.tar

• CVE-2024-33602(BDSA-2024-2058) 8.6 from glibc2.34-r0

  • solo-io-gloo-ee-envoy-wrapper-sha256-ee3e08a4b5938a5dc7fe253293c2e51b4ebe72e511348f5a0da607527be1b2d0.tar
  • solo-io-gloo-ee-sha256-770bede2f9686ad666b3e6ee04943d9db7e4f39df643478cfe1ccb1c8bbb8f06.tar

• CVE-2024-33601(BDSA-2024-2060) 7.5 from glibc2.34-r0

  • solo-io-gloo-ee-envoy-wrapper-sha256-ee3e08a4b5938a5dc7fe253293c2e51b4ebe72e511348f5a0da607527be1b2d0.tar
  • solo-io-gloo-ee-sha256-770bede2f9686ad666b3e6ee04943d9db7e4f39df643478cfe1ccb1c8bbb8f06.tar

• CVE-2024-2961(BDSA-2024-1765) 7.3 from glibc2.34-r0

  • solo-io-gloo-ee-envoy-wrapper-sha256-ee3e08a4b5938a5dc7fe253293c2e51b4ebe72e511348f5a0da607527be1b2d0.tar
  • solo-io-gloo-ee-sha256-770bede2f9686ad666b3e6ee04943d9db7e4f39df643478cfe1ccb1c8bbb8f06.tar

• CVE-2024-2398(BDSA-2024-0743) 8.6 from curl8.5.0-r0

  • solo-io-gloo-ee-envoy-wrapper-sha256-ee3e08a4b5938a5dc7fe253293c2e51b4ebe72e511348f5a0da607527be1b2d0.tar

Expected Behavior

These vulnerabilities should be resolved asap as they are high and could cause potential security issues.

Steps to reproduce the bug

These vulnerabilities came up on a BlackDuck scan while scanning the gloo images.

Additional Environment Detail

No response

Additional Context

No response

[nfuden]

All Glibc vulnerabilites are unfixable on 1.16-alpine variants as alpine's musl to glibc linker doesnt support newer glibc.

The other one vulnerabilites should be handled in our upcoming 1.16.12 enterprise release