upbound / provider-terraform

A @crossplane provider for Terraform
Apache License 2.0
124 stars 55 forks

V0.16.0 upbound/provider-terraform image has CVE-2023-44487 and CVE-2023-39325 #270

Closed kanchan-dhamane closed 6 days ago

kanchan-dhamane commented 1 month ago

What happened?

We ran Trivy and Twistlock Scans on upbound/provider-terraform:v0.16.0 and found a few vulnerabilities. Following are the critical and high level vulnerabilities we would like to be addressed.

Here is the full Trivy scan report attached. tf-provider-scan.txt

How can we reproduce it?

Run the Trivy scan on the image:

trivy image xpkg.upbound.io/upbound/provider-terraform:v0.16.0 > tf-provider-scan.txt

What environment did it happen in?

Notes

We did a primary investigation. It seems that the versions of golang.org/x/net and google.golang.org/grpc in go.mod are already high enough that they do not contain these vulnerabilities, but the image seems to contain the old versions.

So one guess is the binaries are compiled with older versions.
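An added example (not from this issue or the provider's code base) for the observation in the Notes above: it compares the module versions actually linked into a built Go binary, as `go version -m <binary>` prints them, with the versions go.mod requires, so a binary built from stale dependencies shows up even when go.mod already looks patched. The `go version -m` dump and the go.mod contents below are constructed samples, not the real provider's.

```python
import re

# Constructed sample: the shape of `go version -m <binary>` output (not a real dump).
GO_VERSION_M = """\
provider: go1.21.3
\tpath\tgithub.com/upbound/provider-terraform/cmd/provider
\tmod\tgithub.com/upbound/provider-terraform\t(devel)
\tdep\tgithub.com/hashicorp/go-getter\tv1.7.5\th1:constructed=
\tdep\tgolang.org/x/net\tv0.10.0\th1:constructed=
\tdep\tgoogle.golang.org/grpc\tv1.55.0\th1:constructed=
"""

# Constructed sample go.mod (not the project's real file).
GO_MOD = """\
module github.com/upbound/provider-terraform

go 1.21

require (
\tgithub.com/hashicorp/go-getter v1.7.5
\tgolang.org/x/net v0.17.0
\tgoogle.golang.org/grpc v1.58.3 // indirect
)
"""

def parse_version(v):
    """'v1.58.3' -> (1, 58, 3); pre-release and pseudo-version suffixes are ignored."""
    m = re.match(r"v(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(x) for x in m.groups())

def embedded_versions(go_version_m):
    """Module -> version linked into the binary, taken from the 'dep' lines only."""
    deps = {}
    for line in go_version_m.splitlines():
        fields = line.split("\t")
        if len(fields) >= 4 and fields[1] == "dep":
            deps[fields[2]] = fields[3]
    return deps

def required_versions(go_mod):
    """Module -> version required by go.mod (block and single-line require forms)."""
    pat = re.compile(r"^\s*(?:require\s+)?([\w./-]+)\s+(v\d+\.\d+\.\d+\S*)", re.M)
    return dict(pat.findall(go_mod))

def find_stale_modules(go_version_m, go_mod):
    """Modules where the binary embeds an older version than go.mod requires."""
    built, wanted = embedded_versions(go_version_m), required_versions(go_mod)
    return {mod: (built[mod], wanted[mod]) for mod in built
            if mod in wanted and parse_version(built[mod]) < parse_version(wanted[mod])}

if __name__ == "__main__":
    for mod, (have, want) in find_stale_modules(GO_VERSION_M, GO_MOD).items():
        print(f"{mod}: binary has {have}, go.mod requires {want}")
```

Feed the output of `go version -m` on the provider binary extracted from the image in place of the sample to check a real build.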

bobh66 commented 6 days ago

The first two CVEs are reported against the terraform binary, which we don't compile; we just install the pre-compiled executable. I am investigating if we can install terraform 1.5.7, which is the latest pre-BSL version, but I don't know if that resolves the two CVEs.

The third CVE is resolved by the latest renovate PR that patches go-getter to 1.7.5.