kube-bench
Vulnerabilities CVE-2024-9143 and CVE-2024-34155(6,8) were found in Kube-Bench images
There are some vulnerabilities in the kube-bench image:
$ tar zxf kube-bench_0.9.1_linux_amd64.tar.gz
$ go version ./kube-bench
./kube-bench: go1.22.7
$ trivy version
Version: 0.56.2
Vulnerability DB:
Version: 2
UpdatedAt: 2024-10-24 00:22:57.860059738 +0000 UTC
NextUpdate: 2024-10-25 00:22:57.860059598 +0000 UTC
DownloadedAt: 2024-10-24 01:55:38.655455 +0000 UTC
$ trivy image --scanners vuln docker.io/aquasec/kube-bench:v0.9.1
2024-10-24T10:36:30+08:00 INFO [vuln] Vulnerability scanning is enabled
2024-10-24T10:36:34+08:00 INFO Detected OS family="alpine" version="3.20.3"
2024-10-24T10:36:34+08:00 INFO [alpine] Detecting vulnerabilities... os_version="3.20" repository="3.20" pkg_num=26
2024-10-24T10:36:34+08:00 INFO Number of language-specific files num=2
2024-10-24T10:36:34+08:00 INFO [gobinary] Detecting vulnerabilities...
2024-10-24T10:36:34+08:00 WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.
docker.io/aquasec/kube-bench:v0.9.1 (alpine 3.20.3)
Total: 3 (UNKNOWN: 0, LOW: 3, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-9143 │ LOW │ fixed │ 3.3.2-r0 │ 3.3.2-r1 │ openssl: Low-level invalid GF(2^m) parameters lead to OOB │
│ │ │ │ │ │ │ memory access │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-9143 │
├────────────┤ │ │ │ │ │ │
│ libssl3 │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├────────────┤ │ │ │ │ │ │
│ openssl │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
usr/local/bin/kubectl (gobinary)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-34156 │ HIGH │ fixed │ 1.22.5 │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│ │ │ │ │ │ │ which contains deeply nested structures... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34156 │
│ ├────────────────┼──────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2024-34155 │ MEDIUM │ │ │ │ go/parser: golang: Calling any of the Parse functions │
│ │ │ │ │ │ │ containing deeply nested literals... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34155 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2024-34158 │ │ │ │ │ go/build/constraint: golang: Calling Parse on a "// +build" │
│ │ │ │ │ │ │ build tag line with... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34158 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘
Originally posted by @mozillazg in https://github.com/aquasecurity/kube-bench/issues/1710#issuecomment-2434119579
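The scan above is read by eye, but the same report can gate a build. The script below is an added example written for this page, not kube-bench or Trivy code: it parses the JSON form of a Trivy report (what `trivy image --scanners vuln --format json` emits; the field names follow Trivy's JSON schema), fails only on findings that are severe enough and actually have a fix, and maps each finding to the action that removes it. The embedded report is a constructed stand-in that reproduces the six findings from the issue (three OpenSSL packages in Alpine 3.20.3, three Go stdlib CVEs in the bundled kubectl built with 1.22.5); it is not captured Trivy output. The distinction it makes is the one that matters for this image: the Alpine findings go away with a package upgrade, whereas the kubectl findings are in the Go standard library compiled into that binary, so the only fix is rebuilding or re-fetching kubectl with a patched toolchain, as the kube-bench binary itself (go1.22.7) already was.

```python
"""Gate a Trivy JSON vulnerability report and derive a remediation plan.

Added example for this issue page, not project code. SAMPLE_REPORT is constructed
to mirror the findings reported for docker.io/aquasec/kube-bench:v0.9.1; the keys
follow Trivy's `--format json` schema (Results[].Target/Type/Vulnerabilities[]).
"""
import json
from collections import defaultdict

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed stand-in for `trivy image --scanners vuln --format json ...` output.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "docker.io/aquasec/kube-bench:v0.9.1",
    "Results": [
        {
            "Target": "docker.io/aquasec/kube-bench:v0.9.1 (alpine 3.20.3)",
            "Class": "os-pkgs", "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2024-9143", "PkgName": pkg,
                 "InstalledVersion": "3.3.2-r0", "FixedVersion": "3.3.2-r1",
                 "Status": "fixed", "Severity": "LOW"}
                for pkg in ("libcrypto3", "libssl3", "openssl")
            ],
        },
        {
            "Target": "usr/local/bin/kubectl",
            "Class": "lang-pkgs", "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": cve, "PkgName": "stdlib",
                 "InstalledVersion": "1.22.5", "FixedVersion": "1.22.7, 1.23.1",
                 "Status": "fixed", "Severity": sev}
                for cve, sev in (("CVE-2024-34156", "HIGH"),
                                 ("CVE-2024-34155", "MEDIUM"),
                                 ("CVE-2024-34158", "MEDIUM"))
            ],
        },
    ],
})


def load_findings(report_text):
    """Flatten a Trivy JSON report into one dict per (target, vulnerability)."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for a target with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "type": result.get("Type", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "status": vuln.get("Status", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def blocking_findings(findings, min_severity="HIGH"):
    """Findings that should fail the build: at/above the threshold and fixable.

    Unfixed findings are left out on purpose; there is no version to move to,
    so blocking on them only trains people to ignore the gate.
    """
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], 0) >= threshold and f["fixed"]]


def remediation(findings):
    """Map each scan target to the concrete actions that clear its findings.

    A Go binary's "stdlib" package is the toolchain it was compiled with, so the
    fix is a rebuild with a patched Go, not a package upgrade inside the image.
    """
    plan = defaultdict(set)
    for f in findings:
        if f["type"] == "gobinary" and f["pkg"] == "stdlib":
            plan[f["target"]].add(
                f"rebuild with Go {f['fixed']} (built with {f['installed']})")
        elif f["type"] == "gobinary":
            plan[f["target"]].add(
                f"bump module {f['pkg']} {f['installed']} -> {f['fixed']}")
        else:
            plan[f["target"]].add(
                f"upgrade {f['pkg']} {f['installed']} -> {f['fixed']}")
    return {target: sorted(actions) for target, actions in plan.items()}


def gate(report_text, min_severity="HIGH"):
    """Return (exit_code, blocking findings) the way a CI step would use them."""
    blocking = blocking_findings(load_findings(report_text), min_severity)
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    code, blocking = gate(SAMPLE_REPORT)
    for f in blocking:
        print(f"{f['severity']:8} {f['id']:16} {f['target']} ({f['pkg']} {f['installed']})")
    for target, actions in remediation(load_findings(SAMPLE_REPORT)).items():
        print(target)
        for action in actions:
            print("  -", action)
    raise SystemExit(code)
```

For a plain pass/fail without the remediation mapping, Trivy's own flags do the same job in one line: `trivy image --scanners vuln --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 docker.io/aquasec/kube-bench:v0.9.1`. The script is worth keeping when the report feeds a ticket or a rebuild decision, because it tells you which findings are an `apk upgrade` away and which need a new toolchain.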