kube-rbac-proxy
CVE high security vulnerabilities found in image: quay.io/brancz/kube-rbac-proxy:v0.15.0
Hello Team,
We are using this image: quay.io/brancz/kube-rbac-proxy:v0.15.0, and when scanning it we found two high security vulnerabilities. Could you help fix them?
grype quay.io/brancz/kube-rbac-proxy:v0.15.0
✔ Vulnerability DB [updated]
New version of grype is available: 0.73.2 (currently running: 0.63.0)
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [95 packages]
✔ Scanning image... [6 vulnerabilities]
├── 0 critical, 4 high, 2 medium, 0 low, 0 negligible
└── 4 fixed
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0 0.46.0 go-module GHSA-8pgv-569h-w5rw High
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0 0.44.0 go-module GHSA-rcjv-mgp8-qvmr High
google.golang.org/grpc v1.47.0 1.56.3 go-module GHSA-m425-mq94-257g High
google.golang.org/grpc v1.47.0 1.56.3 go-module GHSA-qppj-fm5r-hxr3 Medium
trivy image quay.io/brancz/kube-rbac-proxy:v0.15.0
2023-11-17T10:13:31.134+0800 INFO Vulnerability scanning is enabled
2023-11-17T10:13:31.134+0800 INFO Secret scanning is enabled
2023-11-17T10:13:31.134+0800 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-17T10:13:31.134+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-11-17T10:13:35.689+0800 INFO Detected OS: debian
2023-11-17T10:13:35.689+0800 INFO Detecting Debian vulnerabilities...
2023-11-17T10:13:35.690+0800 INFO Number of language-specific files: 1
2023-11-17T10:13:35.690+0800 INFO Detecting gobinary vulnerabilities...
quay.io/brancz/kube-rbac-proxy:v0.15.0 (debian 11.8)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
usr/local/bin/kube-rbac-proxy (gobinary)
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 3, CRITICAL: 0)
┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH │ v0.20.0 │ 0.46.0 │ otelgrpc DoS vulnerability due to unbound cardinality │
│ rg/grpc/otelgrpc │ │ │ │ │ metrics │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-47108 │
├──────────────────────────────────────────────────────────────┼─────────────────────┤ │ ├────────────────────────┼────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/net/http/otelht- │ CVE-2023-45142 │ │ │ 0.44.0 │ opentelemetry: DoS vulnerability in otelhttp │
│ tp │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45142 │
├──────────────────────────────────────────────────────────────┼─────────────────────┤ ├───────────────────┼────────────────────────┼────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc │ GHSA-m425-mq94-257g │ │ v1.47.0 │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability │
│ │ │ │ │ │ https://github.com/advisories/GHSA-m425-mq94-257g │
│ ├─────────────────────┼──────────┤ ├────────────────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2023-44487 │ MEDIUM │ │ 1.58.3, 1.57.1, 1.56.3 │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable │
│ │ │ │ │ │ to a DDoS attack... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-44487 │
└──────────────────────────────────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────┴────────────────────────────────────────────────────────────┘
You need to upgrade go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc in https://github.com/brancz/kube-rbac-proxy/blob/master/go.mod#L69 from v0.20.0 to v0.46.0, go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp in https://github.com/brancz/kube-rbac-proxy/blob/master/go.mod#L70 from v0.20.0 to v0.44.0, and google.golang.org/grpc in https://github.com/brancz/kube-rbac-proxy/blob/master/go.mod#L91 from v1.47.0 to v1.56.3.
Thanks
Jane
Thanks for reporting this to us. We will create an update.
Most of the time the CVEs don't impact us directly, as we don't use those code paths.
Those are indirect dependencies. I would need to bump k8s.io, which would lead to a potential error for everyone using deprecated flags. I need to check how to resolve this.
Thanks so much for working on this, appreciated.
Hm, as I am working on that, I am surprised that it claims that we have go.opentelemetry.io/contrib/instrumentation v0.20.0.
We already have a replace directive to bump it to v0.44.0. So CVE-2023-45142 shouldn't be reported. I hope your tool interprets replace directives.
The CVEs are related to the HTTP/2 issue, right? We added the capability to disable HTTP/2.
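The comment above hinges on whether a scanner reads the version from go.mod's `require` line or the version that was actually linked, which is what the `=>` lines in `go version -m <binary>` report. The following is an added example, not code from kube-rbac-proxy or from any of the scanners named in this thread: it parses a constructed `go version -m` listing (module sums are placeholders), lets a same-path replacement override the `dep` line, and compares the effective versions against the fixed versions quoted in the trivy table. Only the advisory IDs, module paths and fixed versions come from the thread; the listing itself is constructed.

```go
// Added example (not part of kube-rbac-proxy): decide which module versions
// are really linked into a Go binary, honouring go.mod replace directives the
// way `go version -m <binary>` reports them, and compare them against the
// fixed versions quoted in the scan output above.
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is one row of the scanner table: module path and first fixed version.
type Advisory struct {
	ID, Module, FixedIn string
}

// Finding is a module that is linked in below its fixed version.
type Finding struct {
	Advisory  Advisory
	Installed string
}

// Constructed `go version -m` output (sums are placeholders). The otelhttp dep
// carries a "=>" replace line, the situation the maintainer describes above;
// otelgrpc and grpc do not.
const SampleBuildInfo = "kube-rbac-proxy: go1.21.4\n" +
	"\tpath\tgithub.com/brancz/kube-rbac-proxy\n" +
	"\tmod\tgithub.com/brancz/kube-rbac-proxy\t(devel)\n" +
	"\tdep\tgo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\tv0.20.0\th1:placeholder=\n" +
	"\t=>\tgo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\tv0.44.0\th1:placeholder=\n" +
	"\tdep\tgo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc\tv0.20.0\th1:placeholder=\n" +
	"\tdep\tgoogle.golang.org/grpc\tv1.47.0\th1:placeholder=\n" +
	"\tbuild\t-buildmode=exe\n"

// Advisories as quoted by trivy/grype in this thread (first fixed version only).
var Advisories = []Advisory{
	{"CVE-2023-45142", "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp", "v0.44.0"},
	{"CVE-2023-47108", "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc", "v0.46.0"},
	{"CVE-2023-44487", "google.golang.org/grpc", "v1.56.3"},
}

// EffectiveVersions parses `go version -m` output and returns module path ->
// version actually linked. A "=>" line overrides the preceding "dep" line; a
// replacement pointing at a different path (a fork) is dropped because the
// advisory's module path no longer describes what was built.
func EffectiveVersions(buildInfo string) map[string]string {
	out := map[string]string{}
	lastDep := ""
	for _, line := range strings.Split(buildInfo, "\n") {
		fields := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		if len(fields) < 3 {
			continue // header, path and build lines carry no module version
		}
		switch fields[0] {
		case "dep":
			lastDep = fields[1]
			out[lastDep] = fields[2]
		case "=>":
			if lastDep == "" {
				continue
			}
			if fields[1] == lastDep {
				out[lastDep] = fields[2]
			} else {
				delete(out, lastDep) // forked replacement: not assessable by path
			}
			lastDep = ""
		}
	}
	return out
}

// VersionLess reports whether semantic version a sorts before b
// (numeric compare of vMAJOR.MINOR.PATCH; pre-release/build tags are ignored).
func VersionLess(a, b string) bool {
	parse := func(v string) [3]int {
		var n [3]int
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i]
		}
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n
	}
	x, y := parse(a), parse(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// Findings returns the advisories whose module is linked in below FixedIn.
func Findings(buildInfo string, advisories []Advisory) []Finding {
	versions := EffectiveVersions(buildInfo)
	var found []Finding
	for _, adv := range advisories {
		if v, ok := versions[adv.Module]; ok && VersionLess(v, adv.FixedIn) {
			found = append(found, Finding{adv, v})
		}
	}
	return found
}

func main() {
	for _, f := range Findings(SampleBuildInfo, Advisories) {
		fmt.Printf("%s: %s %s < fixed %s\n", f.Advisory.ID, f.Advisory.Module, f.Installed, f.Advisory.FixedIn)
	}
}
```

On the constructed input the replaced otelhttp module is judged fixed, while otelgrpc and grpc are still reported; running `go version -m` against the binary in the image and feeding that output to `EffectiveVersions` is the quickest way to settle whether a given scanner result reflects the replace directive or only the `require` line.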
The tools trivy and grype are open source vulnerability scanners; you can install them on your machine and scan the image.
Not sure if you can upgrade the dependencies according to the instructions below?
thanks
Jane
Oh, thanks for the hint. I will check them out!
https://github.com/brancz/kube-rbac-proxy/pull/276, should solve it.
With v0.16.0 only otelgrpc remained, as go.mod has v0.42.0 and the fix is in v0.46.0:
│ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc │ CVE-2023-47108 │ HIGH │ v0.20.0 │ 0.46.0 │ otelgrpc DoS vulnerability due to unbound cardinality │
@ibihim there is still one high security vuln which needs to be fixed:
grype quay.io/brancz/kube-rbac-proxy:v0.16.0
✔ Vulnerability DB [updated]
✔ Parsed image sha256:2e4f0cff00eb27ccf559d9e80b7f4f46c673dcab0979aa1838718df415d4c1ee
✔ Cataloged packages [101 packages]
✔ Scanned for vulnerabilities [1 vulnerability matches]
├── by severity: 0 critical, 1 high, 0 medium, 0 low, 0 negligible
└── by status: 1 fixed, 0 not-fixed, 0 ignored
[0040] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 0.46.0 go-module GHSA-8pgv-569h-w5rw High
Affected code: https://github.com/brancz/kube-rbac-proxy/blob/release-0.16.0/go.mod#L72
Could you help fix it?
thanks
Jane
Hi,
I will take a look, but CVEs in dependencies that are not within the code path of kube-rbac-proxy are not a priority. kube-rbac-proxy doesn't use any instrumentation itself.
I am the only maintainer and I need to prioritize; code changes to satisfy code scanners are not at the top. (In case you are curious: 1. real CVEs, 2. bugs, 3. the work to make it a Kubernetes project.)
It is especially annoying to fix if upstream doesn't care either: https://github.com/kubernetes/kubernetes/pull/121338#issue-1950840866
Should be fixed with: https://github.com/brancz/kube-rbac-proxy/pull/287
@ibihim it looks like CVE-2023-45142 reappeared in v0.17.1 as the go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp version in go.mod decreased from 0.44.0 to 0.35.1
Should be fixed. If not, please reopen. #298