
CVE-2023-47108 "Vulnerability detected affecting otelgrpc v0.42.0" found in kube-rbac-proxy v0.16.0

Open nirav-radia-sp opened this issue 1 year ago • 6 comments

18:58:19 + python /app/cs_imagescan.py --repo <ECR_REPO>/mirror/quay.io/brancz/kube-rbac-proxy --skip-push --tag v0.16.0 -c us-2
18:58:19 INFO Downloading Image Scan Report
18:58:30 INFO Searching for vulnerabilities in scan report...
18:58:30 WARNING HIGH CVE-2023-47108 Vulnerability detected affecting go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0
18:58:30 INFO Searching for leaked secrets in scan report...
18:58:30 INFO Searching for malware in scan report...
18:58:30 INFO Searching for misconfigurations in scan report...
18:58:30 ERROR Exiting: Vulnerability score threshold exceeded: '500' out of '500'

We're seeing the above vulnerability in the latest version (v0.16.0) of kube-rbac-proxy. What is the mitigation timeline for fixing this?

nirav-radia-sp, Feb 28 '24 10:02

I encountered the same issue and committed a PR, but no one replied to me: https://github.com/brancz/kube-rbac-proxy/pull/282

changluyi, Mar 04 '24 03:03

Hi,

I will take a look, but CVEs in dependencies that are not within the code path of kube-rbac-proxy are not a priority. kube-rbac-proxy doesn't use any instrumentation itself.

I am the only maintainer and I need to prioritize, and code changes to satisfy code scanners are not at the top. (In case you are curious: 1. real CVEs, 2. bugs, 3. the work to make it a Kubernetes project.)

https://github.com/kubernetes/kubernetes/pull/121338#issue-1950840866

ibihim, Mar 18 '24 13:03

@changluyi, your PRs are not working.

It would be nice if you could at least check if it builds.

ibihim, Mar 18 '24 13:03

Should be fixed with https://github.com/brancz/kube-rbac-proxy/pull/287

ibihim, Mar 25 '24 13:03

Should be fixed with #287

@ibihim The CVE is pointing to otelgrpc v0.42.0 as the source of the vulnerability, but we have not updated that reference in the above PR. Curious how that fixes the said issue?

nirav-radia-sp, Mar 26 '24 08:03

Does it not? I assumed that k8s fixed it in v1.29.

https://github.com/kubernetes/kubernetes/blob/master/go.mod#L68

Curious why upstream doesn't fix it...

... Anyway, I will try to bump it then by hand. It is not easy to bump the telemetry stuff. It looks like their dependencies are a "Kuddelmuddel", as we would say in Germany. A mess. And it doesn't affect krp.

ibihim, Apr 04 '24 09:04
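As an added illustration (not code from kube-rbac-proxy or from anyone in this thread): a small Python check that reads a go.mod, reports the pinned otelgrpc version and whether it is only an indirect dependency, and compares it against the first fixed release. The go.mod excerpt is constructed, and the fixed version v0.46.0 is an assumption to verify against the advisory for CVE-2023-47108.

```python
import re

# Constructed go.mod excerpt, not the project's real file; the otelgrpc line
# mirrors the version named in the scan report in this thread.
SAMPLE_GO_MOD = """\
module example.invalid/kube-rbac-proxy

go 1.21

require (
\tgithub.com/spf13/cobra v1.8.0
\tgo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 // indirect
\tk8s.io/apiserver v0.29.0
)
"""

OTELGRPC = "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
# Assumed first release with the fix for CVE-2023-47108; confirm against the advisory.
FIXED_VERSION = "v0.46.0"

_REQ = re.compile(r"^(\S+)\s+(v\d+\.\d+\.\d+\S*)\s*(//\s*indirect)?")

def parse_requires(go_mod_text):
    """Return {module_path: (version, is_indirect)} from single-line and block requires."""
    mods, in_block = {}, False
    for line in go_mod_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("require ("):
            in_block = True
            continue
        if in_block and stripped == ")":
            in_block = False
            continue
        if stripped.startswith("require "):
            stripped = stripped[len("require "):].strip()
        elif not in_block:
            continue  # module/go/replace lines are not require entries
        m = _REQ.match(stripped)
        if m:
            mods[m.group(1)] = (m.group(2), m.group(3) is not None)
    return mods

def semver_tuple(v):
    """Numeric (major, minor, patch) of a Go module version, ignoring pre-release/build suffixes."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(x) for x in core.split("."))

def check_module(go_mod_text, module=OTELGRPC, fixed=FIXED_VERSION):
    """Pinned version, whether it is indirect, and whether it predates the fixed release."""
    entry = parse_requires(go_mod_text).get(module)
    if entry is None:
        return None
    version, indirect = entry
    return {"version": version, "indirect": indirect,
            "vulnerable": semver_tuple(version) < semver_tuple(fixed)}
```

An image scanner flags the module whether or not the binary ever calls into it, which is why an indirect, unreachable dependency still trips the threshold shown at the top of this issue.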

Should be fixed. If not, please reopen. #298

ibihim, Jun 05 '24 08:06