
Patch Required for Security Issue in Kubernetes CSI Snapshotter v8.0.1 (CVE-2024-24790)

Open arokade-px opened this issue 1 year ago • 1 comments

Component: Kubernetes CSI Snapshotter

Version: v8.0.1

Image: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1

Detected by: Aqua Security Trivy

Description:

I have tested the vulnerabilities for the image registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1 using the Aqua Security Trivy scanner. The results indicate several vulnerabilities in the Go binary used within the image.

Steps to reproduce the issue:

trivy --scanners vuln image registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1

Github link for Trivy, https://github.com/aquasecurity/trivy

Trivy Scan Results:

  • Operating System:

    • OS Family: Debian
    • Version: 12.5
    • Number of Packages Scanned: 3
  • Go Binary Vulnerabilities:

    • Total Vulnerabilities Detected: 4
      • LOW: 1
      • MEDIUM: 2
      • HIGH: 0
      • CRITICAL: 1
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| google.golang.org/grpc | GHSA-xr7q-jx4m-x55m | LOW | fixed | v1.64.0 | 1.64.1 | Private tokens could appear in logs if context containing gRPC metadata is... |
| stdlib | CVE-2024-24790 | CRITICAL | | 1.22.3 | 1.21.11, 1.22.4 | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses |
| stdlib | CVE-2024-24789 | MEDIUM | | | | golang: archive/zip: Incorrect handling of certain ZIP files |
| stdlib | CVE-2024-24791 | MEDIUM | | | 1.21.12, 1.22.5 | net/http: Denial of service due to improper 100-continue handling in net/http |

Details:

  1. Private Tokens in Logs:

    • Library: google.golang.org/grpc
    • Vulnerability: GHSA-xr7q-jx4m-x55m
    • Severity: LOW
    • Description: There is a risk of private tokens appearing in logs if the context containing gRPC metadata is improperly handled.
    • Fixed Version: 1.64.1
    • Advisory: GHSA-xr7q-jx4m-x55m
  2. Unexpected Behavior from Is Methods for IPv4-mapped IPv6 Addresses:

    • Library: stdlib
    • Vulnerability: CVE-2024-24790
    • Severity: CRITICAL
    • Description: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in the net/netip package, leading to potential security risks.
    • Fixed Version: 1.21.11, 1.22.4
    • Advisory: CVE-2024-24790
  3. Incorrect Handling of Certain ZIP Files:

    • Library: stdlib
    • Vulnerability: CVE-2024-24789
    • Severity: MEDIUM
    • Description: The archive/zip package in Go has incorrect handling of certain ZIP files, which can lead to security vulnerabilities.
    • Advisory: CVE-2024-24789
  4. Denial of Service Due to Improper 100-Continue Handling:

    • Library: stdlib
    • Vulnerability: CVE-2024-24791
    • Severity: MEDIUM
    • Description: A denial-of-service vulnerability in the net/http package due to improper handling of the 100-continue response.
    • Fixed Version: 1.21.12, 1.22.5
    • Advisory: CVE-2024-24791

Impact:

These vulnerabilities could potentially affect the security and stability of applications using the csi-snapshotter component, especially the CRITICAL vulnerability in stdlib that can lead to unexpected behaviors or denial of service.

Recommendations:

  • Update the Go binary to a version that includes the fixes for the vulnerabilities listed above.
  • Consider the severity of each vulnerability and prioritize the fixes based on your environment and use cases.

References:

arokade-px avatar Aug 01 '24 07:08 arokade-px
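Two things from the report above are worth seeing in code rather than in a scanner table: what the CRITICAL finding (CVE-2024-24790) actually means for a Go program that filters peer addresses with `net/netip`, and how to read a "Fixed Version" list like `1.21.11, 1.22.4` against the toolchain version embedded in a binary. The block below is an added example written for this page; it is not code from the issue, from the csi-snapshotter project or from Trivy. The names `classify`, `blocksInternal`, `parseGoVersion` and `isPatched` are my own, and the sample addresses and versions are constructed from the values in the report. It only uses the Go standard library.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Verdict is how an address-based allow/deny filter would classify a peer.
type Verdict struct {
	Mapped    bool // spelled as IPv4-mapped IPv6 (::ffff:a.b.c.d)
	Loopback  bool
	Private   bool
	LinkLocal bool
}

// classify parses s and evaluates the Is* predicates on the *unmapped*
// address. Go 1.22.3 (the toolchain Trivy reports for this image) and
// earlier returned false from IsLoopback/IsPrivate/IsLinkLocalUnicast for
// IPv4-mapped IPv6 addresses (CVE-2024-24790), so a filter that tested the
// raw netip.Addr could be bypassed by writing 127.0.0.1 as ::ffff:127.0.0.1.
// Unmap() collapses the mapped form to plain IPv4 first, which gives the
// same answer on patched and unpatched toolchains.
func classify(s string) (Verdict, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return Verdict{}, err
	}
	u := addr.Unmap()
	return Verdict{
		Mapped:    addr.Is4In6(),
		Loopback:  u.IsLoopback(),
		Private:   u.IsPrivate(),
		LinkLocal: u.IsLinkLocalUnicast(),
	}, nil
}

// blocksInternal is the hardened deny rule: reject anything internal
// regardless of how the address is spelled, and fail closed on garbage.
func blocksInternal(s string) bool {
	v, err := classify(s)
	if err != nil {
		return true
	}
	return v.Loopback || v.Private || v.LinkLocal
}

// parseGoVersion turns "1.22.3" or "go1.22.3" into [major, minor, patch].
func parseGoVersion(s string) ([3]int, error) {
	var v [3]int
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("bad Go version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("bad Go version %q: %w", s, err)
		}
		v[i] = n
	}
	return v, nil
}

// isPatched reports whether the toolchain version embedded in a binary is
// at or past the fix on its own release line. Scanner output lists one fixed
// version per supported line ("1.21.11, 1.22.4"); a 1.22.x binary is fixed
// only by 1.22.4, and 1.21.11 says nothing about it.
func isPatched(installed string, fixed []string) (bool, error) {
	in, err := parseGoVersion(installed)
	if err != nil {
		return false, err
	}
	maxMinor := -1
	for _, f := range fixed {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if fv[0] != in[0] {
			continue
		}
		if fv[1] == in[1] {
			return in[2] >= fv[2], nil // same line: compare the patch number
		}
		if fv[1] > maxMinor {
			maxMinor = fv[1]
		}
	}
	if maxMinor < 0 {
		return false, fmt.Errorf("no fixed version on major line %d", in[0])
	}
	// No fix listed on this line: a newer line was cut after the fix and
	// already carries it; an older line is out of support and unpatched.
	return in[1] > maxMinor, nil
}

func main() {
	for _, s := range []string{"127.0.0.1", "::ffff:127.0.0.1", "::ffff:10.0.0.1", "8.8.8.8"} {
		v, _ := classify(s)
		fmt.Printf("%-18s mapped=%-5v blocked=%v\n", s, v.Mapped, blocksInternal(s))
	}
	// Installed and fixed versions as reported in the Trivy table for CVE-2024-24790.
	ok, _ := isPatched("1.22.3", []string{"1.21.11", "1.22.4"})
	fmt.Println("toolchain 1.22.3 patched for CVE-2024-24790:", ok)
}
```

The version check is the part people get wrong when triaging this kind of finding: Trivy's "1.21.11, 1.22.4" is two independent release lines, so rebuilding the image with Go 1.21.11 would still leave a 1.22.3-built binary flagged, and a binary built with 1.22.4 or any later minor is clear. The `Unmap()` call is the defensive pattern worth keeping even after upgrading, since it makes the filter's behaviour independent of which toolchain the binary happens to be built with.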

Any update on this?

arokade-px avatar Aug 06 '24 05:08 arokade-px

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 04 '24 05:11 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Dec 04 '24 06:12 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Jan 03 '25 06:01 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Jan 03 '25 06:01 k8s-ci-robot