cluster-autoscaler: update otelgrpc to v0.46.0 for SVM
https://nvd.nist.gov/vuln/detail/CVE-2023-47108
Which component are you using?:
cluster-autoscaler
What version of the component are you using?:
master
HIGH CVE-2023-47108 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.45.0 0.46.0 GHSA-8pgv-569h-w5rw COPY /go/autosc
updating to 0.45 works, but 0.46 breaks the build
this seems to do the trick:
go mod edit -replace go.opentelemetry.io/otel/metric=go.opentelemetry.io/otel/[email protected]
go mod edit -replace go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc=go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected]
go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected]
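What matters for a finding like this one is the otelgrpc version the build actually resolves, and a scanner that reads only the require line keeps flagging 0.45.0 after a replace workaround like the one above. The following is an added example (not code from the autoscaler project): it parses go.mod text, lets replace directives override require entries, and compares the effective otelgrpc version against the fixed release v0.46.0 reported by the scanner; the module path and versions come from this issue, and the go.mod lines it is fed in the test are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Affected module and first fixed release, as the scanner reported in this issue.
const otelgrpcPath = "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
var otelgrpcFixed = [3]int{0, 46, 0} // v0.46.0

// effectiveVersions maps each module to the version a build really resolves: the require entry
// unless a replace overrides it (what `go mod edit -replace` does). Single-line and "( ... )" block
// forms are both handled; a replacement by local path carries no version and is skipped.
func effectiveVersions(gomod string) map[string]string {
	versions, block := map[string]string{}, "" // block: "require"/"replace" while inside "( ... )"
	for _, line := range strings.Split(gomod, "\n") {
		f, d := strings.Fields(strings.SplitN(line, "//", 2)[0]), block // drop "// indirect" etc.
		if len(f) == 0 {
			continue
		}
		if f[0] == ")" || len(f) == 2 && f[1] == "(" {
			block = strings.TrimPrefix(f[0], ")") // "require (" opens a block, ")" closes it
			continue
		} else if f[0] == "require" || f[0] == "replace" {
			d, f = f[0], f[1:] // single-line form
		}
		if n := len(f); d == "require" && n >= 2 {
			versions[f[0]] = f[1]
		} else if d == "replace" && n >= 4 && f[n-2] != "=>" {
			versions[f[0]] = f[n-1] // "old [v] => new v": the replacement version wins
		}
	}
	return versions
}

// vulnerableOtelgrpc returns the resolved otelgrpc version and whether it is still below the fix;
// a non-empty version the "v%d.%d.%d" scan cannot read is kept as a finding to review by hand.
func vulnerableOtelgrpc(gomod string) (string, bool) {
	v, have := effectiveVersions(gomod)[otelgrpcPath], [3]int{}
	if n, _ := fmt.Sscanf(v, "v%d.%d.%d", &have[0], &have[1], &have[2]); n != 3 {
		return v, v != "" // "" means the module is not in the build graph at all
	}
	for i := range have {
		if have[i] != otelgrpcFixed[i] {
			return v, have[i] < otelgrpcFixed[i]
		}
	}
	return v, false
}
```

Feed it the contents of the module's go.mod; a require entry at 0.45.0 with a replace pinning 0.46.0 resolves to v0.46.0 and clears the finding, while a replace pointing at a local path leaves the require version in force.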
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
We're largely dependent on this being resolved upstream as it's a dependency we pull in when vendoring k/k: https://github.com/kubernetes/kubernetes/pull/121842
In addition, my reading of this is that we're at low/no risk of it being exploited as we only use the UnaryServerInterceptor in the externalgrpc cloudprovider implementation, and we don't appear to have a metrics pipeline configured for it? Or am I missing something?
just our vuln scanner complaining and I would like to shut it up :D ... so yeah can wait until upstream fixes it, but would like to have it resolved eventually