
CVE-2024-4603, CVE-2024-4741 in `registry.k8s.io/build-image/distroless-iptables:v0.6.2`

Open aramase opened this issue 1 year ago • 4 comments

What happened:

CVE in registry.k8s.io/build-image/distroless-iptables:v0.6.2 image

➜ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/build-image/distroless-iptables:v0.6.2       
2024-09-02T23:44:36.552-0700    INFO    Need to update DB
2024-09-02T23:44:36.553-0700    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-09-02T23:44:36.553-0700    INFO    Downloading DB...
52.71 MiB / 52.71 MiB [-----------------------------------------------------------------------------------------------------] 100.00% 20.13 MiB p/s 2.8s
2024-09-02T23:44:40.496-0700    INFO    Vulnerability scanning is enabled
2024-09-02T23:44:40.496-0700    INFO    Secret scanning is enabled
2024-09-02T23:44:40.496-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-02T23:44:40.496-0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-09-02T23:44:48.201-0700    INFO    Detected OS: debian
2024-09-02T23:44:48.201-0700    INFO    Detecting Debian vulnerabilities...
2024-09-02T23:44:48.209-0700    INFO    Number of language-specific files: 0

registry.k8s.io/build-image/distroless-iptables:v0.6.2 (debian 12.6)

Total: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────┬─────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version   │                        Title                        │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2024-4603 │ MEDIUM   │ fixed  │ 3.0.13-1~deb12u1  │ 3.0.14-1~deb12u1 │ openssl: Excessive time spent checking DSA keys and │
│         │               │          │        │                   │                  │ parameters                                          │
│         │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-4603           │
│         ├───────────────┤          │        │                   │                  ├─────────────────────────────────────────────────────┤
│         │ CVE-2024-4741 │          │        │                   │                  │ openssl: Use After Free with SSL_free_buffers       │
│         │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-4741           │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────┴─────────────────────────────────────────────────────┘

What you expected to happen:

New distroless-iptables images with CVEs resolved.

aramase avatar Sep 03 '24 06:09 aramase

I will rebuild that in the next cycle

/assign

cpanato avatar Sep 04 '24 14:09 cpanato

Looks like go-runner also needs update:

go-runner (gobinary)
====================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.23.0            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

jwtty avatar Sep 11 '24 03:09 jwtty
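The gate that both scans above apply (`--severity MEDIUM,HIGH,CRITICAL`, `--ignore-unfixed`, `--exit-code 1`) reproduced over Trivy's JSON report format, as an added example that is not part of this issue thread or of the Trivy or Kubernetes projects. The report below is constructed to mirror the findings posted above; the extra LOW "affected" entry and its CVE id are invented placeholders used only to show both filters dropping a finding.

```python
"""Gate a Trivy JSON report the way the issue's command line does:
--severity MEDIUM,HIGH,CRITICAL --ignore-unfixed --exit-code 1.
Added example; the report is constructed, not captured from the real images."""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report shaped like `trivy image -f json` output (subset of fields).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.k8s.io/build-image/distroless-iptables:v0.6.2",
    "Results": [
        {"Target": "registry.k8s.io/build-image/distroless-iptables:v0.6.2 (debian 12.6)",
         "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-4603", "PkgName": "libssl3",
              "InstalledVersion": "3.0.13-1~deb12u1", "FixedVersion": "3.0.14-1~deb12u1",
              "Severity": "MEDIUM", "Status": "fixed"},
             {"VulnerabilityID": "CVE-2024-4741", "PkgName": "libssl3",
              "InstalledVersion": "3.0.13-1~deb12u1", "FixedVersion": "3.0.14-1~deb12u1",
              "Severity": "MEDIUM", "Status": "fixed"},
             # Placeholder finding (invented id): LOW severity and no fix available.
             {"VulnerabilityID": "CVE-0000-0000", "PkgName": "libc6",
              "InstalledVersion": "2.36-9+deb12u7", "Severity": "LOW", "Status": "affected"},
         ]},
        {"Target": "go-runner", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-34156", "PkgName": "stdlib",
              "InstalledVersion": "1.23.0", "FixedVersion": "1.22.7, 1.23.1",
              "Severity": "HIGH", "Status": "fixed"},
         ]},
    ],
})


def filter_findings(report_json, min_severity="MEDIUM", ignore_unfixed=True):
    """Return the findings that fail the gate as (target, id, pkg, installed, fixed)."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            # --severity: keep only findings at or above the threshold.
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            # --ignore-unfixed: drop findings with no FixedVersion yet.
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            hits.append((result["Target"], v["VulnerabilityID"], v["PkgName"],
                         v["InstalledVersion"], v.get("FixedVersion", "")))
    return hits


def exit_code(report_json, **kw):
    """Mimic --exit-code 1: non-zero when any finding survives the filters."""
    return 1 if filter_findings(report_json, **kw) else 0
```

Pointing this at `trivy image -f json ...` output for v0.6.2 and v0.6.3 gives a quick way to confirm in CI that the rebuilt image clears the same bar the issue was filed against.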

We don't actually use OpenSSL? Or we shouldn't be (should be go stdlib crypto)

BenTheElder avatar Sep 12 '24 19:09 BenTheElder

We can probably drop this from the image. I can't think why we even have it.

Something to investigate for sure ...

BenTheElder avatar Sep 12 '24 20:09 BenTheElder

registry.k8s.io/build-image/distroless-iptables:v0.6.3 is fine, but we are stopping effort on go1.22.7/1.23.1 , and moving to go1.22.8/1.23.2, so v0.6.4 should be available soon.

trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/build-image/distroless-iptables:v0.6.3
2024-10-15T09:09:13.611-0700	INFO	Need to update DB
2024-10-15T09:09:13.611-0700	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2024-10-15T09:09:13.611-0700	INFO	Downloading DB...
54.29 MiB / 54.29 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 36.30 MiB p/s 1.7s
2024-10-15T09:09:15.770-0700	INFO	Vulnerability scanning is enabled
2024-10-15T09:09:15.770-0700	INFO	Secret scanning is enabled
2024-10-15T09:09:15.770-0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T09:09:15.770-0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2024-10-15T09:09:16.124-0700	INFO	Detected OS: debian
2024-10-15T09:09:16.124-0700	INFO	Detecting Debian vulnerabilities...
2024-10-15T09:09:16.125-0700	INFO	Number of language-specific files: 0

registry.k8s.io/build-image/distroless-iptables:v0.6.3 (debian 12.7)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

haitch avatar Oct 15 '24 16:10 haitch

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jan 13 '25 17:01 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Feb 12 '25 17:02 k8s-triage-robot

The most recent image is v0.7.2, or v0.6.8

/remove-lifecycle rotten /close

BenTheElder avatar Feb 12 '25 18:02 BenTheElder

@BenTheElder: Closing this issue.

In response to this:

The most recent image is v0.7.2, or v0.6.8

/remove-lifecycle rotten /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Feb 12 '25 18:02 k8s-ci-robot