Critical CVE in calico CNI
Hello,
@caseydavenport @gpang-tigera @coutinhop I've scanned several versions of the calico cni image with Trivy, even the latest 3.25-DEV versions, and they are impacted by CVE-2022-1996 of the go-restful v2.11.2 library from the repo github.com/emicklei/go-restful in the path opt/cni/bin/calico. This CVE is fixed in version 2.16 of this library.
Will you fix this CVE in the next version, 3.25?
Regards,
pinging @Behnam-Shobiri
@wicemsmondel github.com/emicklei/go-restful is an indirect dependency (of K8s components). The vulnerable function is not used in any of these components. See: https://github.com/kubernetes/kubernetes/pull/110518
We don't use the impacted feature, ....
Thus, the dependency does not have any effect (we are not vulnerable). cc @caseydavenport @lmm
Great, thanks for following up @Behnam-Shobiri
From our conversation, to fix the scanners we'd need to update the following dependencies:
- k8s.io/kubernetes to v1.25.1
- k8s.io/kube-openapi to v0.0.0-20220803162953-67bda5d908f1
- github.com/onsi/gomega to v1.20.1
@caseydavenport Yes, both in main dependencies and apiserver dependencies.
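As an added example (not code from the Calico project or from anyone in this thread), the Go program below reads `go mod graph` output the way a version-matching scanner does: it traces the path from the root module to an indirect dependency such as github.com/emicklei/go-restful and reports whether the resolved version predates the fixed release (v2.16.0 here). The module graph in `sampleGraph` is constructed, and a `true` result only means the version is old, not that the vulnerable function is reachable.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed `go mod graph` output (sample data, not Calico's graph): one "parent child" edge per line.
const sampleGraph = `github.com/example/app k8s.io/kubernetes@v1.24.0
k8s.io/kubernetes@v1.24.0 k8s.io/kube-openapi@v0.0.0-20220101000000-000000000000
k8s.io/kube-openapi@v0.0.0-20220101000000-000000000000 github.com/emicklei/go-restful@v2.11.2+incompatible`

// ParseGraph turns `go mod graph` text into an adjacency list keyed by "module@version".
func ParseGraph(text string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	return edges
}

// SemverLess compares vMAJOR.MINOR.PATCH only, dropping pseudo-version and "+incompatible" suffixes.
func SemverLess(a, b string) bool {
	num := func(v string) (n [3]int) {
		v = strings.SplitN(strings.SplitN(strings.TrimPrefix(v, "v"), "-", 2)[0], "+", 2)[0]
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n
	}
	x, y := num(a), num(b)
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}

// Trace BFS-walks from root to the first node of module and returns that path (path[1] is the
// direct dependency pulling it in) plus whether the resolved version predates fixed. That is all
// a version-matching scanner checks; whether the vulnerable code is reachable is a separate question.
func Trace(edges map[string][]string, root, module, fixed string) ([]string, bool) {
	seen := map[string]bool{root: true}
	for queue := [][]string{{root}}; len(queue) > 0; queue = queue[1:] {
		path := queue[0]
		node := path[len(path)-1]
		if mv := strings.SplitN(node, "@", 2); mv[0] == module {
			return path, len(mv) == 2 && SemverLess(mv[1], fixed)
		}
		for _, next := range edges[node] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, append(append([]string{}, path...), next))
			}
		}
	}
	return nil, false
}
```

Pipe the real output of `go mod graph` into `ParseGraph` to see which direct dependency drags the flagged module in; after the bump to k8s.io/kubernetes v1.25.1 the same walk should no longer report a version below the fix.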
Hello! Is the same true for calico/node:release-3.25?
Regards,
Hello @yury-kustov-improvado, the same is true for calico/node:release-3.25. I know we are planning to update the K8s version in the next release, so hopefully the next release will not show this CVE at all.
Please note that Calico 3.25.1 was released and the version of K8s was updated. As I mentioned before, it did not have any effect on the previous version either; but, to follow best security practices, it was updated and the CVE was removed. Therefore, this CVE does not exist anymore.
@caseydavenport I think we can close this issue now.
@Behnam-Shobiri @caseydavenport thank you all for your work!