
azure service operator 1.0.45297 vulnerabilities CVE-2022-1996

Open Ailsa-Wu opened this issue 3 years ago • 3 comments

There is still one high vulnerability in kubebuilder-kube-rbac-proxy:v0.13.0 and k8s-azureserviceoperator:1.0.45297.

Need to update go-restful to v3.8.0


Here are the reports: kubebuilder-kube-rbac-proxyv0130-2022-08-01-042715.pdf k8s-azureserviceoperator1045297-2022-08-01-042748.pdf

client-go would fix this issue with the release of k8s 1.25 according to these issues, but the wait time may be very long. https://github.com/kubernetes/client-go/issues/1117 https://github.com/kubernetes/kubernetes/pull/110518

Notice that the module github.com/emicklei/go-restful is actually referenced by k8s.io/kube-openapi, and the latest version of kube-openapi has fixed this issue. Could we update the version of kube-openapi first to fix this issue?

Ailsa-Wu avatar Aug 01 '22 04:08 Ailsa-Wu

I don't believe there is a newer version of kube-rbac-proxy currently available. We will need to wait for the upstream fix of this issue before we can fix it.

matthchr avatar Aug 02 '22 17:08 matthchr

I think this scanned CVE related to go-restful should be a false positive, as ASO doesn't provide any HTTP API. If there is anything wrong, please correct me.

cbl315 avatar Aug 03 '22 07:08 cbl315

ASO technically has some HTTP API, in that it exposes webhooks. With that said, yes, it's very likely ASO is not at risk of this CVE. There is no usage of go-restful's CORS features in ASO or client-go that I can find.

Still, we should fix this CVE just to be clean, and we will do so as soon as we move to a newer version of client-go and kube-rbac-proxy ships a version with a fix.

matthchr avatar Aug 09 '22 00:08 matthchr
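The chain discussed in the thread (go-restful reached only through k8s.io/kube-openapi, which is in turn pulled in by k8s.io/client-go) is exactly what `go mod graph` reports for a module. The following Go program is an added example, not code from ASO or from anyone in this issue: it walks a saved `go mod graph` dump, finds the shortest dependency path from the root module to any version of a target module path, and reports which version sits at the end of that path. The embedded graph is constructed for the example, with illustrative module versions that are not taken from ASO's real go.mod.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGraph is a constructed, trimmed-down imitation of `go mod graph`
// output: one "parent child" edge per line, every non-root node carrying
// an @version suffix. The versions are illustrative placeholders.
const sampleGraph = `github.com/Azure/azure-service-operator k8s.io/client-go@v0.24.0
github.com/Azure/azure-service-operator k8s.io/apimachinery@v0.24.0
k8s.io/client-go@v0.24.0 k8s.io/apimachinery@v0.24.0
k8s.io/client-go@v0.24.0 k8s.io/kube-openapi@v0.0.0-20220000000000-aaaaaaaaaaaa
k8s.io/kube-openapi@v0.0.0-20220000000000-aaaaaaaaaaaa github.com/emicklei/go-restful@v2.9.5+incompatible
k8s.io/apimachinery@v0.24.0 github.com/google/gofuzz@v1.1.0
`

// modPath strips the "@version" suffix from a go mod graph node.
func modPath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// modVersion returns the version part of a node, or "" for the root
// module, which go mod graph prints without a version.
func modVersion(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[i+1:]
	}
	return ""
}

// parseGraph turns go mod graph text into an adjacency list keyed by the
// full "path@version" node string, since the same path can appear at
// several versions in one graph.
func parseGraph(text string) map[string][]string {
	edges := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	return edges
}

// findPath does a breadth-first search from root and returns the first
// (shortest) chain of nodes ending at a module whose path equals target,
// at whatever version, or nil when target is not reachable.
func findPath(edges map[string][]string, root, target string) []string {
	type item struct {
		node string
		path []string
	}
	queue := []item{{root, []string{root}}}
	seen := map[string]bool{root: true}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modPath(cur.node) == target {
			return cur.path
		}
		for _, next := range edges[cur.node] {
			if seen[next] {
				continue
			}
			seen[next] = true
			p := append(append([]string(nil), cur.path...), next)
			queue = append(queue, item{next, p})
		}
	}
	return nil
}

func main() {
	edges := parseGraph(sampleGraph)
	// The pre-/v3 module path is the one the thread says must move to
	// github.com/emicklei/go-restful/v3 v3.8.0; a hit here shows which
	// direct dependency still drags the old major version in.
	path := findPath(edges, "github.com/Azure/azure-service-operator", "github.com/emicklei/go-restful")
	if path == nil {
		fmt.Println("go-restful is not in the module graph")
		return
	}
	fmt.Println(strings.Join(path, " -> "))
	fmt.Println("resolved version:", modVersion(path[len(path)-1]))
}
```

On a real checkout the same answer comes from `go mod graph > graph.txt` followed by this program, or directly from `go mod why -m github.com/emicklei/go-restful`. The path it prints tells you which direct dependency to bump (kube-openapi or client-go, as the thread debates); it says nothing about whether the vulnerable CORS filter is actually reachable from ASO's code, which is a separate question about call paths rather than module versions.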