k8s-rdma-shared-dev-plugin
Critical and high CVEs found in image ghcr.io/mellanox/k8s-rdma-shared-dev-plugin:v1.5.2
The latest release image ghcr.io/mellanox/k8s-rdma-shared-dev-plugin:v1.5.2 contains 2 critical and 4 high CVEs:
| IMAGE | SEVERITY | IMPACTED PACKAGE | FIXED VERSIONS | CVEs |
|---|---|---|---|---|
| ghcr.io/mellanox/k8s-rdma-shared-dev-plugin:v1.5.2 | Critical | 3.18:ssl_client | 1.36.1-r1 | CVE-2022-48174 |
| ghcr.io/mellanox/k8s-rdma-shared-dev-plugin:v1.5.2 | Critical | 3.18:busybox | 1.36.1-r1 | CVE-2022-48174 |
| ghcr.io/mellanox/k8s-rdma-shared-dev-plugin:v1.5.2 | High | 3.18:libcrypto3 | 3.1.4-r0 | CVE-2023-5363 |
| ghcr.io/mellanox/k8s-rdma-shared-dev-plugin:v1.5.2 | High | 3.18:libssl3 | 3.1.4-r0 | CVE-2023-5363 |
| ghcr.io/mellanox/k8s-rdma-shared-dev-plugin:v1.5.2 | High | 3.18:libcrypto3 | 3.1.3-r0 | CVE-2016-7798 |
| ghcr.io/mellanox/k8s-rdma-shared-dev-plugin:v1.5.2 | High | 3.18:libssl3 | 3.1.3-r0 | CVE-2016-7798 |
@gseidlerhpe could you please clarify which CVE scanner you used?

> @gseidlerhpe could you please clarify which CVE scanner you used?

We are using JFrog Xray, version 3.111.15, with the default CVE policy and rules.
I don't think we use dynamic linking, so these libs are not used.
Perhaps we need to switch to distroless to reduce the churn.
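The static-linking claim above is the kind of thing a reviewer wants verified from the shipped binary rather than assumed. The following is an added example, not code from this issue or from the k8s-rdma-shared-dev-plugin project: it reads an ELF file's program headers and reports whether it carries a PT_INTERP entry (a loader path, so the system's libssl3/libcrypto3 would be mapped at start-up) or only a PT_DYNAMIC entry (a static PIE), or neither (fully static, as a Go binary built with CGO_ENABLED=0 is). The minimal ELF images it builds are constructed here purely as sample input; the musl loader path in the test is an assumption, and the binary path inside the image in the usage note is a placeholder.

```python
"""Report whether an ELF binary is dynamically linked by reading its program
headers rather than running it: a PT_INTERP entry names the loader, and a
PT_DYNAMIC entry means there is a dynamic section to resolve."""
import struct

PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3


def parse_elf_phdrs(data: bytes):
    """Return (elf_class, [(p_type, p_offset, p_filesz), ...]) for an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class = data[4]                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian, 2 = big-endian
    if elf_class == 2:
        phoff = struct.unpack_from(endian + "Q", data, 32)[0]      # e_phoff
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
        fmt = endian + "IIQQQQQQ"   # type, flags, offset, vaddr, paddr, filesz, memsz, align
        pick = lambda f: (f[0], f[2], f[5])
    elif elf_class == 1:
        phoff = struct.unpack_from(endian + "I", data, 28)[0]      # e_phoff
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
        fmt = endian + "IIIIIIII"   # type, offset, vaddr, paddr, filesz, memsz, flags, align
        pick = lambda f: (f[0], f[1], f[4])
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    return elf_class, [pick(struct.unpack_from(fmt, data, phoff + i * phentsize))
                       for i in range(phnum)]


def classify_elf(data: bytes) -> dict:
    """Classify linkage as 'dynamic', 'static-pie' or 'static'; return the loader path if any."""
    elf_class, phdrs = parse_elf_phdrs(data)
    interp, has_dynamic = None, False
    for p_type, p_offset, p_filesz in phdrs:
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\x00").decode("ascii", "replace")
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    if interp:
        linkage = "dynamic"        # loader maps shared libraries such as libssl3/libcrypto3
    elif has_dynamic:
        linkage = "static-pie"     # self-relocating, but no shared libraries are loaded
    else:
        linkage = "static"         # e.g. a Go binary built with CGO_ENABLED=0
    return {"class": 64 if elf_class == 2 else 32, "interp": interp, "linkage": linkage}


def build_sample_elf64(interp=None, pie=False) -> bytes:
    """Build a minimal, non-runnable ELF64 image; constructed here only as sample input."""
    types = ([PT_INTERP] if interp is not None else []) \
        + ([PT_DYNAMIC] if (pie or interp is not None) else []) + [PT_LOAD]
    phoff, phentsize = 64, 56
    data_off = phoff + phentsize * len(types)          # interp string follows the phdr table
    interp_blob = interp + b"\x00" if interp is not None else b""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7   # ELF64, LE, version 1, SYSV ABI
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, phoff, 0, 0,
                                 64, phentsize, len(types), 64, 0, 0)
    phdrs = b""
    for t in types:
        size = len(interp_blob) if t == PT_INTERP else 0
        off = data_off if t == PT_INTERP else 0
        phdrs += struct.pack("<IIQQQQQQ", t, 4, off, 0, 0, size, size, 1)
    return header + phdrs + interp_blob


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_elf(fh.read()))
```

To check the shipped image, copy the plugin binary out without starting it (`docker create ghcr.io/mellanox/k8s-rdma-shared-dev-plugin:v1.5.2`, then `docker cp <container>:/PATH/TO/PLUGIN-BINARY ./plugin`; the in-image path is a placeholder here) and run the script on it. A result of `static` means the libssl3/libcrypto3 findings are not reachable through the plugin process itself, although the packages still show up in scans until they are upgraded or removed. The busybox/ssl_client entries are standalone executables rather than libraries the plugin links against, so this check says nothing about them; whether they matter depends on whether anything in the container ever invokes them, which is what moving to a distroless base settles.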
> I don't think we use dynamic linking, so these libs are not used.
> Perhaps we need to switch to distroless to reduce the churn.

Is there an official security bulletin from NVIDIA on these k8s-rdma-shared-dev-plugin:v1.5.2 CVEs stating that the affected libraries are not used?
@gseidlerhpe can you please check the new tag to verify that all the CVEs are fixed? The new tag is: v1.5.3