gpu-operator image - nvcr.io/nvidia/gpu-operator:v23.9.1 - Critical Vulnerabilities Found
Hi Team,
I've deployed the NVIDIA GPU Operator in Azure AKS 1.27.7. The pods are up and running.
However, I see critical vulnerabilities in the "gpu-operator" image. Please have a look at it. It looks like fixes are not available for these components.
Runtime Analysis Details:
The reason for raising this issue is that in some organizations, applications that contain critical vulnerabilities won't be considered unless they are fixed/patched. In this case the fix is not available, but I still thought of getting your feedback/take on this.
Hi Team,
Any feedback or comments on this?
Security scanning provided by NGC shows a different status:
https://catalog.ngc.nvidia.com/orgs/nvidia/containers/gpu-operator/security?tag=v23.9.1&architecture=amd64
There is no critical vulnerability reported by Anchore, which is the tool used by NGC.
We checked internally with our security team, and below is the feedback:
"This is most likely due to the different prioritization of vulnerability feeds. We use feeds closer to the packages before we use NVD.
- Code repo-specific security data (e.g. GHSA)
- Distro specific feeds
- NVD if the package is not covered by #2 or #1.
This has proven to be the most accurate representation of the severity.
It looks like the first scanner uses the severity from NVD (critical), whereas Anchore uses a distro feed (Canonical has this as disputed/low [https://ubuntu.com/security/CVE-2019-1010022])."
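The feed precedence in the quoted feedback, as an added Python example that is not part of this thread or of the GPU Operator project: each finding is resolved to the highest-precedence feed that has data for it, and a gate is then applied to the resolved severity, so the CVE discussed above comes out as low (disputed) via the distro feed rather than NVD's critical. The feed names, the `FeedEntry`/`Finding` structures, the package names and the `CVE-EXAMPLE-*` ids are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Feed precedence as described in the thread: repo-specific advisory data
# (GHSA) first, then the distro's own feed, and NVD only as a fallback.
FEED_PRECEDENCE = ("ghsa", "distro", "nvd")
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class FeedEntry:
    severity: str
    disputed: bool = False  # the feed owner marks the CVE as disputed


@dataclass
class Finding:
    cve: str
    package: str
    feeds: Dict[str, FeedEntry] = field(default_factory=dict)


def resolve(finding: Finding) -> Tuple[str, Optional[str], bool]:
    """Return (severity, feed, disputed) from the first feed, in precedence order, that has data."""
    for feed in FEED_PRECEDENCE:
        entry = finding.feeds.get(feed)
        if entry is not None:
            return entry.severity, feed, entry.disputed
    return "unknown", None, False


def blocking(findings: List[Finding], threshold: str = "critical") -> List[str]:
    """CVEs whose resolved severity meets the gate and is not disputed by the chosen feed."""
    bar = SEVERITY_RANK[threshold]
    return [f.cve for f in findings
            if not resolve(f)[2] and SEVERITY_RANK.get(resolve(f)[0], -1) >= bar]


# Constructed sample: the CVE from the thread (package name assumed) plus two placeholder ids.
SAMPLE = [
    Finding("CVE-2019-1010022", "glibc",
            {"nvd": FeedEntry("critical"), "distro": FeedEntry("low", disputed=True)}),
    Finding("CVE-EXAMPLE-0001", "pkg-a", {"nvd": FeedEntry("critical")}),
    Finding("CVE-EXAMPLE-0002", "pkg-b",
            {"ghsa": FeedEntry("high"), "nvd": FeedEntry("critical")}),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.cve, resolve(f))
    print("blocking at critical:", blocking(SAMPLE))
```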
@francisguillier Thanks for sharing valuable information on this.
Appreciate your input and support.