
Addressing several security vulnerabilities in the version v0.16.2

Open thle40 opened this issue 1 year ago • 1 comments

Release v0.16.2, run under Ubuntu 22.04.4 LTS, contains several vulnerabilities. Some vulnerabilities can be fixed by upgrading the version of the affected packages, as below.

As a requirement of our security remediation process in our org, we would like to report vulnerabilities for this version (though we will follow your release process).

| CVE | Severity | CVSS | Package | Version | Status |
|---|---|---|---|---|---|
| CVE-2024-37371 | medium | 0.00 | krb5 | 1.19.2-2ubuntu0.3 | fixed in 1.19.2-2ubuntu0.4 |
| CVE-2024-37370 | medium | 0.00 | krb5 | 1.19.2-2ubuntu0.3 | fixed in 1.19.2-2ubuntu0.4 |
| CVE-2024-26462 | medium | 0.00 | krb5 | 1.19.2-2ubuntu0.3 | needed |
| CVE-2024-2236 | medium | 0.00 | libgcrypt20 | 1.9.4-3ubuntu3 | deferred |
| CVE-2022-4899 | low | 7.50 | libzstd | 1.4.8+dfsg-3build1 | needed |
| CVE-2023-50495 | low | 6.50 | ncurses | 6.3-2ubuntu0.1 | needed |
| CVE-2016-2781 | low | 6.50 | coreutils | 8.32-4.1ubuntu1.2 | deferred |
| CVE-2023-7008 | low | 5.90 | systemd | 249.11-0ubuntu3.12 | needed |
| CVE-2022-27943 | low | 5.50 | gcc-12 | 12.3.0-1ubuntu1~22.04 | needed |
| CVE-2023-29383 | low | 3.30 | shadow | 1:4.8.1-2ubuntu2.2 | needed |
| CVE-2022-3219 | low | 3.30 | gnupg2 | 2.2.27-3ubuntu2.1 | deferred |
| CVE-2024-5535 | low | 0.00 | openssl | 3.0.2-0ubuntu1.16 | fixed in 3.0.2-0ubuntu1.17 |
| CVE-2024-4741 | low | 0.00 | openssl | 3.0.2-0ubuntu1.16 | fixed in 3.0.2-0ubuntu1.17 |
| CVE-2024-4603 | low | 0.00 | openssl | 3.0.2-0ubuntu1.16 | fixed in 3.0.2-0ubuntu1.17 |
| CVE-2024-26461 | low | 0.00 | krb5 | 1.19.2-2ubuntu0.3 | needed |
| CVE-2024-2511 | low | 0.00 | openssl | 3.0.2-0ubuntu1.16 | fixed in 3.0.2-0ubuntu1.17 |
| CVE-2023-45918 | low | 0.00 | ncurses | 6.3-2ubuntu0.1 | needed |

thle40 avatar Aug 20 '24 15:08 thle40
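The report above mixes findings an image rebuild can close today ("fixed in" a newer package) with findings that stay open until the distribution ships a fix ("needed" or "deferred"). The script below is an added example, not code from the issue or from the k8s-device-plugin project: it parses the pasted row layout (the column order and the three status words are assumptions read off that paste), groups the findings by package, and separates upgrade targets from residual risk, ordering the residual packages by their highest CVSS. The report text embedded in `SAMPLE_REPORT` is copied from the issue, not constructed.

```python
"""Triage a flattened package-scanner report into 'upgrade now' and 'still open'.

Added example, not part of the issue or of the k8s-device-plugin project.
Assumed row layout (from the paste): CVE SEVERITY CVSS PACKAGE VERSION STATUS,
with STATUS one of 'fixed in <version>', 'needed' or 'deferred'.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Rows copied from the issue (not constructed).
SAMPLE_REPORT = """\
CVE SEVERITY CVSS PACKAGE VERSION STATUS
CVE-2024-37371 medium 0.00 krb5 1.19.2-2ubuntu0.3 fixed in 1.19.2-2ubuntu0.4
CVE-2024-37370 medium 0.00 krb5 1.19.2-2ubuntu0.3 fixed in 1.19.2-2ubuntu0.4
CVE-2024-26462 medium 0.00 krb5 1.19.2-2ubuntu0.3 needed
CVE-2024-2236 medium 0.00 libgcrypt20 1.9.4-3ubuntu3 deferred
CVE-2022-4899 low 7.50 libzstd 1.4.8+dfsg-3build1 needed
CVE-2023-50495 low 6.50 ncurses 6.3-2ubuntu0.1 needed
CVE-2016-2781 low 6.50 coreutils 8.32-4.1ubuntu1.2 deferred
CVE-2023-7008 low 5.90 systemd 249.11-0ubuntu3.12 needed
CVE-2022-27943 low 5.50 gcc-12 12.3.0-1ubuntu1~22.04 needed
CVE-2023-29383 low 3.30 shadow 1:4.8.1-2ubuntu2.2 needed
CVE-2022-3219 low 3.30 gnupg2 2.2.27-3ubuntu2.1 deferred
CVE-2024-5535 low 0.00 openssl 3.0.2-0ubuntu1.16 fixed in 3.0.2-0ubuntu1.17
CVE-2024-4741 low 0.00 openssl 3.0.2-0ubuntu1.16 fixed in 3.0.2-0ubuntu1.17
CVE-2024-4603 low 0.00 openssl 3.0.2-0ubuntu1.16 fixed in 3.0.2-0ubuntu1.17
CVE-2024-26461 low 0.00 krb5 1.19.2-2ubuntu0.3 needed
CVE-2024-2511 low 0.00 openssl 3.0.2-0ubuntu1.16 fixed in 3.0.2-0ubuntu1.17
CVE-2023-45918 low 0.00 ncurses 6.3-2ubuntu0.1 needed
"""

ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<severity>\S+)\s+(?P<cvss>\d+(?:\.\d+)?)\s+"
    r"(?P<package>\S+)\s+(?P<version>\S+)\s+(?P<status>.+?)\s*$"
)
FIXED_RE = re.compile(r"^fixed in (\S+)$")


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    cvss: float
    package: str
    version: str  # installed version
    status: str   # 'fixed in <ver>', 'needed' or 'deferred'

    @property
    def fixed_version(self):
        m = FIXED_RE.match(self.status)
        return m.group(1) if m else None


def parse_report(text):
    """Parse the pasted report. Header and blank lines are skipped; any other
    line that does not match the layout raises, so rows are never silently lost."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("CVE SEVERITY"):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report row: {line!r}")
        d = m.groupdict()
        findings.append(Finding(d["cve"], d["severity"].lower(), float(d["cvss"]),
                                d["package"], d["version"], d["status"]))
    return findings


@dataclass
class Triage:
    targets: dict = field(default_factory=dict)            # package -> sorted target versions
    closed_by_upgrade: dict = field(default_factory=dict)  # package -> {cve} closed by upgrading
    pending: dict = field(default_factory=dict)            # package -> {cve} with no fix yet


def triage(findings):
    """Split findings into what a rebuild with upgraded packages closes now
    and what stays open until the distribution publishes a fix."""
    targets, closed, pending = defaultdict(set), defaultdict(set), defaultdict(set)
    for f in findings:
        ver = f.fixed_version
        if ver:
            targets[f.package].add(ver)
            closed[f.package].add(f.cve)
        elif f.status in ("needed", "deferred"):
            pending[f.package].add(f.cve)
        else:
            raise ValueError(f"unknown status {f.status!r} for {f.cve}")
    return Triage({p: sorted(v) for p, v in targets.items()}, dict(closed), dict(pending))


def prioritised_pending(findings, result):
    """Still-open packages ordered by the highest CVSS among their open CVEs
    (ties broken by name), so residual risk an upgrade cannot remove is visible."""
    worst = {}
    for f in findings:
        if f.cve in result.pending.get(f.package, ()):
            worst[f.package] = max(worst.get(f.package, 0.0), f.cvss)
    return sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    res = triage(fs)
    for pkg, vers in res.targets.items():
        print(f"upgrade {pkg} -> {', '.join(vers)} closes {sorted(res.closed_by_upgrade[pkg])}")
    for pkg, score in prioritised_pending(fs, res):
        print(f"still open: {pkg} (max CVSS {score}) {sorted(res.pending[pkg])}")
```

Note that the scanner names source packages (for example `krb5`, `openssl`); the binary packages actually installed in the image carry different names, so the `targets` map is a rebuild checklist rather than a literal install command. A package can appear in both maps, as `krb5` does here: two CVEs close with the upgrade while two more stay open.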

Definitely need these as well. Is it possible to prioritize patching openssl?

jmweir avatar Sep 23 '24 12:09 jmweir

Those CVEs come from Red Hat's UBI 9 base image and they are present even in the latest tag (9.5), which the device plugin uses indirectly. Red Hat also states in the VEX for the image that they won't be fixing most of those OpenSSL CVEs (which are all low anyhow).

chipzoller avatar Dec 18 '24 15:12 chipzoller

That makes sense. I'm curious though, why not just assemble these go binaries on a scratch image? Is it essential to derive the Docker build from UBI9?

jmweir avatar Dec 19 '24 14:12 jmweir

It needs the CUDA libraries and other external dependencies to function.

chipzoller avatar Dec 19 '24 15:12 chipzoller