Security Vulnerabilities
Name and Version
bitnami/kube-state-metrics:2.6.0
What steps will reproduce the bug?
Vulnerabilities scanned by PRISMA tool
What is the expected behavior?
No response
What do you see instead?
Our Security Scanning tools have identified CVEs in the following components listed. Can you please review this and provide an update on the following:
- Documentation that explains the mitigation strategy we can apply to reduce the severity level
- Details on when this is going to be fixed, with the expected version number

Container: kube-state-metrics
Latest Version in use: 2.6.0
Component | Version | Vulnerability | Severity |
---|---|---|---|
ncurses | 6.2+20201114-2 | CVE-2022-29458 | low |
openssl | 1.1.1n-0+deb11u3 | CVE-2022-2097 | low |
pcre2 | 10.36-2 | CVE-2022-1587 | low |
pcre2 | 10.36-2 | CVE-2022-1586 | low |
e2fsprogs | 1.46.2-2 | CVE-2022-1304 | low |
glibc | 2.31-13+deb11u3 | CVE-2021-3999 | low |
libsepol | 3.1-1 | CVE-2021-36087 | low |
libsepol | 3.1-1 | CVE-2021-36086 | low |
libsepol | 3.1-1 | CVE-2021-36085 | low |
libsepol | 3.1-1 | CVE-2021-36084 | low |
libgcrypt20 | 1.8.7-6 | CVE-2021-33560 | low |
db5.3 | 5.3.28+dfsg1-0.8 | CVE-2019-8457 | low |
curl | 7.74.0-1.3+deb11u2 | CVE-2022-35252 | low |
perl | 5.32.1-4+deb11u2 | CVE-2020-16156 | low |
coreutils | 8.32-4 | CVE-2016-2781 | low |
Additional information
No response
Hi, unfortunately, those security vulnerabilities are not fixed by the OS or the application itself, so although we build the images on a regular basis to provide the latest version of system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS or the application.
At this moment there isn't any fixable vulnerability in the base image. There is a fixable vulnerability in the Go binary itself, so the kube-state-metrics developers should release a new version; then our track-and-release system will release it on our side, but at this moment we can't do anything else.
```text
trivy image --ignore-unfixed bitnami/kube-state-metrics:2.6.0
2022-09-09T08:03:27.917Z INFO Vulnerability scanning is enabled
2022-09-09T08:03:27.917Z INFO Secret scanning is enabled
2022-09-09T08:03:27.917Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-09T08:03:27.917Z INFO Please see also https://aquasecurity.github.io/trivy/v0.31.2/docs/secret/scanning/#recommendation for faster secret detection
2022-09-09T08:03:30.089Z INFO Detected OS: debian
2022-09-09T08:03:30.089Z INFO Detecting Debian vulnerabilities...
2022-09-09T08:03:30.102Z INFO Number of language-specific files: 1
2022-09-09T08:03:30.102Z INFO Detecting gobinary vulnerabilities...
bitnami/kube-state-metrics:2.6.0 (debian 11.4)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
opt/bitnami/kube-state-metrics/bin/kube-state-metrics (gobinary)
Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
┌────────────────────────────────┬─────────────────────┬──────────┬─────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────┼─────────────────────┼──────────┼─────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ v2.9.5+incompatible │ 2.16.0 │ go-restful: Authorization Bypass Through User-Controlled Key │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1996 │
│ ├─────────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ │ GHSA-r48q-9g5r-8q2h │ UNKNOWN │ │ │ CORS filters that use an AllowedDomains configuration │
│ │ │ │ │ │ parameter │
│ │ │ │ │ │ can match domains outside the... │
│ │ │ │ │ │ https://github.com/advisories/GHSA-r48q-9g5r-8q2h │
└────────────────────────────────┴─────────────────────┴──────────┴─────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```
The Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04, 20.04 & 22.04, or custom golden image) through the VMware Tanzu Application Catalog.
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Our Security Scanning tools have identified new CVEs in the following components listed. Can you please review this and provide an update on the following:
Severity | Component | Vulnerability |
---|---|---|
critical | go | CVE-2022-32190 |
high | go | CVE-2022-27664 |
As previously mentioned, according to the latest report:
```text
$ trivy image --ignore-unfixed bitnami/kube-state-metrics
2022-09-30T13:27:15.016Z INFO Vulnerability scanning is enabled
2022-09-30T13:27:15.016Z INFO Secret scanning is enabled
2022-09-30T13:27:15.016Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-30T13:27:15.016Z INFO Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-09-30T13:27:17.415Z INFO Detected OS: debian
2022-09-30T13:27:17.415Z INFO Detecting Debian vulnerabilities...
2022-09-30T13:27:17.428Z INFO Number of language-specific files: 1
2022-09-30T13:27:17.428Z INFO Detecting gobinary vulnerabilities...
bitnami/kube-state-metrics (debian 11.5)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
opt/bitnami/kube-state-metrics/bin/kube-state-metrics (gobinary)
Total: 3 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)
┌────────────────────────────────┬─────────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ v2.9.5+incompatible │ 2.16.0 │ go-restful: Authorization Bypass Through User-Controlled Key │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1996 │
│ ├─────────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ │ GHSA-r48q-9g5r-8q2h │ UNKNOWN │ │ │ CORS filters that use an AllowedDomains configuration │
│ │ │ │ │ │ parameter │
│ │ │ │ │ │ can match domains outside the... │
│ │ │ │ │ │ https://github.com/advisories/GHSA-r48q-9g5r-8q2h │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-27664 │ HIGH │ v0.0.0-20220225172249-27dd8689420f │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27664 │
└────────────────────────────────┴─────────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘
```
Those CVEs are part of the kube-state-metrics binary. We are releasing version 2.6.0, which is the latest version released by the upstream project, see https://github.com/kubernetes/kube-state-metrics/releases/tag/v2.6.0. My recommendation in those cases is to ask the upstream developers for a new version where those vulnerabilities are fixed/patched.
carrodher
Hi @carrodher ,
I observed the same CVE as @squarerootwik did.
I'm using images from https://hub.docker.com/layers/bitnami/kube-state-metrics/2.6.0/images/sha256-2b4cf812bd980dd0d9b8b36bac77285ce7e599e65191e478931c64b73bad84e6?context=explore
I understand that the CVEs are from the base image, may I know what exactly the base image is and who is the vendor? I'm going to open a case with the base image vendor to see if they have an idea.
Regards, Wei
The mentioned CVEs are not in the base image (which is Debian bullseye) but in the kube-state-metrics binary itself. You can see that by running trivy; the CVEs are divided by origin (OS, binary, etc.):
```text
$ trivy image --ignore-unfixed bitnami/kube-state-metrics
2022-10-28T06:35:52.320Z INFO Vulnerability scanning is enabled
2022-10-28T06:35:52.320Z INFO Secret scanning is enabled
2022-10-28T06:35:52.320Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-28T06:35:52.320Z INFO Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-28T06:35:52.521Z INFO Detected OS: debian
2022-10-28T06:35:52.521Z INFO Detecting Debian vulnerabilities...
2022-10-28T06:35:52.534Z INFO Number of language-specific files: 1
2022-10-28T06:35:52.534Z INFO Detecting gobinary vulnerabilities...
bitnami/kube-state-metrics (debian 11.5)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
opt/bitnami/kube-state-metrics/bin/kube-state-metrics (gobinary)
Total: 4 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 1)
┌────────────────────────────────┬─────────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ v2.9.5+incompatible │ 2.16.0 │ go-restful: Authorization Bypass Through User-Controlled Key │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1996 │
│ ├─────────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ │ GHSA-r48q-9g5r-8q2h │ UNKNOWN │ │ │ CORS filters that use an AllowedDomains configuration │
│ │ │ │ │ │ parameter can match domains outside... │
│ │ │ │ │ │ https://github.com/advisories/GHSA-r48q-9g5r-8q2h │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-27664 │ HIGH │ v0.0.0-20220225172249-27dd8689420f │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27664 │
├────────────────────────────────┼─────────────────────┤ ├────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2022-32149 │ │ v0.3.7 │ 0.3.8 │ golang: golang.org/x/text/language: ParseAcceptLanguage │
│ │ │ │ │ │ takes a long time to parse complex tags │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-32149 │
└────────────────────────────────┴─────────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘
```
Hi @carrodher,
The trivy command only shows 4 CVEs, while I observed more, as @squarerootwik did.
Do you know what the source of the other CVEs is? I'm using Prisma scan https://apps.paloaltonetworks.com/apps
Component | Version | Vulnerability | Severity |
---|---|---|---|
ncurses | 6.2+20201114-2 | CVE-2022-29458 | low |
openssl | 1.1.1n-0+deb11u3 | CVE-2022-2097 | low |
pcre2 | 10.36-2 | CVE-2022-1587 | low |
pcre2 | 10.36-2 | CVE-2022-1586 | low |
e2fsprogs | 1.46.2-2 | CVE-2022-1304 | low |
glibc | 2.31-13+deb11u3 | CVE-2021-3999 | low |
libsepol | 3.1-1 | CVE-2021-36087 | low |
libsepol | 3.1-1 | CVE-2021-36086 | low |
libsepol | 3.1-1 | CVE-2021-36085 | low |
libsepol | 3.1-1 | CVE-2021-36084 | low |
libgcrypt20 | 1.8.7-6 | CVE-2021-33560 | low |
db5.3 | 5.3.28+dfsg1-0.8 | CVE-2019-8457 | low |
curl | 7.74.0-1.3+deb11u2 | CVE-2022-35252 | low |
perl | 5.32.1-4+deb11u2 | CVE-2020-16156 | low |
coreutils | 8.32-4 | CVE-2016-2781 | low |
Unfortunately, those security vulnerabilities are not fixed by the underlying OS, so although we build the images on a regular basis to provide the latest version of system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS itself.
The Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04, 20.04 & 22.04, or custom golden image) through the VMware Tanzu Application Catalog.
@carrodher thanks for your response. I actually got confused because you said: "The mentioned CVEs are not in the base image (which is Debian bullseye) but in the kube-state-metrics binary itself" and "those security vulnerabilities are not fixed by the underlying OS".
I just want to double confirm: what's the source of the CVEs?
Regards, Wei
There are fixable CVEs in the kube-state-metrics binary and non-fixable CVEs in the base image. You can see the difference when running the scanner with the --ignore-unfixed flag:
```text
$ trivy image --ignore-unfixed bitnami/kube-state-metrics
2022-10-31T23:45:33.306Z INFO Vulnerability scanning is enabled
2022-10-31T23:45:33.307Z INFO Secret scanning is enabled
2022-10-31T23:45:33.307Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-31T23:45:33.307Z INFO Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-31T23:45:33.501Z INFO Detected OS: debian
2022-10-31T23:45:33.501Z INFO Detecting Debian vulnerabilities...
2022-10-31T23:45:33.513Z INFO Number of language-specific files: 1
2022-10-31T23:45:33.513Z INFO Detecting gobinary vulnerabilities...
bitnami/kube-state-metrics (debian 11.5)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
opt/bitnami/kube-state-metrics/bin/kube-state-metrics (gobinary)
Total: 4 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 1)
┌────────────────────────────────┬─────────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996 │ CRITICAL │ v2.9.5+incompatible │ 2.16.0 │ go-restful: Authorization Bypass Through User-Controlled Key │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1996 │
│ ├─────────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ │ GHSA-r48q-9g5r-8q2h │ UNKNOWN │ │ │ CORS filters that use an AllowedDomains configuration │
│ │ │ │ │ │ parameter can match domains outside... │
│ │ │ │ │ │ https://github.com/advisories/GHSA-r48q-9g5r-8q2h │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-27664 │ HIGH │ v0.0.0-20220225172249-27dd8689420f │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27664 │
├────────────────────────────────┼─────────────────────┤ ├────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2022-32149 │ │ v0.3.7 │ 0.3.8 │ golang: golang.org/x/text/language: ParseAcceptLanguage │
│ │ │ │ │ │ takes a long time to parse complex tags │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-32149 │
└────────────────────────────────┴─────────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘
```
There are 0 fixable CVEs in the OS layer but 4 in the kube-state-metrics Go binary.
Then, if you run the tool again but without the --ignore-unfixed flag, you will see several CVEs reported in the base image but without a patch at this moment.
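As an added example (not code from this thread or from the Bitnami project), the script below applies the same split that trivy's --ignore-unfixed performs, but on Trivy's JSON report (`trivy image -f json ...`): a finding whose FixedVersion is set is actionable by bumping the dependency, a finding without one is an OS-layer CVE waiting on a Debian patch. The JSON sample is constructed here to mirror the findings quoted above, and the `triage`/`summarize` function names are this example's own.

```python
"""Split a Trivy JSON report into fixable vs. unfixed findings per origin, the
distinction behind `--ignore-unfixed` in the thread above. Added example."""
import json

# Constructed sample in Trivy's JSON schema (`trivy image -f json ...`) that
# mirrors the findings quoted in this issue; it is not real scanner output.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "Results": [
    {"Target": "bitnami/kube-state-metrics:2.6.0 (debian 11.5)",
     "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2022-2097", "PkgName": "openssl",
          "InstalledVersion": "1.1.1n-0+deb11u3", "Severity": "LOW"},
         {"VulnerabilityID": "CVE-2021-3999", "PkgName": "glibc",
          "InstalledVersion": "2.31-13+deb11u3", "Severity": "LOW"}]},
    {"Target": "opt/bitnami/kube-state-metrics/bin/kube-state-metrics",
     "Class": "lang-pkgs", "Type": "gobinary", "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2022-1996",
          "PkgName": "github.com/emicklei/go-restful",
          "InstalledVersion": "v2.9.5+incompatible", "FixedVersion": "2.16.0",
          "Severity": "CRITICAL"},
         {"VulnerabilityID": "CVE-2022-27664", "PkgName": "golang.org/x/net",
          "InstalledVersion": "v0.0.0-20220225172249-27dd8689420f",
          "FixedVersion": "0.0.0-20220906165146-f3363e06e74c",
          "Severity": "HIGH"}]}]})


def triage(report_json, ignore_unfixed=False):
    """Return {Type: {"fixable": [ids], "unfixed": [ids]}} per scan target.

    Trivy fills FixedVersion only when a patched version exists; an absent
    value means no fix yet. ignore_unfixed=True drops that bucket, as the CLI
    flag --ignore-unfixed does.
    """
    out = {}
    for result in json.loads(report_json).get("Results", []):
        buckets = {"fixable": [], "unfixed": []}
        for v in result.get("Vulnerabilities") or []:
            bucket = "fixable" if v.get("FixedVersion") else "unfixed"
            buckets[bucket].append(v["VulnerabilityID"])
        if ignore_unfixed:
            buckets["unfixed"] = []
        out[result["Type"]] = buckets
    return out


def summarize(report_json, ignore_unfixed=False):
    """One line per origin, in the spirit of Trivy's per-target 'Total:' lines."""
    return [f"{origin}: {len(b['fixable'])} fixable, {len(b['unfixed'])} unfixed"
            for origin, b in triage(report_json, ignore_unfixed).items()]


if __name__ == "__main__":
    # With and without the unfixed bucket: the OS layer only carries unfixed
    # CVEs, the Go binary carries the ones an upstream release would close.
    print("\n".join(summarize(SAMPLE_REPORT)))
    print("\n".join(summarize(SAMPLE_REPORT, ignore_unfixed=True)))
```

Running it on a real report (`trivy image -f json -o report.json bitnami/kube-state-metrics`) gives the same OS-vs-binary split the thread discusses, which is the list to hand to the upstream project versus the list to track against Debian security updates.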