
Are high vulnerabilities being addressed?

Open ronkara opened this issue 2 years ago • 10 comments

Hello. This is a question; however, vulnerability updating per NIST standards requires them to be resolved within specific timeframes. We would like to update to version 1.11 from 1.10; however, we are not seeing resolution of the CVEs listed below even though there are fixes available. Can you tell me when version 1.12 will be released and if it will fix the libcrypto and libssl vulns associated with the CVEs? I am required to publish updates to our customers on a monthly basis regarding existing vulns and, if they are not remediated within expected timeframes, when the last time I contacted the vendor was, etc.

CVE-2022-4450 CVE-2023-0215 CVE-2023-0286

thank you!

ronkara avatar Mar 22 '23 14:03 ronkara

Could someone give an ETA on when the next release will be available and if it will incorporate resolution of the previously listed CVEs?

ronkara avatar Apr 07 '23 12:04 ronkara

These are vulns for the rust openssl package. How did you find that this repo, written in golang, uses those dependencies? I couldn't find anything related to ssl in https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/go.mod

mauriciopoppe avatar Apr 08 '23 22:04 mauriciopoppe

Thank you for the response. We are using AWS and the container is /k8s.gcr.io/sig-storage/hostpathplugin if that helps you. The scanner we are using is Sysdig and it is finding them as known vulnerable CVEs, so there is something about libssl and libcrypto deployed in this container that is triggering these high findings. This is an off-the-shelf container and not anything that we would have built.

ronkara avatar Apr 11 '23 17:04 ronkara

Gotcha, there might be vulnerabilities in the image https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/Dockerfile. This CSI Driver is used for testing purposes as a demo CSI Driver.

I added this to our backlog but we don't have SLOs for components that aren't supposed to be used in production, cc @msau42.

If you're using this in production maybe you should evaluate other solutions.

mauriciopoppe avatar Apr 12 '23 17:04 mauriciopoppe

@ronkara Please feel free to submit fixes for CVEs and we can help review and merge them.

xing-yang avatar Apr 26 '23 17:04 xing-yang

/help wanted

xing-yang avatar Apr 26 '23 17:04 xing-yang

Hi @xing-yang, I don't have a mergeable fix, but the files in question may be part of the alpine build or the linux-coreutils, as the Sysdig container scan states they are OS vulns. The specific issue and the fix versions are as follows:

libcrypto1.1 fix version 1.1.1t-r0
libssl1.1 fix version 1.1.1t-r0

The CVEs are listed in the original message. Just because rust isn't being used, I suspect updating the build to latest version of alpine and linux-coreutils will resolve these vulnerabilities for us.

ronkara avatar Apr 27 '23 19:04 ronkara

Hi @xing-yang, as @ronkara mentioned the following CVEs above: CVE-2022-4450, CVE-2023-0215, CVE-2023-0286. They seem to be related to the openssl 3.0.7-r2 package, which I am assuming comes with the alpine image. Since they are OS vulns, I was thinking that pulling the latest alpine image will resolve these vulnerabilities, because apk update && apk upgrade will also pull in the new packages when we rebuild the image.

singhc1997 avatar Apr 27 '23 19:04 singhc1997

/help wanted please if someone has the capability of updating the underlying alpine build to see if this resolves the libcrypto1.1 fix version 1.1.1t-r0 and libssl1.1 fix version 1.1.1t-r0 per guidance from singhc1997.

ronkara avatar May 09 '23 12:05 ronkara
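One way to check a rebuilt image against the fix versions quoted in this thread, as an added example that is not part of the thread or the project's code: it parses `apk info -v` output (a constructed sample here) and orders versions the way apk does for plain numeric versions, an optional letter suffix such as `1.1.1t`, and the `-rN` package release; the `_alpha`/`_rc` style suffixes are assumed not to occur.

```python
import re

# Constructed sample of `apk info -v` output (not real scanner output); the
# libssl/libcrypto lines sit one release below the fix versions quoted in the thread.
SAMPLE_APK_INFO = """\
busybox-1.35.0-r29
libcrypto1.1-1.1.1s-r0
libssl1.1-1.1.1s-r0
ca-certificates-20220614-r4
"""

# Fix versions quoted in the thread for CVE-2022-4450, CVE-2023-0215 and CVE-2023-0286.
FIX_VERSIONS = {"libcrypto1.1": "1.1.1t-r0", "libssl1.1": "1.1.1t-r0"}

# version: dotted numbers, optional single letter (1.1.1t), optional -rN package release.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?(?:-r(\d+))?$")
# apk info -v line: <name>-<version>; the version starts at the first "-<digit>".
_LINE_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^-]*(?:-r\d+)?)$")


def parse_apk_version(ver):
    """Map '1.1.1t-r0' to a tuple that orders like apk for this subset: numeric
    components, then the letter, then the release. Assumption: no _alpha/_rc suffixes."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported apk version string: {ver!r}")
    nums, letter, rel = m.groups()
    return (tuple(int(x) for x in nums.split(".")), letter or "", int(rel or 0))


def parse_apk_info(text):
    """Parse `apk info -v` output into {package name: installed version}."""
    pkgs = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable apk info line: {line!r}")
        pkgs[m["name"]] = m["ver"]
    return pkgs


def find_unfixed(pkgs, fix_versions):
    """Return {name: (installed, fix)} for packages still below their fix version;
    a package that is not installed at all is not reported."""
    return {
        name: (pkgs[name], fix)
        for name, fix in fix_versions.items()
        if name in pkgs and parse_apk_version(pkgs[name]) < parse_apk_version(fix)
    }
```

For a real image, feed the output of `docker run --rm <image> apk info -v` to `parse_apk_info` in place of the sample.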

@ronkara wondering if you will have some bandwidth to help fix this?

jingxu97 avatar May 24 '23 17:05 jingxu97