ingress-nginx
Vulnerability golang-runtime CVE-2022-30634
Hi,
We use the image k8s.gcr.io/ingress-nginx/controller:v1.3.0, and our scanner (Protecode) reports:
| Field | Value |
| --- | --- |
| Name | golang-runtime |
| Version | 1.18.2 (outdated) |
| Latest version | 1.18.4 |
| Website | go.dev |
| Component type | Native |
| Tags | framework |
Files (4)

| Name | Size | Timestamp | Matching method |
| --- | --- | --- | --- |
| dbg | 6.34 MB | 2022/07/11 14:28 | signature |
| nginx-ingress-controller | 38.07 MB | 2022/07/11 14:28 | signature |
| nginx-ingress-controller | 38.07 MB | 2022/07/11 14:28 | signature |
| wait-shutdown | 2.87 MB | 2022/07/11 14:28 | signature |
Vulnerabilities (1)

| Vulnerability | Date | CVSS v2 | CVSS v3 | Type |
| --- | --- | --- | --- | --- |
| CVE-2022-30634 | 2022/07/15 | | 7.5 | Exact match |

Description: Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
I noticed the golang version is 1.18 in go.mod, and NVD says "before Go 1.17.11 and Go 1.18.3 on Windows"; does that mean it's a false positive?
I noticed it uses registry.k8s.io/ingress-nginx/e2e-test-runner:v20220624-g3348cd71e@sha256:2a34e322b7ff89abdfa0b6202f903bf5618578b699ff609a3ddabac0aae239c8 as the build runtime, and in this image the golang version is 1.18.2.
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
If I understand correctly, the Linux platform will not be affected, am I right?
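A scanner signature match only tells you which Go runtime is linked in; whether the NVD conditions for CVE-2022-30634 (toolchain older than 1.17.11 / 1.18.3, and GOOS=windows) hold is something you can read straight out of the binaries listed above. The following is an added example, not code from the ingress-nginx project: it uses the standard library's `debug/buildinfo` package (Go 1.18 or newer is required to compile it) to read the embedded toolchain version and target GOOS of each binary path given on the command line, then applies the NVD conditions. The function and flag names are this example's own; the binary paths (for instance `nginx-ingress-controller` copied out of the image with `docker cp`) are an assumption about how you would run it.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion holds the numeric parts of a toolchain version such as "go1.18.2".
type goVersion struct{ major, minor, patch int }

// parseGoVersion parses "go1.18.2", "go1.19" (patch 0) or "go1.19rc1"
// (pre-release suffix ignored). Anything else, e.g. "devel ...", is an error.
func parseGoVersion(s string) (goVersion, error) {
	raw := s
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	if i := strings.IndexAny(s, "rb"); i >= 0 { // "rc1" / "beta2" suffixes
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", raw)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return goVersion{}, fmt.Errorf("unrecognised Go version %q", raw)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// affectedByCVE202230634 applies the NVD description literally: the bug is in
// crypto/rand's Windows code path, fixed in Go 1.17.11 and 1.18.3, so a
// non-Windows target is never affected regardless of toolchain version.
func affectedByCVE202230634(v goVersion, goos string) bool {
	if goos != "windows" || v.major != 1 {
		return false
	}
	switch {
	case v.minor < 17:
		return true // older than the oldest fixed release line
	case v.minor == 17:
		return v.patch < 11
	case v.minor == 18:
		return v.patch < 3
	default:
		return false // 1.19+ never shipped the bug
	}
}

// verdict turns a (version, GOOS) pair into a scanner-style finding. GOOS is
// only recorded in build info for binaries built with Go 1.18+, so an empty
// value is reported as unknown rather than guessed.
func verdict(version, goos string) (string, error) {
	v, err := parseGoVersion(version)
	if err != nil {
		return "", err
	}
	switch {
	case goos == "":
		return "unknown (no GOOS in build info; built with Go < 1.18?)", nil
	case affectedByCVE202230634(v, goos):
		return "affected", nil
	default:
		return "not affected", nil
	}
}

// binaryInfo reads the toolchain version and target GOOS embedded in a Go
// binary (the same data `go version -m <binary>` prints).
func binaryInfo(path string) (version, goos string, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", "", err
	}
	for _, s := range bi.Settings {
		if s.Key == "GOOS" {
			goos = s.Value
		}
	}
	return bi.GoVersion, goos, nil
}

func main() {
	for _, path := range os.Args[1:] { // assumed: binary paths on the command line
		ver, goos, err := binaryInfo(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		res, err := verdict(ver, goos)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		fmt.Printf("%s: %s GOOS=%q -> CVE-2022-30634 %s\n", path, ver, goos, res)
	}
}
```

`go version -m <binary>` gives the same raw data if you only need a quick look; the value of doing it in code is that the version comparison and the GOOS condition are written down once and applied to every binary the scanner flagged, instead of being re-derived by hand per finding.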
Based on that description, yes. But no tests are available.
The project will eventually bump the Go version.
/area security /triage accepted /priority backlog /kind bug