
Address security vulnerabilities with openstorage/stork:2.11.0

Open dvasilen opened this issue 2 years ago • 3 comments

Is this a BUG REPORT or FEATURE REQUEST?:

Security vulnerabilities

What happened:

The latest openstorage/stork:2.11.0 has a number of high and medium vulnerabilities

Vulnerable Packages Found
=========================

Vulnerability ID   Policy Status   Affected Packages   How to Resolve
CVE-2022-29824     Active          libxml2             Upgrade libxml2 to >= 2.9.7-13.el8_6.1
CVE-2021-40528     Active          libgcrypt           Upgrade libgcrypt to >= 1.8.5-7.el8_6
CVE-2022-22576     Active          curl, libcurl       Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-27774     Active          curl, libcurl       Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-27776     Active          curl, libcurl       Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-27782     Active          curl, libcurl       Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-25313     Active          expat               Upgrade expat to >= 2.2.5-8.el8_6.2
CVE-2022-25314     Active          expat               Upgrade expat to >= 2.2.5-8.el8_6.2

What you expected to happen: The security vulnerabilities are addressed

How to reproduce it (as minimally and precisely as possible): Run vulnerability report for the openstorage/stork:2.11.0 docker image

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version): 1.23.0
  • Cloud provider or hardware configuration: IKS
  • OS (e.g. from /etc/os-release): Ubuntu 18.04
  • Kernel (e.g. uname -a): GNU/Linux 4.15.0-188-generic
  • Install tools: https://docs.portworx.com/portworx-install-with-kubernetes/operate-and-maintain-on-kubernetes/upgrade/upgrade-daemonset/

dvasilen avatar Jul 22 '22 14:07 dvasilen

Thanks for reporting the issue. We will look into it. Can you share which image scan tool you used to find these vulnerabilities?

adityadani avatar Jul 22 '22 21:07 adityadani

We use IBM Vulnerability Advisor https://cloud.ibm.com/docs/va/va_index.html?interface=ui

dvasilen avatar Jul 23 '22 11:07 dvasilen

Here is the latest scan for openstorage/stork:2.11.2

Image 'openstorage/stork:2.11.2' was last scanned on Wed Aug 10 08:30:05 UTC 2022
The scan results show that 4 ISSUES were found for the image.

Vulnerable Packages Found
=========================

Vulnerability ID   Policy Status   Affected Packages       How to Resolve
CVE-2022-1586      Active          pcre2                   Upgrade pcre2 to >= 10.32-3.el8_6
CVE-2022-1292      Active          openssl-libs, openssl   Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-2068      Active          openssl-libs, openssl   Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-2097      Active          openssl-libs, openssl   Upgrade 2 packages. Re-run command with --extended to view.

To see the details about the fixes for these packages, run the command again with the '--extended' flag.

dvasilen avatar Aug 10 '22 14:08 dvasilen
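To track whether a new image tag actually cleared the findings reported against the previous one, here is a small Python helper added for this thread (it is not part of stork or of the IBM Vulnerability Advisor). It parses the two "Vulnerable Packages Found" tables quoted above, embedded below as constructed input copied from this issue, and diffs the 2.11.0 and 2.11.2 scans. It assumes, as in the output shown, that the scanner separates columns with at least two spaces and writes the fixed version as "Upgrade X to >= V".

```python
import re
from typing import NamedTuple, Optional

# Both tables are copied from the scanner output quoted in this issue
# (embedded here as constructed input; nothing is scanned live).
SCAN_2_11_0 = """\
Vulnerability ID   Policy Status   Affected Packages   How to Resolve
CVE-2022-29824     Active          libxml2             Upgrade libxml2 to >= 2.9.7-13.el8_6.1
CVE-2021-40528     Active          libgcrypt           Upgrade libgcrypt to >= 1.8.5-7.el8_6
CVE-2022-22576     Active          curl, libcurl       Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-27774     Active          curl, libcurl       Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-27776     Active          curl, libcurl       Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-27782     Active          curl, libcurl       Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-25313     Active          expat               Upgrade expat to >= 2.2.5-8.el8_6.2
CVE-2022-25314     Active          expat               Upgrade expat to >= 2.2.5-8.el8_6.2
"""
SCAN_2_11_2 = """\
Vulnerability ID   Policy Status   Affected Packages       How to Resolve
CVE-2022-1586      Active          pcre2                   Upgrade pcre2 to >= 10.32-3.el8_6
CVE-2022-1292      Active          openssl-libs, openssl   Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-2068      Active          openssl-libs, openssl   Upgrade 2 packages. Re-run command with --extended to view.
CVE-2022-2097      Active          openssl-libs, openssl   Upgrade 2 packages. Re-run command with --extended to view.
"""

class Finding(NamedTuple):
    cve: str
    status: str
    packages: tuple            # e.g. ("curl", "libcurl")
    fixed_in: Optional[str]    # version from "Upgrade X to >= V"; None when the tool elided it

def parse_scan(text: str) -> dict:
    """Parse the 'Vulnerable Packages Found' table. Columns are separated by two or
    more spaces, so a maxsplit keeps the free-text 'How to Resolve' column intact."""
    findings = {}
    for line in text.splitlines():
        if not line.startswith("CVE-"):
            continue  # header, blank and footer lines
        cve, status, pkgs, resolve = re.split(r"\s{2,}", line.strip(), maxsplit=3)
        m = re.search(r">=\s*(\S+)", resolve)
        packages = tuple(p.strip() for p in pkgs.split(","))
        findings[cve] = Finding(cve, status, packages, m.group(1) if m else None)
    return findings

def diff_scans(old: dict, new: dict) -> dict:
    """Classify CVE IDs between two scans of successive image tags."""
    return {"fixed": sorted(old.keys() - new.keys()),
            "still_open": sorted(old.keys() & new.keys()),
            "new": sorted(new.keys() - old.keys())}
```

A CVE that disappears between two scans has not necessarily been patched in the image: a rebased base image or a changed advisory database produces the same result, so confirm the package version inside the container before closing the finding.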