opentelemetry-helm-charts
bump kube-rbac-proxy for opentelemetry-operator to fix CVE
The latest opentelemetry-operator chart still pins kube-rbac-proxy to the image quay.io/brancz/kube-rbac-proxy:v0.15.0:
https://github.com/open-telemetry/opentelemetry-helm-charts/blob/opentelemetry-operator-0.69.0/charts/opentelemetry-operator/values.yaml#L189%23L195
This version of kube-rbac-proxy has CRITICAL and HIGH CVEs.
```
twistcli images scan --address https://us-east1.cloud.twistlock.com/us-2-158256723 --token $PTOKEN --details quay.io/brancz/kube-rbac-proxy:v0.15.0

Scan results for: image quay.io/brancz/kube-rbac-proxy:v0.15.0 sha256:e56d15bd61cf8d5b85b5825b2c3a26c8b9459c0240e8376d9ea14c064d58693e

Vulnerabilities
+----------------+----------+------+-----------+---------+--------------------------+----------------+------------+----------------------------------------------------+
| CVE            | SEVERITY | CVSS | PACKAGE   | VERSION | STATUS                   | PUBLISHED      | DISCOVERED | DESCRIPTION                                        |
+----------------+----------+------+-----------+---------+--------------------------+----------------+------------+----------------------------------------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip | 1.21.3  | fixed in 1.21.11, 1.22.4 | > 3 months ago | < 1 hour   | The various Is methods (IsPrivate, IsLoopback,     |
|                |          |      |           |         |                          |                |            | etc) did not work as expected for IPv4-mapped IPv6 |
|                |          |      |           |         |                          |                |            | addresses, returning false for addresses which     |
|                |          |      |           |         |                          |                |            | would...                                           |
+----------------+----------+------+-----------+---------+--------------------------+----------------+------------+----------------------------------------------------+
```
The critical and high vulnerabilities are fixed in kube-rbac-proxy:v0.18.0:
```
twistcli images scan --address https://us-east1.cloud.twistlock.com/us-2-158256723 --token $PTOKEN --details quay.io/brancz/kube-rbac-proxy:v0.18.0

Scan results for: image quay.io/brancz/kube-rbac-proxy:v0.18.0 sha256:f11dcab913758ac5cdfdfb4c8209b0d1fd7bf3d22896e8b0e19518bea357de36

Vulnerabilities
+----------------+----------+------+----------------------------+---------+--------+------------+------------+------------------------------------------------+
| CVE            | SEVERITY | CVSS | PACKAGE                    | VERSION | STATUS | PUBLISHED  | DISCOVERED | DESCRIPTION                                    |
+----------------+----------+------+----------------------------+---------+--------+------------+------------+------------------------------------------------+
| CVE-2024-28180 | medium   | 0.00 | gopkg.in/square/go-jose.v2 | v2.6.0  | open   | > 6 months | < 1 hour   | Package jose aims to provide an implementation |
+----------------+----------+------+----------------------------+---------+--------+------------+------------+------------------------------------------------+

Vulnerabilities found for image quay.io/brancz/kube-rbac-proxy:v0.18.0: total - 2, critical - 0, high - 0, medium - 1, low - 1
Vulnerability threshold check results: PASS
```
It would be good to bump the kube-rbac-proxy image version in the chart to fix this issue.
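Until the chart bump lands, a values override or a CI check can enforce the same two conditions this issue relies on: the pinned kube-rbac-proxy tag is at least v0.18.0, and the twistcli summary line reports zero critical and zero high findings. The script below is an added example, not code from opentelemetry-helm-charts or from twistcli. It assumes the chart exposes the sidecar image under `kubeRBACProxy.image.repository` and `kubeRBACProxy.image.tag`, and it parses only the summary-line shape quoted above; the values excerpt and summary line it ships with are constructed samples.

```python
"""CI gate for the kube-rbac-proxy image pinned by a Helm values file.

Added example; not code from opentelemetry-helm-charts or twistcli.  It
assumes the chart exposes the sidecar image as kubeRBACProxy.image.repository
and kubeRBACProxy.image.tag, and uses the twistcli summary-line shape quoted
in the issue.
"""
import re
from typing import Dict, List, Tuple

# Constructed values.yaml excerpt mirroring the assumed kubeRBACProxy keys.
SAMPLE_VALUES = """\
kubeRBACProxy:
  enabled: true
  image:
    repository: quay.io/brancz/kube-rbac-proxy
    tag: v0.15.0
"""

# Constructed copy of a twistcli summary line in the shape shown in the issue.
SAMPLE_SUMMARY = (
    "Vulnerabilities found for image quay.io/brancz/kube-rbac-proxy:v0.18.0: "
    "total - 2, critical - 0, high - 0, medium - 1, low - 1"
)

# First tag the issue reports as free of critical and high findings.
MIN_FIXED_TAG = "v0.18.0"

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
_SUMMARY_RE = re.compile(r"^Vulnerabilities found for image (?P<image>\S+): (?P<counts>.+)$")
_COUNT_RE = re.compile(r"([a-z]+) - (\d+)")


def parse_version(tag: str) -> Tuple[int, int, int]:
    """Turn an image tag such as v0.15.0 into a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised image tag: {tag!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def tag_is_fixed(tag: str, minimum: str = MIN_FIXED_TAG) -> bool:
    """True when the tag is at or above the first version known to be clean."""
    return parse_version(tag) >= parse_version(minimum)


def image_ref_from_values(values_text: str) -> str:
    """Extract repository:tag from the kubeRBACProxy block of a values file.

    Line-based on purpose so the example needs no PyYAML; it only handles the
    flat layout of SAMPLE_VALUES, not arbitrary YAML.
    """
    _, _, block = values_text.partition("kubeRBACProxy:")
    repo = re.search(r"repository:\s*(\S+)", block)
    tag = re.search(r"\btag:\s*(\S+)", block)
    if not block or not (repo and tag):
        raise ValueError("kubeRBACProxy.image.repository/tag not found")
    return f"{repo.group(1)}:{tag.group(1)}"


def parse_summary(line: str) -> Dict[str, int]:
    """Parse 'total - N, critical - N, ...' from a twistcli summary line."""
    m = _SUMMARY_RE.match(line.strip())
    if not m:
        raise ValueError("not a twistcli summary line")
    return {name: int(count) for name, count in _COUNT_RE.findall(m.group("counts"))}


def summary_passes(line: str, max_critical: int = 0, max_high: int = 0) -> bool:
    """Apply the threshold the issue relies on: no critical and no high findings."""
    counts = parse_summary(line)
    return counts.get("critical", 0) <= max_critical and counts.get("high", 0) <= max_high


def gate(values_text: str, summary_line: str) -> List[str]:
    """Return a list of findings; an empty list means the gate passes."""
    findings: List[str] = []
    image = image_ref_from_values(values_text)
    tag = image.rsplit(":", 1)[1]
    if not tag_is_fixed(tag):
        findings.append(f"{image} is below the first fixed tag {MIN_FIXED_TAG}")
    if not summary_passes(summary_line):
        findings.append(f"scan threshold failed: {parse_summary(summary_line)}")
    return findings


if __name__ == "__main__":
    # With the constructed sample the tag check fails and the scan check passes.
    for finding in gate(SAMPLE_VALUES, SAMPLE_SUMMARY) or ["gate passed"]:
        print(finding)
```

Run against the sample, the gate reports the v0.15.0 pin as below v0.18.0 while the scan summary for v0.18.0 passes, which is exactly the state this issue describes; replacing the tag in the override clears the finding. The version check deliberately lives beside the scanner threshold so a clean scan of the wrong image, or a bumped tag that was never scanned, cannot pass on its own.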