Fix code scanning alert - CVE-2022-27191
Tracking issue for:
- [ ] https://github.com/vertica/vertica-kubernetes/security/code-scanning/3
The package golang.org/x/crypto is used indirectly in the operator.
```console
$ go mod why -m golang.org/x/crypto
# golang.org/x/crypto
github.com/vertica/vertica-kubernetes/cmd/operator
k8s.io/client-go/plugin/pkg/client/auth
k8s.io/client-go/plugin/pkg/client/auth/azure
github.com/Azure/go-autorest/autorest/adal
golang.org/x/crypto/pkcs12
```
It comes from k8s.io/client-go. We are currently using v0.24.0 of client-go. We can only update this once the operator-sdk is updated though. Leaving this open until we move up the operator-sdk to a version that fixes this.
This vulnerability doesn't look like it could be exploited in the operator. The vulnerability seems to occur when you use the golang.org/x/crypto/ssh package to implement an ssh server. We only use this package as client authentication into the k8s apiserver. For more information, this google group post seemed to provide a good description of how the vulnerability can be exploited.
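The triage done in the comment above (the module is pulled in, but is the package the advisory names actually imported, or only a sibling package of the same module?) can be scripted. The following is an added example, not code from the issue or from the vertica-kubernetes project. It parses `go mod why` output: the `-m` block is the one quoted in the issue, the package-level answer for `golang.org/x/crypto/ssh` is constructed here as an assumption about what the operator's tree would print, since the issue does not show it. The verdict relies on the package-level query because `go mod why -m` prints only one shortest path to any package of the module and so cannot by itself prove that `ssh` is unreachable.

```go
package main

import (
	"fmt"
	"strings"
)

// WhyResult is one block of `go mod why` output: the module or package
// that was queried and the import chain printed for it, from the main
// module's package down to the target. Chain is empty when the tool
// printed a "(main module does not need ...)" line instead.
type WhyResult struct {
	Target string
	Chain  []string
}

// ParseGoModWhy parses the text printed by `go mod why` (with or without
// -m). Every block starts with "# <target>", followed either by one
// package path per line or by a single parenthesised "not needed" line.
func ParseGoModWhy(out string) []WhyResult {
	var results []WhyResult
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "# "):
			results = append(results, WhyResult{Target: strings.TrimPrefix(line, "# ")})
		case strings.HasPrefix(line, "("):
			// "(main module does not need package X)" or "... module X)":
			// nothing imports the target, so the chain stays empty.
		default:
			if len(results) > 0 {
				i := len(results) - 1 // index, not a pointer: append may reallocate
				results[i].Chain = append(results[i].Chain, line)
			}
		}
	}
	return results
}

// Reachable reports whether the main module imports the target at all.
func (r WhyResult) Reachable() bool { return len(r.Chain) > 0 }

// Leaf returns the package at the end of the chain, i.e. the package inside
// the queried module that is actually imported, or "" if there is none.
func (r WhyResult) Leaf() string {
	if !r.Reachable() {
		return ""
	}
	return r.Chain[len(r.Chain)-1]
}

// AffectedPackageReachable combines the two queries a triage needs:
// modWhy is `go mod why -m <module>` output (is the module needed, and
// through which package?), pkgWhy is `go mod why <affectedPkg>` output
// (is the package the advisory names reachable?). It returns the verdict
// and a one-line justification.
func AffectedPackageReachable(modWhy, pkgWhy, affectedPkg string) (bool, string) {
	for _, r := range ParseGoModWhy(pkgWhy) {
		if r.Target != affectedPkg {
			continue
		}
		if r.Reachable() {
			return true, "affected package reachable via " + strings.Join(r.Chain, " -> ")
		}
		for _, m := range ParseGoModWhy(modWhy) {
			if m.Reachable() {
				return false, fmt.Sprintf("module needed only for %s; %s is not imported", m.Leaf(), affectedPkg)
			}
		}
		return false, "module is not needed by the main module at all"
	}
	return false, "no answer for " + affectedPkg + " in go mod why output"
}

// sampleModWhy is the `go mod why -m golang.org/x/crypto` output quoted in
// the issue; samplePkgWhy is a constructed answer for the package query,
// assumed for this example.
const sampleModWhy = `# golang.org/x/crypto
github.com/vertica/vertica-kubernetes/cmd/operator
k8s.io/client-go/plugin/pkg/client/auth
k8s.io/client-go/plugin/pkg/client/auth/azure
github.com/Azure/go-autorest/autorest/adal
golang.org/x/crypto/pkcs12
`

const samplePkgWhy = `# golang.org/x/crypto/ssh
(main module does not need package golang.org/x/crypto/ssh)
`

func main() {
	ok, why := AffectedPackageReachable(sampleModWhy, samplePkgWhy, "golang.org/x/crypto/ssh")
	fmt.Printf("ssh reachable=%v: %s\n", ok, why)
}
```

To run it against a real tree, feed the program the output of `go mod why -m golang.org/x/crypto` and `go mod why golang.org/x/crypto/ssh` from the module root; a "not reachable" verdict is still only an import-graph argument and does not replace upgrading once the fixed version is available.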
We upgraded the operator-sdk to v1.23.0, which changed the client-go to v0.24.2. The vulnerability is still an issue in that version. Waiting for the next operator-sdk release.
Fixed in #296 with upgrade to operator-sdk v1.25.2