Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sriov-network-device-plugin v3.5.1 container image security vulnerabilities #447

Open
mashuting opened this issue Oct 24, 2022 · 1 comment

Comments

@mashuting
Copy link

mashuting commented Oct 24, 2022

What happened?
HIGH and CRITICAL vulnerabilities issues found in ssriov-network-device-plugin v3.5.1 container image(ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.5.1)

REPORT:

root@[ ~ ]# docker run aquasec/trivy image ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.5.1
2022-10-23T13:03:28.033Z	INFO	Need to update DB
2022-10-23T13:03:28.034Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-10-23T13:03:28.034Z	INFO	Downloading DB...
12.16 MiB / 34.58 MiB [--------------------->_______________________________________] 35.16% ? p/s ?24.81 MiB / 34.58 MiB [------------------------------------------->_________________] 71.75% ? p/s ?34.58 MiB / 34.58 MiB [----------------------------------------------------------->] 100.00% ? p/s ?34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 37.38 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 37.38 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 37.38 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 34.97 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 34.97 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 34.97 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 32.71 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 32.71 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 32.71 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 30.60 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 30.60 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 30.60 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 28.63 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 28.63 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 28.63 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [---------------------------------------------->] 100.00% 26.78 MiB p/s ETA 0s34.58 MiB / 34.58 MiB [--------------------------------------------------] 100.00% 9.57 MiB p/s 3.8s2022-10-23T13:03:32.642Z	INFO	Vulnerability scanning is enabled
2022-10-23T13:03:32.642Z	INFO	Secret scanning is enabled
2022-10-23T13:03:32.642Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-23T13:03:32.642Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-23T13:03:37.046Z	INFO	Detected OS: alpine
2022-10-23T13:03:37.046Z	INFO	Detecting Alpine vulnerabilities...
2022-10-23T13:03:37.049Z	INFO	Number of language-specific files: 1
2022-10-23T13:03:37.049Z	INFO	Detecting gobinary vulnerabilities...

ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.5.1 (alpine 3.16.0)
===============================================================================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)

┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ busybox      │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to  │
│              │                │          │                   │               │ denial of service...                                        │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                  │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-2097  │ MEDIUM   │ 1.1.1o-r0         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes                │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
├──────────────┤                │          │                   │               │                                                             │
│ libssl1.1    │                │          │                   │               │                                                             │
│              │                │          │                   │               │                                                             │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ ssl_client   │ CVE-2022-30065 │ HIGH     │ 1.35.0-r13        │ 1.35.0-r15    │ busybox: A use-after-free in Busybox's awk applet leads to  │
│              │                │          │                   │               │ denial of service...                                        │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                  │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib         │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: heap-based buffer over-read and overflow in inflate() │
│              │                │          │                   │               │ in inflate.c via a...                                       │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

usr/bin/sriovdp (gobinary)
==========================
Total: 5 (UNKNOWN: 1, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 1)

┌────────────────────────────────┬─────────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │         Installed Version          │           Fixed Version           │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/emicklei/go-restful │ CVE-2022-1996       │ CRITICAL │ v2.10.0+incompatible               │ 2.16.0                            │ go-restful: Authorization Bypass Through User-Controlled Key │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-1996                    │
│                                ├─────────────────────┼──────────┤                                    │                                   ├──────────────────────────────────────────────────────────────┤
│                                │ GHSA-r48q-9g5r-8q2h │ UNKNOWN  │                                    │                                   │ CORS filters that use an AllowedDomains configuration        │
│                                │                     │          │                                    │                                   │ parameter                                                    │
│                                │                     │          │                                    │                                   │ can match domains outside the...                             │
│                                │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-r48q-9g5r-8q2h            │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net               │ CVE-2022-27664      │ HIGH     │ v0.0.0-20220127200216-cd36cc0744dd │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY  │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                   │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/sys               │ CVE-2022-29526      │ MEDIUM   │ v0.0.0-20220209214540-3681064d5158 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group                │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526                   │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text              │ CVE-2022-32149      │ HIGH     │ v0.3.7                             │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage      │
│                                │                     │          │                                    │                                   │ takes a long time to parse complex tags                      │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                   │
└────────────────────────────────┴─────────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘

What did you expect to happen?
0 HIGH and CRITICAL security vulnerabilities

@zhouke1991
Copy link

Hi, is there a plan to release a new version? I found out this commit 22ec1f3 fixed the "go-restful" critical CVE. We'd like to have a new version containing this commit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants