
CVE-2024-2961 in registry.k8s.io/build-image/distroless-iptables:v0.5.3 #3593

Closed
aramase opened this issue Apr 30, 2024 · 6 comments
Labels: area/release-eng (Issues or PRs related to the Release Engineering subproject), kind/bug (Categorizes issue or PR as related to a bug), needs-priority, sig/release (Categorizes an issue or PR as relevant to SIG Release).

Comments

@aramase
Member

aramase commented Apr 30, 2024

What happened:

CVE in registry.k8s.io/build-image/distroless-iptables:v0.5.3 image

➜ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/build-image/distroless-iptables:v0.5.3
2024-04-30T15:09:32.487-0700	INFO	Vulnerability scanning is enabled
2024-04-30T15:09:32.488-0700	INFO	Secret scanning is enabled
2024-04-30T15:09:32.488-0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-30T15:09:32.488-0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-04-30T15:09:33.787-0700	INFO	Detected OS: debian
2024-04-30T15:09:33.788-0700	INFO	Detecting Debian vulnerabilities...
2024-04-30T15:09:33.799-0700	INFO	Number of language-specific files: 0

registry.k8s.io/build-image/distroless-iptables:v0.5.3 (debian 12.5)

Total: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version  │                         Title                          │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2024-2961 │ HIGH     │ fixed  │ 2.36-9+deb12u4    │ 2.36-9+deb12u6 │ glibc: Out of bounds write in iconv may lead to remote │
│         │               │          │        │                   │                │ code...                                                │
│         │               │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-2961              │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────┘

What you expected to happen:

New distroless-iptables images with CVEs resolved.

aramase added the area/release-eng, kind/bug and sig/release labels on Apr 30, 2024.
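The scan command in the report above encodes a release policy in its flags: fail (`--exit-code 1`) on any MEDIUM-or-higher finding for which the distribution has already shipped a fix (`--ignore-unfixed`). The following is an added example, not code from this issue or from the kubernetes/release project, that applies the same policy to Trivy's JSON report (`trivy image --format json ...`) so a pipeline can gate several images at once and print the same one-line total Trivy does. The two reports embedded in it are constructed to mirror the v0.5.3 and v0.5.4 scans shown in the thread; the field names are assumed to follow Trivy's JSON output.

```python
"""Gate an image on a Trivy JSON report.

Added example for this issue; not code from the kubernetes/release project.
It expresses in code the policy the reporter's CLI flags state
(--exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL): the gate
fails when any finding at or above the severity floor has a fixed version
available. Input is assumed to be Trivy's JSON report format.
"""
import json

# Trivy severity labels, ordered so a floor can be compared numerically.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report mirroring the single finding in the v0.5.3 scan table.
# The title is abbreviated exactly as Trivy's table output printed it.
SAMPLE_REPORT_V053 = json.dumps({
    "ArtifactName": "registry.k8s.io/build-image/distroless-iptables:v0.5.3",
    "Results": [{
        "Target": "registry.k8s.io/build-image/distroless-iptables:v0.5.3 (debian 12.5)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [{
            "VulnerabilityID": "CVE-2024-2961",
            "PkgName": "libc6",
            "InstalledVersion": "2.36-9+deb12u4",
            "FixedVersion": "2.36-9+deb12u6",
            "Status": "fixed",
            "Severity": "HIGH",
            "Title": "glibc: Out of bounds write in iconv may lead to remote code...",
        }],
    }],
})

# Constructed report for the rebuilt image. Trivy may leave out the
# Vulnerabilities key entirely for a clean target; the gate must tolerate that.
SAMPLE_REPORT_V054 = json.dumps({
    "ArtifactName": "registry.k8s.io/build-image/distroless-iptables:v0.5.4",
    "Results": [{
        "Target": "registry.k8s.io/build-image/distroless-iptables:v0.5.4 (debian 12.5)",
        "Class": "os-pkgs",
        "Type": "debian",
    }],
})


def blocking_findings(report_json, min_severity="MEDIUM", ignore_unfixed=True):
    """Return the findings that violate the policy, one dict per finding.

    min_severity is the lowest severity that counts (the issue's --severity
    list is MEDIUM and above). With ignore_unfixed, findings for which the
    distribution has not shipped a fix are skipped, as --ignore-unfixed does.
    """
    report = json.loads(report_json)
    floor = SEVERITY_RANK[min_severity.upper()]
    blocking = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(severity, 0) < floor:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            blocking.append({
                "id": vuln.get("VulnerabilityID"),
                "pkg": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion"),
                "severity": severity,
                "target": result.get("Target"),
            })
    return blocking


def summary_line(report_json, min_severity="MEDIUM", ignore_unfixed=True):
    """Render the same one-line total Trivy prints, for CI logs."""
    floor = SEVERITY_RANK[min_severity.upper()]
    counts = {s: 0 for s, r in SEVERITY_RANK.items() if r >= floor}
    findings = blocking_findings(report_json, min_severity, ignore_unfixed)
    for finding in findings:
        counts[finding["severity"]] += 1
    detail = ", ".join(f"{k}: {v}" for k, v in counts.items())
    return f"Total: {len(findings)} ({detail})"


def gate_exit_code(report_json, **policy):
    """Mirror --exit-code 1: non-zero when anything blocks the release."""
    return 1 if blocking_findings(report_json, **policy) else 0


if __name__ == "__main__":
    for name, report in (("v0.5.3", SAMPLE_REPORT_V053), ("v0.5.4", SAMPLE_REPORT_V054)):
        print(name, summary_line(report), "exit", gate_exit_code(report))
        for f in blocking_findings(report):
            print(f"  {f['pkg']} {f['id']} {f['severity']}: {f['installed']} -> {f['fixed']}")
```

Feeding the real report is a matter of replacing the constructed strings with the output of `trivy image --format json` for each image in the release set; the exit code from `gate_exit_code` is what the pipeline step returns. Raising `min_severity` to CRITICAL shows how a looser floor would have let the v0.5.3 finding through, which is the argument for keeping MEDIUM as the floor in release gates.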
@jwtty
Member

jwtty commented May 6, 2024

+1 thanks

@saschagrunert
Member

I assume we're updating the image as part of #3597 anyway, right @cpanato?

@cpanato
Member

cpanato commented May 7, 2024

yes, will bump together with the upcoming go updates

@cpanato
Member

cpanato commented May 7, 2024

/assign

@aramase
Member Author

aramase commented Jun 4, 2024

v0.5.4 has been published and has no CVEs. Thanks @cpanato!

➜ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/build-image/distroless-iptables:v0.5.4
2024-06-04T11:00:22.888-0700	INFO	Need to update DB
2024-06-04T11:00:22.888-0700	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2024-06-04T11:00:22.888-0700	INFO	Downloading DB...
47.72 MiB / 47.72 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 17.13 MiB p/s 3.0s
2024-06-04T11:00:27.195-0700	INFO	Vulnerability scanning is enabled
2024-06-04T11:00:27.196-0700	INFO	Secret scanning is enabled
2024-06-04T11:00:27.196-0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-04T11:00:27.196-0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-06-04T11:00:30.690-0700	INFO	Detected OS: debian
2024-06-04T11:00:30.690-0700	INFO	Detecting Debian vulnerabilities...
2024-06-04T11:00:30.701-0700	INFO	Number of language-specific files: 0

registry.k8s.io/build-image/distroless-iptables:v0.5.4 (debian 12.5)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

/close

@k8s-ci-robot
Contributor

@aramase: Closing this issue.


5 participants