
[TASK] Fix CVE issues for v1.7.0 (RC1) #8976

Closed
c3y1huang opened this issue Jul 11, 2024 · 7 comments


c3y1huang commented Jul 11, 2024

What's the task? Please describe

Investigate CVE issues of the Longhorn component images to see if there are outstanding CVE issues that need to be fixed.

Describe the sub-tasks

https://github.com/longhorn/longhorn/blob/v1.7.x/deploy/longhorn-images.txt

Additional context

None

@c3y1huang c3y1huang added kind/task General task request to fulfill another primary request area/security System or volume data access security labels Jul 11, 2024
@c3y1huang c3y1huang added this to the v1.7.0 milestone Jul 11, 2024
@c3y1huang c3y1huang self-assigned this Jul 11, 2024

c3y1huang commented Jul 11, 2024

This is a general task. Not a blocker for RC releases.
cc @derekbit @innobead


c3y1huang commented Jul 16, 2024

Analyse RC1

Longhorn Components

longhornio/backing-image-manager:v1.7.0-rc1

longhornio/backing-image-manager:v1.7.0-rc1 (suse linux enterprise server 15.6)
===============================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

Action: won't fix.

longhornio/longhorn-engine:v1.7.0-rc1

longhornio/longhorn-engine:v1.7.0-rc1 (suse linux enterprise server 15.6)
=========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/grpc_health_probe (gobinary)
==========================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.5            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of         │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                             │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

Action: update dependencies.

longhornio/longhorn-instance-manager:v1.7.0-rc1

longhornio/longhorn-instance-manager:v1.7.0-rc1 (suse linux enterprise server 15.6)
===================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/grpc_health_probe (gobinary)
==========================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.5            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of         │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                             │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

Action: update dependencies.

longhornio/longhorn-manager:v1.7.0-rc1

longhornio/longhorn-manager:v1.7.0-rc1 (suse linux enterprise server 15.6)
==========================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/sbin/longhorn-manager (gobinary)
==========================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH     │ fixed  │ v0.42.0           │ 0.46.0        │ opentelemetry-go-contrib: DoS vulnerability in otelgrpc due │
│ rg/grpc/otelgrpc                                             │                │          │        │                   │               │ to unbound cardinality metrics                              │
│                                                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-47108                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

The go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc is an indirect dependency, and the fixed version is not included in the current latest Kubernetes v1.30.3 release. It's included in the incoming v1.31.0 release.

Action: won't fix.

longhornio/longhorn-share-manager:v1.7.0-rc1

longhornio/longhorn-share-manager:v1.7.0-rc1 (suse linux enterprise server 15.6)
================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

Action: won't fix.

longhornio/longhorn-ui:v1.7.0-rc1

longhornio/longhorn-ui:v1.7.0-rc1 (suse linux enterprise server 15.6)
=====================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

Action: won't fix.

longhornio/support-bundle-kit:v0.0.39

=========================================================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬─────────────────────┬──────────┬────────┬─────────────────────┬─────────────────────┬──────────────────────────┐
│ Library │    Vulnerability    │ Severity │ Status │  Installed Version  │    Fixed Version    │          Title           │
├─────────┼─────────────────────┼──────────┼────────┼─────────────────────┼─────────────────────┼──────────────────────────┤
│ krb5    │ SUSE-SU-2024:2302-1 │ HIGH     │ fixed  │ 1.20.1-150500.3.6.1 │ 1.20.1-150500.3.9.1 │ Security update for krb5 │
└─────────┴─────────────────────┴──────────┴────────┴─────────────────────┴─────────────────────┴──────────────────────────┘

Action: release v0.0.40.

External Components

longhornio/csi-attacher:v4.5.1

longhornio/csi-attacher:v4.5.1 (debian 11.9)
============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-attacher (gobinary)
=======================
Total: 3 (HIGH: 2, CRITICAL: 1)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH     │ fixed  │ v0.44.0           │ 0.46.0          │ opentelemetry-go-contrib: DoS vulnerability in otelgrpc due │
│ rg/grpc/otelgrpc                                             │                │          │        │                   │                 │ to unbound cardinality metrics                              │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-47108                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                                                       │ CVE-2024-24790 │ CRITICAL │        │ 1.21.5            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for  │
│                                                              │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                  │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                  │
│                                                              ├────────────────┼──────────┤        │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of          │
│                                                              │                │          │        │                   │                 │ CONTINUATION frames causes DoS                              │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘

Action: update to the current highest available minor version: registry.k8s.io/sig-storage/csi-attacher:v4.6.1.

longhornio/csi-provisioner:v4.0.1

longhornio/csi-provisioner:v4.0.1 (debian 11.9)
===============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-provisioner (gobinary)
==========================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.5            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of         │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                             │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

The current highest available minor version upstream: registry.k8s.io/sig-storage/csi-provisioner:v4.0.1

Action: won't fix.

longhornio/csi-resizer:v1.10.1

longhornio/csi-resizer:v1.10.1 (debian 11.9)
============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-resizer (gobinary)
======================
Total: 3 (HIGH: 2, CRITICAL: 1)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH     │ fixed  │ v0.44.0           │ 0.46.0          │ opentelemetry-go-contrib: DoS vulnerability in otelgrpc due │
│ rg/grpc/otelgrpc                                             │                │          │        │                   │                 │ to unbound cardinality metrics                              │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-47108                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                                                       │ CVE-2024-24790 │ CRITICAL │        │ 1.21.5            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for  │
│                                                              │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                  │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                  │
│                                                              ├────────────────┼──────────┤        │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of          │
│                                                              │                │          │        │                   │                 │ CONTINUATION frames causes DoS                              │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘

Action: update to the current highest available minor version: registry.k8s.io/sig-storage/csi-resizer:v1.11.1.

longhornio/csi-snapshotter:v7.0.2

longhornio/csi-snapshotter:v7.0.2 (debian 11.9)
===============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-snapshotter (gobinary)
==========================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.5            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of         │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                             │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

The current highest available minor version upstream: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.2

Action: won't fix.

longhornio/csi-node-driver-registrar:v2.9.2

longhornio/csi-node-driver-registrar:v2.9.2 (debian 11.8)
=========================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


csi-node-driver-registrar (gobinary)
====================================
Total: 4 (HIGH: 3, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.20.5            │ 1.21.11, 1.22.4                  │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                                  │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39325 │ HIGH     │        │                   │ 1.20.10, 1.21.3                  │ golang: net/http, x/net/http2: rapid stream resets can cause │
│         │                │          │        │                   │                                  │ excessive work (CVE-2023-44487)                              │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45283 │          │        │                   │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\    │
│         │                │          │        │                   │                                  │ prefix as...                                                 │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45283                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │          │        │                   │ 1.21.9, 1.22.2                   │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                                  │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘

Action: update to the current highest available minor version: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1.

longhornio/livenessprobe:v2.12.0

longhornio/livenessprobe:v2.12.0 (debian 11.8)
==============================================
Total: 0 (HIGH: 0, CRITICAL: 0)


livenessprobe (gobinary)
========================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.5            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of         │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                             │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

The current highest available minor version upstream: registry.k8s.io/sig-storage/livenessprobe:v2.12.0

Action: won't fix.

longhornio/openshift-origin-oauth-proxy:4.14

longhornio/openshift-origin-oauth-proxy:4.14 (redhat 8.6)
=========================================================
Total: 25 (HIGH: 25, CRITICAL: 0)

┌────────────────────────┬────────────────┬──────────┬────────┬──────────────────────┬──────────────────────┬──────────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability  │ Severity │ Status │  Installed Version   │    Fixed Version     │                            Title                             │
├────────────────────────┼────────────────┼──────────┼────────┼──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ bind-libs              │ CVE-2023-4408  │ HIGH     │ fixed  │ 32:9.11.36-3.el8_6.5 │ 32:9.11.36-3.el8_6.7 │ bind9: Parsing large DNS messages may cause excessive CPU    │
│                        │                │          │        │                      │                      │ load                                                         │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-4408                    │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-50387 │          │        │                      │                      │ bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-50387                   │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-50868 │          │        │                      │                      │ bind9: Preparing an NSEC3 closest encloser proof can exhaust │
│                        │                │          │        │                      │                      │ CPU resources                                                │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-50868                   │
├────────────────────────┼────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ bind-libs-lite         │ CVE-2023-4408  │          │        │                      │                      │ bind9: Parsing large DNS messages may cause excessive CPU    │
│                        │                │          │        │                      │                      │ load                                                         │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-4408                    │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-50387 │          │        │                      │                      │ bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-50387                   │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-50868 │          │        │                      │                      │ bind9: Preparing an NSEC3 closest encloser proof can exhaust │
│                        │                │          │        │                      │                      │ CPU resources                                                │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-50868                   │
├────────────────────────┼────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ bind-license           │ CVE-2023-4408  │          │        │                      │                      │ bind9: Parsing large DNS messages may cause excessive CPU    │
│                        │                │          │        │                      │                      │ load                                                         │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-4408                    │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-50387 │          │        │                      │                      │ bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-50387                   │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-50868 │          │        │                      │                      │ bind9: Preparing an NSEC3 closest encloser proof can exhaust │
│                        │                │          │        │                      │                      │ CPU resources                                                │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-50868                   │
├────────────────────────┼────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ bind-utils             │ CVE-2023-4408  │          │        │                      │                      │ bind9: Parsing large DNS messages may cause excessive CPU    │
│                        │                │          │        │                      │                      │ load                                                         │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-4408                    │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-50387 │          │        │                      │                      │ bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-50387                   │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-50868 │          │        │                      │                      │ bind9: Preparing an NSEC3 closest encloser proof can exhaust │
│                        │                │          │        │                      │                      │ CPU resources                                                │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-50868                   │
├────────────────────────┼────────────────┤          │        ├──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ glibc                  │ CVE-2024-2961  │          │        │ 2.28-189.6.el8_6     │ 2.28-189.10.el8_6    │ glibc: Out of bounds write in iconv may lead to remote       │
│                        │                │          │        │                      │                      │ code...                                                      │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-2961                    │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2024-33599 │          │        │                      │                      │ glibc: stack-based buffer overflow in netgroup cache         │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-33599                   │
├────────────────────────┼────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ glibc-common           │ CVE-2024-2961  │          │        │                      │                      │ glibc: Out of bounds write in iconv may lead to remote       │
│                        │                │          │        │                      │                      │ code...                                                      │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-2961                    │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2024-33599 │          │        │                      │                      │ glibc: stack-based buffer overflow in netgroup cache         │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-33599                   │
├────────────────────────┼────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ glibc-gconv-extra      │ CVE-2024-2961  │          │        │                      │                      │ glibc: Out of bounds write in iconv may lead to remote       │
│                        │                │          │        │                      │                      │ code...                                                      │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-2961                    │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2024-33599 │          │        │                      │                      │ glibc: stack-based buffer overflow in netgroup cache         │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-33599                   │
├────────────────────────┼────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ glibc-langpack-en      │ CVE-2024-2961  │          │        │                      │                      │ glibc: Out of bounds write in iconv may lead to remote       │
│                        │                │          │        │                      │                      │ code...                                                      │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-2961                    │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2024-33599 │          │        │                      │                      │ glibc: stack-based buffer overflow in netgroup cache         │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-33599                   │
├────────────────────────┼────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ glibc-minimal-langpack │ CVE-2024-2961  │          │        │                      │                      │ glibc: Out of bounds write in iconv may lead to remote       │
│                        │                │          │        │                      │                      │ code...                                                      │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-2961                    │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2024-33599 │          │        │                      │                      │ glibc: stack-based buffer overflow in netgroup cache         │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-33599                   │
├────────────────────────┼────────────────┤          │        ├──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ python3-bind           │ CVE-2023-4408  │          │        │ 32:9.11.36-3.el8_6.5 │ 32:9.11.36-3.el8_6.7 │ bind9: Parsing large DNS messages may cause excessive CPU    │
│                        │                │          │        │                      │                      │ load                                                         │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-4408                    │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-50387 │          │        │                      │                      │ bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-50387                   │
│                        ├────────────────┤          │        │                      │                      ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-50868 │          │        │                      │                      │ bind9: Preparing an NSEC3 closest encloser proof can exhaust │
│                        │                │          │        │                      │                      │ CPU resources                                                │
│                        │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2023-50868                   │
└────────────────────────┴────────────────┴──────────┴────────┴──────────────────────┴──────────────────────┴──────────────────────────────────────────────────────────────┘

usr/bin/oauth-proxy (gobinary)
==============================
Total: 6 (HIGH: 5, CRITICAL: 1)

┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │    Vulnerability    │ Severity │ Status │ Installed Version │          Fixed Version           │                            Title                            │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108      │ HIGH     │ fixed  │ v0.35.0           │ 0.46.0                           │ opentelemetry-go-contrib: DoS vulnerability in otelgrpc due │
│ rg/grpc/otelgrpc                                             │                     │          │        │                   │                                  │ to unbound cardinality metrics                              │
│                                                              │                     │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-47108                  │
├──────────────────────────────────────────────────────────────┼─────────────────────┤          │        ├───────────────────┼──────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/net/http/otelht- │ CVE-2023-45142      │          │        │ v0.35.1           │ 0.44.0                           │ opentelemetry: DoS vulnerability in otelhttp                │
│ tp                                                           │                     │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45142                  │
├──────────────────────────────────────────────────────────────┼─────────────────────┤          │        ├───────────────────┼──────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                                       │ GHSA-m425-mq94-257g │          │        │ v1.51.0           │ 1.56.3, 1.57.1, 1.58.3           │ gRPC-Go HTTP/2 Rapid Reset vulnerability                    │
│                                                              │                     │          │        │                   │                                  │ https://github.com/advisories/GHSA-m425-mq94-257g           │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                                                       │ CVE-2024-24790      │ CRITICAL │        │ 1.20.10           │ 1.21.11, 1.22.4                  │ golang: net/netip: Unexpected behavior from Is methods for  │
│                                                              │                     │          │        │                   │                                  │ IPv4-mapped IPv6 addresses                                  │
│                                                              │                     │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24790                  │
│                                                              ├─────────────────────┼──────────┤        │                   ├──────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-45283      │ HIGH     │        │                   │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\   │
│                                                              │                     │          │        │                   │                                  │ prefix as...                                                │
│                                                              │                     │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45283                  │
│                                                              ├─────────────────────┤          │        │                   ├──────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2023-45288      │          │        │                   │ 1.21.9, 1.22.2                   │ golang: net/http, x/net/http2: unlimited number of          │
│                                                              │                     │          │        │                   │                                  │ CONTINUATION frames causes DoS                              │
│                                                              │                     │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
└──────────────────────────────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴─────────────────────────────────────────────────────────────┘

Action: not in scope, we can update to the suggested version: quay.io/openshift/origin-oauth-proxy:4.15 (#8976 (comment))

@c3y1huang
Contributor Author

longhornio/openshift-origin-oauth-proxy:4.14

longhornio/openshift-origin-oauth-proxy:4.14 (redhat 8.6)
=========================================================
Total: 25 (HIGH: 25, CRITICAL: 0)

@derekbit, @mantissahz, is this within our scope for CVE?

cc @innobead

@mantissahz
Contributor

mantissahz commented Jul 16, 2024

> longhornio/openshift-origin-oauth-proxy:4.14
>
> longhornio/openshift-origin-oauth-proxy:4.14 (redhat 8.6)
> =========================================================
> Total: 25 (HIGH: 25, CRITICAL: 0)
>
> @derekbit, @mantissahz, is this within our scope for CVE?

We just mirrored it from https://quay.io/repository/openshift/origin-oauth-proxy?tab=tags and I think we can update it to 4.15 because we had some tests on OKD 4.15 (#8300) but it should not be within our scope for CVE.

cc @derekbit, @innobead.

@c3y1huang
Contributor Author

c3y1huang commented Jul 19, 2024

Action Summary

  • longhornio/longhorn-engine: Update dependencies.
    • grpc_health_probe v0.4.28.
  • longhornio/longhorn-instance-manager: Update dependencies.
    • grpc_health_probe v0.4.28.
  • longhornio/support-bundle-kit: Update base image.
    • Release v0.0.40.
  • longhornio/csi-attacher: Update version.
    • Current highest available minor version: v4.6.1.
  • longhornio/csi-resizer: Update version.
    • Current highest available minor version: v1.11.1.
  • longhornio/csi-node-driver-registrar: Update version.
    • Current highest available minor version: v2.10.1.
  • longhornio/openshift-origin-oauth-proxy: Update version.

Won't Fix

  • longhornio/backing-image-manager:
    • No CVE vulnerability detected.
  • longhornio/longhorn-manager:
    • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc is an indirect dependency, and the fixed version is not included in the current latest Kubernetes v1.30.3 release. It's included in the incoming v1.31.0 release.
  • longhornio/longhorn-share-manager:
    • No CVE vulnerability detected.
  • longhornio/longhorn-ui:
    • No CVE vulnerability detected.
  • longhornio/csi-provisioner:
    • The current version is the same as the highest available minor version: v4.0.1.
  • longhornio/csi-snapshotter:
    • The current version is the same as the highest available minor version: v7.0.2.
  • longhornio/livenessprobe:
    • The current version is the same as the highest available minor version: v2.12.0.

@longhorn-io-github-bot

longhorn-io-github-bot commented Jul 29, 2024

Pre Ready-For-Testing Checklist

@c3y1huang
Contributor Author

All PRs have been merged. This doesn't require effort from @longhorn/qa , any issues introduced should be detected in the daily regression run. Closing.
