Are high vulnerabilities being addressed? #402

Open. ronkara opened this issue Mar 22, 2023 · 10 comments

Labels: help wanted (denotes an issue that needs help from a contributor; must meet "help wanted" guidelines).

Comments

ronkara commented Mar 22, 2023

Hello,
This is a question; however, vulnerability updating per NIST standards requires them to be resolved within specific timeframes. We would like to update to version 1.11 from 1.10; however, we are not seeing resolution of the CVEs listed below even though there are fixes available. Can you tell me when version 1.12 will be released and if it will fix the libcrypto and libssl vulns associated with the CVEs? I am required to publish updates to our customers on a monthly basis regarding existing vulns and, if they are not remediated within expected timeframes, when the last time I contacted the vendor was, etc.

CVE-2022-4450
CVE-2023-0215
CVE-2023-0286

Thank you!

ronkara (Author) commented Apr 7, 2023

Could someone give an ETA on when the next release will be available and if it will incorporate resolution of the previously listed CVEs?

mauriciopoppe (Member) commented

These are vulns for the Rust openssl package; how did you find that this repo, written in golang, uses those dependencies? I couldn't find anything related to SSL in https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/go.mod

ronkara (Author) commented Apr 11, 2023

Thank you for the response. We are using AWS, and the container is /k8s.gcr.io/sig-storage/hostpathplugin if that helps you. The scanner we are using is Sysdig, and it is finding them as known, vulnerable CVEs, so there is something about libssl and libcrypto deployed in this container that is triggering these high findings. This is an off-the-shelf container and not anything that we would have built.

mauriciopoppe (Member) commented Apr 12, 2023

Gotcha, there might be vulnerabilities in the image https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/Dockerfile. So this CSI Driver is used for testing purposes as a demo CSI Driver.

I added this to our backlog but we don't have SLOs for components that aren't supposed to be used in production, cc @msau42.

If you're using this in production, maybe you should evaluate other solutions.

xing-yang (Contributor) commented

@ronkara Please feel free to submit fixes for CVEs and we can help review and merge them.

xing-yang (Contributor) commented

/help wanted

ronkara (Author) commented Apr 27, 2023

Hi @xing-yang, I don't have a mergeable fix, but the files in question may be part of the alpine build or the linux-coreutils, as the Sysdig container scan states they are OS vulns. The specific issue and the fix versions are as follows:

libcrypto1.1 fix version 1.1.1t-r0
libssl1.1 fix version 1.1.1t-r0

The CVEs are listed in the original message. Even though rust isn't being used, I suspect updating the build to the latest version of alpine and linux-coreutils will resolve these vulnerabilities for us.

singhc1997 commented

Hi @xing-yang, as @ronkara mentioned the following CVEs above:
CVE-2022-4450
CVE-2023-0215
CVE-2023-0286
They seem to be related to the openssl 3.0.7-r2 package, which I am assuming comes with the alpine image. Since they are OS vulns, I was thinking that pulling the latest alpine image will resolve these vulnerabilities, because apk update && apk upgrade will also pull in the new packages when we rebuild the image.
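One way to confirm the remediation path discussed in this thread after a rebuild (that the installed libssl1.1/libcrypto1.1 packages actually reach fix version 1.1.1t-r0) is to compare `apk list --installed` output against the fix versions the scanner reported. This is an added example, not code from the csi-driver-host-path project; the sample package lines are constructed, and the version ordering is a simplified form of apk's (letter patch levels and `-rN` releases only).

```python
"""Verify that installed Alpine packages meet the fix versions a scanner reported."""
import re

# Fix versions quoted in the issue thread (Sysdig findings for the hostpathplugin image).
FIX_VERSIONS = {"libssl1.1": "1.1.1t-r0", "libcrypto1.1": "1.1.1t-r0"}

# Constructed sample of `apk list --installed` output from a not-yet-rebuilt image.
SAMPLE_APK_LIST = """\
libcrypto1.1-1.1.1s-r0 x86_64 {openssl} (OpenSSL) [installed]
libssl1.1-1.1.1s-r0 x86_64 {openssl} (OpenSSL) [installed]
musl-1.2.3-r4 x86_64 {musl} (MIT) [installed]
ca-certificates-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
"""

def parse_apk_list(text):
    """Map package name -> version. The name ends at the first '-' followed by a digit."""
    installed = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+?)-(\d\S*)\s", line)
        if m:
            installed[m.group(1)] = m.group(2)
    return installed

def version_key(version):
    """Comparable tuple for an apk version such as '1.1.1s-r0'.

    Digit runs compare numerically and letter runs lexically, so 1.1.1s < 1.1.1t
    and 1.1.1 < 1.1.1s; the -rN release number is compared last. Simplified (an
    assumption of this example): apk's _alpha/_p style suffixes are not handled.
    """
    pkgver, _, rel = version.partition("-r")
    tokens = [(0, int(t)) if t.isdigit() else (1, t)
              for t in re.findall(r"\d+|[A-Za-z]+", pkgver)]
    return (tuple(tokens), int(rel) if rel.isdigit() else -1)

def is_older(installed, fixed):
    """True when the installed version is below the version that carries the fix."""
    return version_key(installed) < version_key(fixed)

def find_unpatched(installed, fixes):
    """Return {name: (installed, fix)} for packages still below their fix version."""
    return {name: (installed[name], fix) for name, fix in fixes.items()
            if name in installed and is_older(installed[name], fix)}

if __name__ == "__main__":
    for name, (have, need) in find_unpatched(parse_apk_list(SAMPLE_APK_LIST), FIX_VERSIONS).items():
        print(f"{name}: installed {have}, fix in {need} -> rebuild on a newer Alpine base and apk upgrade")
```

Run it against real output with `docker run --rm <image> apk list --installed` piped in place of the constructed sample; an empty result after the rebuild means the two findings should clear on the next scan.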

xing-yang added the help wanted label May 3, 2023

ronkara (Author) commented May 9, 2023

/help wanted please, if someone has the capability of updating the underlying alpine build, to see if this resolves the libcrypto1.1 fix version 1.1.1t-r0 and libssl1.1 fix version 1.1.1t-r0 per guidance from singhc1997.

jingxu97 (Contributor) commented

@ronkara, wondering if you will have some bandwidth to help fix this?


5 participants