
[bitnami/kube-rbac-proxy] Security issue with golang.org/x/crypto (CVE-2024-45337) and golang.org/x/net(CVE-2024-45338) #76220

Open
omkar-mane opened this issue Jan 13, 2025 · 1 comment
Labels: kube-rbac-proxy, tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments


omkar-mane commented Jan 13, 2025

Name and Version

bitnami/kube-rbac-proxy:0.18.2

What steps will reproduce the bug?

Scan the bitnami/kube-rbac-proxy latest, 0.18.2, 0.18.2-debian-12-r2, 0-debian-12, 0 images with any security tool, such as Trivy:

$ trivy image bitnami/kube-rbac-proxy:latest --scanners vuln
2025-01-13T14:34:27+05:30	INFO	[vuln] Vulnerability scanning is enabled
2025-01-13T14:34:30+05:30	INFO	Number of language-specific files	num=3
2025-01-13T14:34:30+05:30	INFO	[gobinary] Detecting vulnerabilities...
2025-01-13T14:34:30+05:30	INFO	[bitnami] Detecting vulnerabilities...
2025-01-13T14:34:30+05:30	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

 (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

┌───────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│                Library                │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├───────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/crypto (kube-rbac-proxy) │ CVE-2024-45337 │ CRITICAL │ fixed  │ v0.29.0           │ 0.31.0        │ golang.org/x/crypto/ssh: Misuse of                     │
│                                       │                │          │        │                   │               │ ServerConfig.PublicKeyCallback may cause authorization │
│                                       │                │          │        │                   │               │ bypass in golang.org/x/crypto                          │
│                                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45337             │
├───────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/net (kube-rbac-proxy)    │ CVE-2024-45338 │ HIGH     │        │ v0.31.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of           │
│                                       │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html      │
│                                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338             │
└───────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

kube-rbac-proxy (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ CRITICAL │ fixed  │ v0.29.0           │ 0.31.0        │ golang.org/x/crypto/ssh: Misuse of                     │
│                     │                │          │        │                   │               │ ServerConfig.PublicKeyCallback may cause authorization │
│                     │                │          │        │                   │               │ bypass in golang.org/x/crypto                          │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45337             │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2024-45338 │ HIGH     │        │ v0.31.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of           │
│                     │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html      │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338             │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

What is the expected behavior?

We shouldn't get golang.org/x/crypto and golang.org/x/net vulnerabilities, as they are fixed upstream.

What do you see instead?

We are getting golang.org/x/crypto and golang.org/x/net vulnerabilities.

@omkar-mane omkar-mane added the tech-issues The user has a technical issue about an application label Jan 13, 2025
@github-actions github-actions bot added the triage Triage is needed label Jan 13, 2025
carrodher (Member) commented

I understand your concern about security vulnerabilities. We regularly update our images with the latest system packages; however, certain CVEs may persist until they are patched in the application. Additionally, some CVEs remain unfixed due to the absence of available patches. In vulnerability scanners like Trivy, you can use the --ignore-unfixed flag to ignore such CVEs. You can learn more about our CVE policy here. In this case, the CVEs are included in the kube-rbac-proxy binary; we can't do anything else until the upstream maintainers cut a new release of kube-rbac-proxy updating the affected modules.

If you have any further questions, feel free to ask.
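The distinction the maintainer draws above, between CVEs an image rebuild can address (OS packages) and CVEs compiled into the application binary (which only an upstream release changes), can be applied automatically when triaging scanner output. As an added example that is not part of this thread, the Python below buckets a Trivy JSON report (`trivy image --format json`) by the `Class` of the result that reported each finding; the report is a constructed sample mirroring the two findings above, not a real scanner capture.

```python
"""Triage a Trivy JSON report into what an image rebuild can fix (OS packages)
versus what needs an upstream release of the application (Go binary)."""
import json

# Constructed sample in the shape of `trivy image --format json` output, mirroring
# the two gobinary findings in the table above. Not a real scanner capture.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "bitnami/kube-rbac-proxy:latest",
    "Results": [
        {"Target": "bitnami/kube-rbac-proxy:latest (debian 12)", "Class": "os-pkgs",
         "Type": "debian"},                      # Trivy omits "Vulnerabilities" when none
        {"Target": "kube-rbac-proxy", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-45337", "PkgName": "golang.org/x/crypto",
              "InstalledVersion": "v0.29.0", "FixedVersion": "0.31.0",
              "Severity": "CRITICAL", "Status": "fixed"},
             {"VulnerabilityID": "CVE-2024-45338", "PkgName": "golang.org/x/net",
              "InstalledVersion": "v0.31.0", "FixedVersion": "0.33.0",
              "Severity": "HIGH", "Status": "fixed"},
         ]},
    ],
})


def triage(report_json: str, ignore_unfixed: bool = False) -> dict:
    """Bucket findings by who can act on them.
    image_rebuild:    OS packages with a fixed version; the image maintainer can rebuild.
    upstream_release: packages compiled into an application binary; only a new
                      upstream release of that application changes them.
    unfixed:          no fixed version yet; what `--ignore-unfixed` would hide."""
    buckets = {"image_rebuild": [], "upstream_release": [], "unfixed": []}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities", []):  # key absent when no findings
            entry = {"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                     "target": result["Target"], "severity": vuln.get("Severity"),
                     "installed": vuln.get("InstalledVersion"),
                     "fixed": vuln.get("FixedVersion", "")}
            if not entry["fixed"]:
                if not ignore_unfixed:
                    buckets["unfixed"].append(entry)
            elif result.get("Class") == "os-pkgs":
                buckets["image_rebuild"].append(entry)
            else:
                buckets["upstream_release"].append(entry)
    return buckets


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(bucket)
        for e in entries:
            print(f"  {e['id']} {e['pkg']} {e['installed']} -> {e['fixed']} ({e['target']})")
```

On the sample both findings land in `upstream_release`, which is the outcome the maintainer describes: nothing for the image build to rebuild, everything waiting on a new kube-rbac-proxy release.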
