CVE-2024-6119 in controller:v1.11.2 #11965

Closed
yizhang-zen opened this issue Sep 10, 2024 · 5 comments
Labels: kind/bug, needs-priority, triage/accepted

Comments

@yizhang-zen

What scanner and version reported the CVE?

➔ grype --version
grype 0.80.0

What CVE was reported in the scanner findings?

libcrypto3                      3.3.1-r3   3.3.2-r0  apk        CVE-2024-6119        High
libssl3                         3.3.1-r3   3.3.2-r0  apk        CVE-2024-6119        High
openssl                         3.3.1-r3   3.3.2-r0  apk        CVE-2024-6119        High

What versions of the controller did you test with?

registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce

Please provide other details that will help us determine the severity of the issue

CVE-2024-6119
Our internal scanner labeled it as severity High.

@yizhang-zen yizhang-zen added the kind/bug Categorizes issue or PR as related to a bug. label Sep 10, 2024
@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Sep 10, 2024
@longwuyuan
Contributor

It will be fixed in the next release of the controller

/triage-accepted

@longwuyuan
Contributor

% grype `k -n ingress-nginx describe po ingress-nginx-controller-7b7b559f8b-5cspd| grep -i image: | awk '{print $2}'`
 ✔ Vulnerability DB                [no update available]  
 ✔ Loaded image                                                registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
 ✔ Parsed image                                                                                                 sha256:a80c8fd6e52292d38d4e58453f310d612da59d802a3b62f4b88a21c50178f7ab
 ✔ Cataloged contents                                                                                                  7c13334325ce9dab5664c6a4e74bd144352e4e0d9867c12f1689ce11c8294035
   ├── ✔ Packages                        [210 packages]  
   ├── ✔ File digests                    [783 files]  
   ├── ✔ File metadata                   [783 locations]  
   └── ✔ Executables                     [214 executables]  
 ✔ Scanned for vulnerabilities     [31 vulnerability matches]  
   ├── by severity: 0 critical, 9 high, 7 medium, 1 low, 0 negligible (14 unknown)
   └── by status:   6 fixed, 25 not-fixed, 0 ignored 
NAME                            INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY 
curl                            8.9.0-r0   8.9.1-r0  apk        CVE-2024-7264        Medium    
github.com/opencontainers/runc  v1.1.13    1.1.14    go-module  GHSA-jfvp-7x6p-h2pv  Low       
grpc                            1.62.1-r0            apk        CVE-2024-7246        Unknown   
grpc-cpp                        1.62.1-r0            apk        CVE-2024-7246        Unknown   
libaddress_sorting              1.62.1-r0            apk        CVE-2024-7246        Unknown   
libcrypto3                      3.3.1-r3   3.3.2-r0  apk        CVE-2024-6119        High      
libcurl                         8.9.0-r0   8.9.1-r0  apk        CVE-2024-7264        Medium    
libgpr                          1.62.1-r0            apk        CVE-2024-7246        Unknown   
libgrpc                         1.62.1-r0            apk        CVE-2024-7246        Unknown   
libgrpc_unsecure                1.62.1-r0            apk        CVE-2024-7246        Unknown   
libssl3                         3.3.1-r3   3.3.2-r0  apk        CVE-2024-6119        High      
libupb_base_lib                 1.62.1-r0            apk        CVE-2024-7246        Unknown   
libupb_json_lib                 1.62.1-r0            apk        CVE-2024-7246        Unknown   
libupb_mem_lib                  1.62.1-r0            apk        CVE-2024-7246        Unknown   
libupb_message_lib              1.62.1-r0            apk        CVE-2024-7246        Unknown   
libupb_textformat_lib           1.62.1-r0            apk        CVE-2024-7246        Unknown   
nginx                           1.25.5               binary     CVE-2024-7347        Medium    
nginx                           1.25.5               binary     CVE-2024-35200       Medium    
nginx                           1.25.5               binary     CVE-2024-34161       Medium    
nginx                           1.25.5               binary     CVE-2024-32760       Medium    
nginx                           1.25.5               binary     CVE-2024-31079       Medium    
openssl                         3.3.1-r3   3.3.2-r0  apk        CVE-2024-6119        High      
stdlib                          go1.22.6             go-module  CVE-2024-34158       High      
stdlib                          go1.22.6             go-module  CVE-2024-34156       High      
stdlib                          go1.22.6             go-module  CVE-2024-34155       Unknown
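The scan above is run by hand against the image digest the pod is actually running, which is the right reference to scan (a tag such as v1.11.2 can be re-pushed, a digest cannot). To turn the same check into a release gate, the following is an added example (not code from ingress-nginx or from grype) that reads `grype <image> -o json` output and fails when a tracked CVE such as CVE-2024-6119 is present, or when any High/Critical finding already has a fixed version in the distro (so a rebuild on a newer base would clear it). Unfixed High findings, such as the Go stdlib ones in the table, are reported but do not block, since there is nothing to upgrade to yet. The embedded report is constructed to mirror the thread's table and assumes grype's JSON layout (`matches[].vulnerability.{id,severity,fix.versions}` and `matches[].artifact.{name,version,type}`); the field names are an assumption about that format, not something the issue shows.

```python
"""Release gate over `grype -o json` output (added example, not project code)."""
import json
import sys
from typing import Iterable

# Constructed sample in the shape of grype JSON output; values mirror the
# v1.11.2 table in the thread. Illustrative data, not a captured scan.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2024-6119", "severity": "High",
                           "fix": {"versions": ["3.3.2-r0"], "state": "fixed"}},
         "artifact": {"name": "libssl3", "version": "3.3.1-r3", "type": "apk"}},
        {"vulnerability": {"id": "CVE-2024-6119", "severity": "High",
                           "fix": {"versions": ["3.3.2-r0"], "state": "fixed"}},
         "artifact": {"name": "libcrypto3", "version": "3.3.1-r3", "type": "apk"}},
        {"vulnerability": {"id": "CVE-2024-7264", "severity": "Medium",
                           "fix": {"versions": ["8.9.1-r0"], "state": "fixed"}},
         "artifact": {"name": "curl", "version": "8.9.0-r0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-2024-34158", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "stdlib", "version": "go1.22.6", "type": "go-module"}},
    ]
})

BLOCKING_SEVERITIES = {"High", "Critical"}


def parse_matches(report_json: str) -> list[dict]:
    """Flatten grype matches to one row per (package, CVE) finding."""
    report = json.loads(report_json)
    rows = []
    for m in report.get("matches", []):
        vuln = m.get("vulnerability", {})
        art = m.get("artifact", {})
        rows.append({
            "cve": vuln.get("id", ""),
            "package": art.get("name", ""),
            "installed": art.get("version", ""),
            # Empty string when the distro has not shipped a fix yet.
            "fixed_in": ", ".join(vuln.get("fix", {}).get("versions", [])),
            "severity": vuln.get("severity", "Unknown"),
        })
    return rows


def violations(rows: list[dict], tracked_cves: Iterable[str]) -> list[dict]:
    """A finding blocks if it is an explicitly tracked CVE, or if it is
    High/Critical and a fixed version exists (a rebuild would resolve it).
    Unfixed High findings are surfaced elsewhere but do not block here."""
    tracked = set(tracked_cves)
    blocked = []
    for r in rows:
        if r["cve"] in tracked:
            blocked.append(r)
        elif r["severity"] in BLOCKING_SEVERITIES and r["fixed_in"]:
            blocked.append(r)
    return blocked


def gate(report_json: str, tracked_cves: Iterable[str] = ()) -> tuple[bool, list[dict]]:
    """Return (passed, blocking_findings) for one grype JSON report."""
    blocked = violations(parse_matches(report_json), tracked_cves)
    return (len(blocked) == 0, blocked)


if __name__ == "__main__":
    # Usage: grype registry.k8s.io/ingress-nginx/controller@sha256:<digest> -o json > report.json
    #        python3 gate.py report.json CVE-2024-6119
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, encoding="utf-8").read() if path else SAMPLE_GRYPE_JSON
    ok, blocked = gate(data, tracked_cves=sys.argv[2:] or ["CVE-2024-6119"])
    for r in blocked:
        print(f"BLOCK {r['cve']} {r['package']} {r['installed']} -> "
              f"{r['fixed_in'] or 'no fix'} ({r['severity']})")
    sys.exit(0 if ok else 1)
```

On the sample data the gate fails on libssl3 and libcrypto3 (CVE-2024-6119, fixed in 3.3.2-r0) and ignores the Medium curl finding and the unfixed Go stdlib findings; rerunning it against the image digest of a patched controller release is the check that closes an issue like this one.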

@longwuyuan
Contributor

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 11, 2024
@Gacko Gacko closed this as completed Sep 11, 2024
@sunnybangale

@longwuyuan Do you have any estimated date on the next release of the controller?

@Gacko
Member

Gacko commented Oct 2, 2024

We are currently working on it. There will be a v1.12.0 (maybe a beta first), v1.11.3 and v1.10.5, all of them containing the required patches.

7 participants