
CVEs in kube-webhook-certgen image #11997

Closed
toffiebotha opened this issue Sep 19, 2024 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@toffiebotha

The v20231226-1a7112e06 tag of kube-webhook-certgen pulled from registry.k8s.io/ingress-nginx contains the following vulnerabilities.

These issues were found through Azure Defender and Docker Scout.

| CVE ID | SEVERITY | VULNERABLE PACKAGE NAME | INSTALLED VERSION | FIXED IN VERSION |
|---|---|---|---|---|
| CVE-2024-24786 | High | google.golang.org/protobuf | 1.26.0.0 | 1.33.0 |
| CVE-2023-45288 | High | golang.org/x/net | 0.17.0.0 | 0.23.0 |

Originally used tag v20221220-controller-v1.5.1-58-g787ea74b6 and noticed v20231226-1a7112e06 fixes a couple of other CVEs.
Wasn't able to pick up the tagging strategy for this image. Is v20231226-1a7112e06 considered officially released?

Updating to the latest versions of these dependencies would help with security compliance.

@toffiebotha toffiebotha added the kind/bug Categorizes issue or PR as related to a bug. label Sep 19, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Sep 19, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Gacko
Member

Gacko commented Sep 19, 2024

Please use v1.4.3 of the image. This is included in the latest releases of our chart (v4.11.2 & v4.10.4).

Here's the go.mod at the point of building this version of the image:

https://github.com/kubernetes/ingress-nginx/blob/b933310da5914adbf3f243b5cf902c245d5a0cef/images/kube-webhook-certgen/rootfs/go.mod
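For anyone who wants to check a go.mod such as the one linked above against the fixed versions from the table in this issue, here is a small added example (not the ingress-nginx project's own code). The `fixedIn` table is taken from the issue, the sample go.mod is constructed, and `Outdated` returns every listed module whose required version is still below the fix; pseudo-versions and pre-releases rank just below the plain release they precede.

```go
package main

import "strconv"
import "strings"

// Fixed versions for the two CVEs listed in this issue's table.
var fixedIn = map[string]string{
	"google.golang.org/protobuf": "v1.33.0",
	"golang.org/x/net":           "v0.23.0",
}
// Constructed sample go.mod (not the project's real file): x/net is already
// at its fixed version, protobuf is still on the vulnerable side.
const sampleGoMod = "module example.invalid/certgen\n\nrequire (\n" +
	"\tgolang.org/x/net v0.23.0\n\tgoogle.golang.org/protobuf v1.26.0 // indirect\n)\n"
// verKey orders vMAJOR.MINOR.PATCH tags numerically; a "-" suffix (pre-release or
// pseudo-version such as v0.0.0-2023...) ranks just below the plain release.
func verKey(v string) int64 {
	core, suffix, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	key := int64(0)
	for _, p := range strings.SplitN(core, ".", 3) {
		n, _ := strconv.Atoi(strings.TrimSuffix(p, "+incompatible"))
		key = key*100000 + int64(n)
	}
	if suffix != "" {
		return key*2 - 1
	}
	return key * 2
}
// Outdated returns module -> required version for each fixedIn module still below its fix.
func Outdated(gomod string) map[string]string {
	bad, block := map[string]string{}, ""
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.Split(raw, "//")[0]) // drop "// indirect" etc.
		mod, ver := "", ""
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0] // require, replace, exclude or retract block
		case len(f) == 1 && f[0] == ")":
			block = ""
		case block == "require" && len(f) == 2:
			mod, ver = f[0], f[1]
		case block == "" && len(f) == 3 && f[0] == "require":
			mod, ver = f[1], f[2]
		}
		if fixed, ok := fixedIn[mod]; ok && verKey(ver) < verKey(fixed) {
			bad[mod] = ver
		}
	}
	return bad
}
```

Note that this reads go.mod requirements only; the versions actually linked into a binary are better read with `go version -m` on the binary, since `replace` directives and MVS can change them.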

@Gacko Gacko closed this as completed Sep 19, 2024
@toffiebotha
Author

toffiebotha commented Sep 20, 2024

Excellent! Thanks for the quick response! I can confirm v1.4.3 contains the updated versions.
Would you mind explaining the image tags?
v20221220-controller-v1.5.1-58-g787ea74b6, which contains v1.5.1 in the text, seemed higher in version, and the date text of v20231226-1a7112e06 was higher, which I took for a later image/version, but inspecting v1.4.3 I can see it was pushed just a month ago.

@Gacko
Member

Gacko commented Sep 20, 2024

Hey,

I'm sorry for the confusion about the image tags. We are trying to improve this situation with every release.

The v1.5.1 references the Ingress NGINX Controller version the Kubernetes Webhook CertGen image was released with.

Regards
Marco
