
CVE-2023-47108 "Vulnerability detected affecting otelgrpc v0.42.0" found in kube-rbac-proxy v0.16.0 #281

Closed
nirav-radia-sp opened this issue Feb 28, 2024 · 7 comments
Labels
not a CVE for kube-rbac-proxy It doesn't affect the kube-rbac-proxy project

Comments

@nirav-radia-sp

```text
18:58:19 + python /app/cs_imagescan.py --repo <ECR_REPO>/mirror/quay.io/brancz/kube-rbac-proxy --skip-push --tag v0.16.0 -c us-2
18:58:19 INFO Downloading Image Scan Report
18:58:30 INFO Searching for vulnerabilities in scan report...
18:58:30 WARNING HIGH CVE-2023-47108 Vulnerability detected affecting go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0
18:58:30 INFO Searching for leaked secrets in scan report...
18:58:30 INFO Searching for malware in scan report...
18:58:30 INFO Searching for misconfigurations in scan report...
18:58:30 ERROR Exiting: Vulnerability score threshold exceeded: '500' out of '500'
```

We're seeing the above vulnerability in the latest version (v0.16.0) of kube-rbac-proxy. What is the mitigation timeline for fixing this?

@changluyi

I encountered the same issue and submitted a PR, but no one has replied to me:
#282

@ibihim
Collaborator

ibihim commented Mar 18, 2024

Hi,

I will take a look, but CVEs in dependencies that are not within the code path of kube-rbac-proxy are not a priority. kube-rbac-proxy doesn't use any instrumentation itself.

I am the only maintainer and I need to prioritize, and code changes made to satisfy code scanners are not at the top. (In case you are curious, the order is: 1. real CVEs, 2. bugs, 3. the work to make it a Kubernetes project.)

kubernetes/kubernetes#121338 (comment)

@ibihim ibihim added the not a CVE for kube-rbac-proxy It doesn't affect the kube-rbac-proxy project label Mar 18, 2024
@ibihim
Collaborator

ibihim commented Mar 18, 2024

@changluyi, your PRs are not working.

It would be nice if you could at least check if it builds.

@ibihim
Collaborator

ibihim commented Mar 25, 2024

Should be fixed with #287

@nirav-radia-sp
Author

> Should be fixed with #287

@ibihim The CVE points to otelgrpc v0.42.0 as the source of the vulnerability, but that reference was not updated in the above PR. Curious how that fixes the said issue?

@ibihim
Collaborator

ibihim commented Apr 4, 2024

Does it not? I assumed that k8s fixed it in v1.29

https://github.com/kubernetes/kubernetes/blob/master/go.mod#L68

Curious why upstream doesn't fix it...

... Anyway, I will try to bump it by hand then. It is not easy to bump the telemetry stuff. It looks like their dependencies are a "Kuddelmuddel", as we would say in Germany. A mess. And it doesn't affect krp.
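The two questions raised in this thread, whether a CVE in a transitive dependency is actually on kube-rbac-proxy's code path, and how bumping the k8s.io/* requirements changes the otelgrpc version that ends up in the binary, are both answered by Go's own tooling: `go mod why -m <module>` prints the requirement chain that pulls a module in, `go list -m <module>` prints the single version that minimal version selection (MVS) builds, and `govulncheck ./...` (or `govulncheck -mode binary <binary>` against the shipped executable) distinguishes vulnerabilities whose vulnerable functions are reachable from the program from ones that are merely present in an imported module, which is the distinction an image scanner matching on versions alone cannot make. As an added illustration of what those commands compute, here is a small Go program that is mine, not kube-rbac-proxy's or Kubernetes' code. It runs over a constructed `go mod graph` sample: the edges, and in particular the assumption that k8s.io/apiserver is the module requiring otelgrpc, are invented; only the module paths, the affected v0.42.0 and the fixed release v0.46.0 of otelgrpc come from the report and the CVE-2023-47108 advisory.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go mod graph` output, not the real kube-rbac-proxy graph
// (that k8s.io/apiserver is the module requiring otelgrpc is an assumption).
// Each line is "<requirer> <requirement>"; the main module has no "@version".
const (
	sampleGraph = `github.com/brancz/kube-rbac-proxy k8s.io/apiserver@v1.28.0
github.com/brancz/kube-rbac-proxy k8s.io/client-go@v1.28.0
k8s.io/apiserver@v1.28.0 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.42.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.42.0 go.opentelemetry.io/otel@v1.19.0
`
	rootModule   = "github.com/brancz/kube-rbac-proxy"
	otelgrpcPath = "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
	fixedVersion = "v0.46.0" // first otelgrpc release containing the CVE-2023-47108 fix
)

// parseGraph turns `go mod graph` text into an adjacency list keyed by node.
func parseGraph(s string) map[string][]string {
	g := map[string][]string{}
	for _, line := range strings.Split(s, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

// splitNode separates "path@version"; the main module yields version "".
func splitNode(n string) (string, string) {
	if i := strings.Index(n, "@"); i >= 0 {
		return n[:i], n[i+1:]
	}
	return n, ""
}

// findChain is a breadth-first search from root to any version of target; it returns
// the shortest requirement chain (what `go mod why -m` reports) or nil if absent.
func findChain(g map[string][]string, root, target string) []string {
	prev := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if p, _ := splitNode(n); p == target {
			var chain []string
			for c := n; c != ""; c = prev[c] {
				chain = append([]string{c}, chain...)
			}
			return chain
		}
		for _, c := range g[n] {
			if _, seen := prev[c]; !seen { // `go mod graph` can contain cycles
				prev[c] = n
				queue = append(queue, c)
			}
		}
	}
	return nil
}

// versionParts parses a plain "vX.Y.Z" version into integers (no pre-release handling).
func versionParts(v string) (p [3]int) {
	for i, s := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		p[i], _ = strconv.Atoi(s)
	}
	return
}

// versionLess is numeric major.minor.patch comparison (so v0.9.0 < v0.46.0).
func versionLess(a, b string) bool {
	pa, pb := versionParts(a), versionParts(b)
	return pa[0] < pb[0] || pa[0] == pb[0] && (pa[1] < pb[1] || pa[1] == pb[1] && pa[2] < pb[2])
}

// selectedVersion approximates minimal version selection: the highest version of path
// anywhere in the graph is the one that gets built (`go list -m <path>` is authoritative).
func selectedVersion(g map[string][]string, path string) string {
	best := ""
	for parent, children := range g {
		for _, n := range append([]string{parent}, children...) {
			if p, v := splitNode(n); p == path && (best == "" || versionLess(best, v)) {
				best = v
			}
		}
	}
	return best
}

func main() {
	g := parseGraph(sampleGraph)
	v := selectedVersion(g, otelgrpcPath)
	fmt.Println("chain:", strings.Join(findChain(g, rootModule, otelgrpcPath), " -> "))
	fmt.Printf("selected %s, affected by CVE-2023-47108: %v\n", v, versionLess(v, fixedVersion))
}
```

The point of `selectedVersion` is the one behind the "how does bumping k8s fix it" question: the project's go.mod need not name otelgrpc at all; once any requirer in the graph asks for v0.46.0 or later, MVS builds that version and the older requirement becomes irrelevant. Whether the selected version is even reachable is a separate question that only a call-graph tool such as `govulncheck` answers; a version match in an image scanner is a prompt to run it, not a verdict.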

@ibihim
Collaborator

ibihim commented Jun 5, 2024

Should be fixed. If not, please reopen. #298

@ibihim ibihim closed this as completed Jun 5, 2024