Review Traefik chart because of CVE-2024-45410

[alvsanand]

It has been disclosed recently a critical vulnerability and k3s must ensure to use a patched version (>= 2.11.9 and 3.1.3). The vulnerability can be found here: https://nvd.nist.gov/vuln/detail/CVE-2024-45410

[brandond]

We'll bump the image for next months releases. In the mean time you can change the tag deployed by the chart by customizing the chart as described here: https://docs.k3s.io/helm#customizing-packaged-components-with-helmchartconfig

[mossroy]

Just adding a note that version 2.11.9 of Treafik (first patched one) is not available in the default registry used by k3s (see https://hub.docker.com/r/rancher/mirrored-library-traefik/tags), but 2.11.10 is there.

So I simply applied this with kubectl:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    # TODO Temporary workaround for https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv (CVE-2024-45410)
    image:
      name: traefik
      tag: 2.11.10

And it seems to work fine on my v1.30.4+k3s1 cluster

[mossroy]

The title of this discussion should be fixed: the CVE name is CVE-2024-45410 instead of CVE-2025-45410: we're not "back to the future" ;-)

[dereknola]

Closing as traefik has now been bumped to 2.11.10 in the October 2024 set of releases