
Malicious docker layer in updated docker image for deployment manifest for kind #11612

Closed
v-ware opened this issue Jul 15, 2024 · 7 comments · Fixed by #11617
Labels
kind/support Categorizes issue or PR as a support question. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@v-ware

v-ware commented Jul 15, 2024

We are unable to pull the latest docker images in the deployment manifest for kind due to the presence of a malicious docker layer.

[image: corrupted]

We use this link to access the manifest:

https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml

VirusTotal scan of the malicious docker layer:

https://www.virustotal.com/gui/file/e01108844c75b2e32f1da70532071698d23baae10b8978be6246bbd34e705e27/detection

[image]

This started to happen with the recent changes to the images last week:

b6fa279#diff-04e9b7595b4502c5c2ac7e44a853ecfbdbeb5c5b73ec18895bea00204a21eede

Can this be checked as we are blocked with the kubernetes deployment of our application?

@v-ware v-ware added the kind/bug Categorizes issue or PR as related to a bug. label Jul 15, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jul 15, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@longwuyuan
Contributor

longwuyuan commented Jul 15, 2024

/remove-kind bug
/kind support

Since there are too many scanners out there, and the real, practical, high-priority actionable vulnerabilities are presented closer to the exposure in the data path, the project relies on tools like grype and maybe a couple of others for actionable feedback. For example, please look at this:

% grype registry.k8s.io/ingress-nginx/controller:v1.11.0@sha256:a886e56d532d1388c77c8340261149d974370edca1093af4c97a96fb1467cb39
 ✔ Vulnerability DB                [updated]  
 ✔ Pulled image                    
 ✔ Loaded image                                                   registry.k8s.io/ingress-ng
 ✔ Parsed image                    sha256:bcb840ba02d3eb300b1c13876604e4286794e5873eacbb86  
 ✔ Cataloged contents              b4ae832d14f2ee33eeb89992fa5af7492bfd74e797e94d1b59fb70b  
   ├── ✔ Packages                        [210 packages]  
   ├── ✔ File digests                    [783 files]  
   ├── ✔ File metadata                   [783 locations]  
   └── ✔ Executables                     [214 executables]  
 ✔ Scanned for vulnerabilities     [7 vulnerability matches]  
   ├── by severity: 0 critical, 3 high, 4 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 7 not-fixed, 0 ignored 
NAME    INSTALLED  FIXED-IN  TYPE       VULNERABILITY   SEVERITY 
nginx   1.25.5               binary     CVE-2024-35200  Medium    
nginx   1.25.5               binary     CVE-2024-34161  Medium    
nginx   1.25.5               binary     CVE-2024-32760  Medium    
nginx   1.25.5               binary     CVE-2024-31079  Medium    
stdlib  go1.22.4             go-module  CVE-2024-24791  High

The issue description is referring to a layer of the image and that is not actionable.

Also there are false-positives involved in the scanning process.

@k8s-ci-robot k8s-ci-robot added kind/support Categorizes issue or PR as a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels Jul 15, 2024
@zeeZ
Contributor

zeeZ commented Jul 15, 2024

The scanners are triggered by files in /etc/nginx/owasp-modsecurity-crs/tests/regression/tests/.

It looks like those test files were previously excluded. Maybe their path changed during a module upgrade?

rm -rf /etc/nginx/owasp-modsecurity-crs/util/regression-tests
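To triage a finding like this one offline, here is an added example (not ingress-nginx project code) that walks a `docker save` tarball and reports which layer carries files under the CRS regression-test path, and whether a later layer whiteouts them. The two-layer image it inspects is constructed inline; the layer blob keeps the files even when a later layer deletes them, which is why per-layer scanners keep flagging them.

```python
"""Find which layers of a `docker save` tarball carry files under a path prefix
and whether a later layer whiteouts them. Added example; image content is constructed."""
import io
import json
import tarfile

CRS_TESTS = "etc/nginx/owasp-modsecurity-crs/tests/regression/tests/"


def _tar_bytes(files):
    """Build an in-memory tar (one layer blob, or the outer image) from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed image: layer 0 ships a CRS test file, layer 1 deletes the dir via whiteout."""
    layer0 = _tar_bytes({CRS_TESTS + "sample-test.yaml": b"# constructed payloads\n"})
    layer1 = _tar_bytes({"etc/nginx/owasp-modsecurity-crs/tests/regression/.wh.tests": b""})
    manifest = [{"Config": "cfg.json", "Layers": ["l0/layer.tar", "l1/layer.tar"]}]
    return _tar_bytes({"manifest.json": json.dumps(manifest).encode(),
                       "l0/layer.tar": layer0, "l1/layer.tar": layer1})


def _whiteout_covers(entry, prefix):
    """True if an OCI whiteout entry (.wh.name or opaque .wh..wh..opq) deletes prefix."""
    d, _, base = entry.rpartition("/")
    if not base.startswith(".wh."):
        return False
    covered = d if base == ".wh..wh..opq" else f"{d}/{base[4:]}"
    p = prefix.rstrip("/")
    return p == covered or p.startswith(covered + "/")


def find_prefix_in_layers(image_tar, prefix):
    """Return ({layer: [paths]}, hidden): files under prefix per layer, and whether a
    later layer whiteouts them. The earlier blob still contains the files either way."""
    hits, hidden = {}, False
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as img:
        for name in json.load(img.extractfile("manifest.json"))[0]["Layers"]:
            with tarfile.open(fileobj=img.extractfile(name)) as layer:
                names = layer.getnames()
            found = [n for n in names if n.startswith(prefix)]
            if found:
                hits[name] = found
            elif hits and any(_whiteout_covers(n, prefix) for n in names):
                hidden = True
    return hits, hidden
```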

@longwuyuan
Contributor

Post a CVE link

@strongjz
Member

We did upgrade the nginx build to 1.25.5 and #11511

@zeeZ
Contributor

zeeZ commented Jul 19, 2024

@v-ware the offending files should be gone now with 1.10.3/1.11.1

@v-ware
Author

v-ware commented Jul 22, 2024

@zeeZ yes, we are able to install 1.11.1 without any issue now. Thanks for your help.

5 participants