CVE-2024-22189 HIGH vulnerability wiz-kubernetes-integration@v0.1.100 helm chart

[BurakCetin3129]

When I install wiz-kubernetes-integration@v0.1.100 helm chart, wiz-kubernetes-connector has CVE-2024-22189 HIGH vulnerability finding.

Can you please fix it?

[ofirc-wiz]

Hi @BurakCetin3129, thanks for the post, Ofir from the Kubernetes team in Wiz.
How did you scan it?
Is it possible that you are using old images / old Helm Charts?
Please share a reproducer and we will look into that.

Thanks.

[BurakCetin3129]

Hi @ofirc-wiz

It's a Wiz finding :)
I installed wiz-kubernetes-integration helm chart version: 0.1.100 and then Wiz image vulnerability scan found CVE-2024-22189 HIGH vulnerability on wiz-kubernetes-connector

[BurakCetin3129]

I think wiz-kubernetes-integration helm chart version: 0.1.100 is the latest one. I'm using this unified helm chart to install all kubernetes deployments.

[BurakCetin3129]

I installed wiz-kubernetes-integration helm chart version: 0.1.106 but it still has the vulnerability. Is there any plan to mitigate it @ofirc-wiz ?

[bluPhy]

@BurakCetin3129 CVE-2024-22189 is coming from registry.k8s.io/coredns/coredns:v1.11.1 which at this time is the latest release version, this is fixed in coredns:v1.11.3 as per CVE-2024-22189 - Memory Exhaustion Attack using library github.com/quic-go/quic-go #6597 , but as is not fully released then we don't have an image yet (2024-June-08). More info here