Are high vulnerabilities being addressed?

[ronkara]

Hello,
This is a question however vulnerability updating per NIST standards requires them to be resolved within specific timeframes. We would like to update to version 1.11 from 1.10 however we are not seeing resolution of the CVEs listed below even though there are fixes available. Can you tell me when version 1.12 will be released and if it will fix the libcrypto and libssl vulns associated with the CVEs? I am required to publish updates to our customers on a monthly basis regarding existing vulns and if they are not remediated within expected timeframes when the last time I contacted the vendor was, etc.

CVE-2022-4450
CVE-2023-0215
CVE-2023-0286

thank you!

[ronkara]

Could someone give an ETA on when the next release will be available and if it will incorporate resolution of the previously listed CVEs?

[mauriciopoppe]

These are vulns for the rust openssl package, how did you find that this repo written in golang uses those dependencies? I couldn't find anything related with ssl in https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/go.mod

[ronkara]

Thank you for the response. We are using AWS and the container is /k8s.gcr.io/sig-storage/hostpathplugin if that helps you. The scanner we are using is Sysdig and it is finding them as know, vulnerable CVEs so there is something about libssl and libcrypto deployed in this container that is triggering these high findings. This is an off the shelf container and not anything that we would have built.

[mauriciopoppe]

Gotcha there might be vulnerabilities in the image https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/Dockerfile. So this CSI Driver is used for testing purposes as a demo CSI Driver.

I added this to our backlog but we don't have SLOs for components that aren't supposed to be used in production, cc @msau42.

If you're using this in production maybe you should evaluate other solutions.

[xing-yang]

@ronkara Please feel free to submit fixes for CVEs and we can help review and merge them.

[xing-yang]

/help wanted

[ronkara]

hi @xing-yang , I don't have a mergeable fix but the files in question may be part of the alpine build or the linux-coreutils as the Sysdig container scan states they are OS vulns. The specific issue and the fix versions are as follows:

libcrypto1.1 fix version 1.1.1t-r0
libssl1.1 fix version 1.1.1t-r0

The CVEs are listed in the original message. Just because rust isn't being used, I suspect updating the build to latest version of alpine and linux-coreutils will resolve these vulnerabilities for us.

[singhc1997]

Hi @xing-yang as @ronkara mentioned the following CVEs above:
CVE-2022-4450
CVE-2023-0215
CVE-2023-0286
They seem to be related to the openssl 3.0.7-r2 package which I am assuming comes with the alpine image. Since they are OS vulns I was thinking by pulling the latest alpine image will resolve these vulnerabilities because apk update && apk upgrade will also pull in the new packages when we rebuilt the image.

[ronkara]

/help wanted please if someone has the capability of updating the underlying alpine build to see if this resolves the libcrypto1.1 fix version 1.1.1t-r0 and libssl1.1 fix version 1.1.1t-r0 per guidance from singhc1997.

[jingxu97]

@ronkara wondering you will have some bandwidth to help fix this?