V1.13.x CVE 2023 45288 #9452

Merged
merged 7 commits into from
May 9, 2024
Conversation

sheidkamp
Contributor

@sheidkamp sheidkamp commented May 6, 2024

Description

Updated CloudBuilder version from 0.7.1 to 0.7.6. This version is already in use in the EE 1.13 branch, added here

This PR does not address the CVEs found on the kubectl image, as images with the fix are not available:

These CVEs have been added to the .trivyignore file, along with CVE-2024-26147, which is being ignored in later versions but had not yet surfaced in this one. This approach was discussed here.

CVE-2023-45288 is addressed on non-kubectl images

Currently this PR does not fix CVE-2023-45288 as there are no compatible bitnami/kubectl images available that contain updates which address this CVE.

Context

Addressing a CVE

Testing steps

Existing versions:

for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.13.36"; done
Results:
2024-05-08T12:07:56-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:07:56-04:00	INFO	Secret scanning is enabled
2024-05-08T12:07:56-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:07:56-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:07:57-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-05-08T12:07:57-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-05-08T12:07:57-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:07:57-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.13.36 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:07:57-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/gloo (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:07:57-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:07:57-04:00	INFO	Secret scanning is enabled
2024-05-08T12:07:57-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:07:57-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:07:58-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-05-08T12:07:58-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-05-08T12:07:58-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:07:58-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.13.36 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/envoyinit (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:07:58-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:07:58-04:00	INFO	Secret scanning is enabled
2024-05-08T12:07:58-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:07:58-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:07:59-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:07:59-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:07:59-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:07:59-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.13.36 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:07:59-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/discovery (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:07:59-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:07:59-04:00	INFO	Secret scanning is enabled
2024-05-08T12:07:59-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:07:59-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:08:00-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:08:00-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:08:00-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:08:00-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.13.36 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:08:00-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/ingress (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:08:00-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:08:00-04:00	INFO	Secret scanning is enabled
2024-05-08T12:08:00-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:08:00-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:08:01-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:08:01-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:08:01-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:08:01-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.13.36 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:08:01-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/sds (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:08:01-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:08:01-04:00	INFO	Secret scanning is enabled
2024-05-08T12:08:01-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:08:01-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:08:02-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:08:02-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:08:02-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:08:02-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.13.36 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/certgen (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:08:03-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:08:03-04:00	INFO	Secret scanning is enabled
2024-05-08T12:08:03-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:08:03-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection


2024-05-08T12:08:25-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:08:25-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:08:25-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:08:25-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.13.36 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/access-logger (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:08:25-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:08:25-04:00	INFO	Secret scanning is enabled
2024-05-08T12:08:25-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:08:25-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:08:25-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:08:25-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:08:25-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:08:25-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.13.36 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/kubectl (gobinary)

Total: 3 (HIGH: 3, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-39325 │ HIGH     │ fixed  │ 1.20.6            │ 1.20.10, 1.21.3                  │ golang: net/http, x/net/http2: rapid stream resets can cause │
│         │                │          │        │                   │                                  │ excessive work (CVE-2023-44487)                              │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45283 │          │        │                   │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\    │
│         │                │          │        │                   │                                  │ prefix as...                                                 │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45283                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │          │        │                   │ 1.21.9, 1.22.2                   │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                                  │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘

New versions (local)

VERSION=1.13.36-cve make docker -B
for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.13.36-cve"; done
Results of scan
2024-05-08T12:09:38-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:09:38-04:00	INFO	Secret scanning is enabled
2024-05-08T12:09:38-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:09:38-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:09:39-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-05-08T12:09:39-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-05-08T12:09:39-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:09:39-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.13.36-9452 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:39-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/gloo (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:39-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:09:39-04:00	INFO	Secret scanning is enabled
2024-05-08T12:09:39-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:09:39-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:09:40-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-05-08T12:09:40-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-05-08T12:09:40-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:09:40-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.13.36-9452 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:40-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:09:40-04:00	INFO	Secret scanning is enabled
2024-05-08T12:09:40-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:09:40-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:09:41-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:09:41-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:09:41-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:09:41-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.13.36-9452 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:41-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/discovery (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:41-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:09:41-04:00	INFO	Secret scanning is enabled
2024-05-08T12:09:41-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:09:41-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:09:42-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:09:42-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:09:42-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:09:42-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.13.36-9452 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:42-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/ingress (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:43-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:09:43-04:00	INFO	Secret scanning is enabled
2024-05-08T12:09:43-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:09:43-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:09:43-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:09:43-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:09:43-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:09:43-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.13.36-9452 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:43-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/sds (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:44-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:09:44-04:00	INFO	Secret scanning is enabled
2024-05-08T12:09:44-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:09:44-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:09:44-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:09:44-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:09:44-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:09:44-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.13.36-9452 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:45-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:09:45-04:00	INFO	Secret scanning is enabled
2024-05-08T12:09:45-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:09:45-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:09:45-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:09:45-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:09:45-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:09:45-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.13.36-9452 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:46-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:09:46-04:00	INFO	Secret scanning is enabled
2024-05-08T12:09:46-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:09:46-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:09:47-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:09:47-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:09:47-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:09:47-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.13.36-9452 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:09:47-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/kubectl (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)
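Because the remaining kubectl findings are hidden by `.trivyignore` rather than fixed, it is worth being able to see which HIGH/CRITICAL results a scan is suppressing and whether each suppression has an expiry. The script below is an added example, not code from this repository: it applies the same HIGH/CRITICAL filter as the scan loop above to a constructed `trivy image -f json` report and a constructed `.trivyignore` (trivy's `exp:YYYY-MM-DD` suffix is assumed to be the expiry syntax), and separates reported, suppressed and undated entries.

```python
"""Cross-check a trivy JSON report against a .trivyignore file.

Added example, not part of the gloo repository. Shows which findings a
scheduled scan would still report, which are hidden only by .trivyignore,
and which suppressions have no expiry date.
"""
import json
from datetime import date

# Constructed .trivyignore in trivy's format: one ID per line, '#' comments,
# optional 'exp:YYYY-MM-DD' after which the entry no longer suppresses anything.
TRIVYIGNORE = """\
# kubectl image: no bitnami/kubectl image with the fixes is available yet
CVE-2023-39325 exp:2024-09-01
CVE-2023-45283 exp:2024-09-01
# ignored in later branches; no expiry recorded (flagged by this script)
CVE-2024-26147
"""

# Constructed trivy JSON report (trimmed to the fields used here). The IDs and
# versions mirror the kubectl table above; CVE-0000-0001 is a placeholder
# MEDIUM finding added only to exercise the severity filter.
REPORT = json.loads("""
{
  "ArtifactName": "quay.io/solo-io/kubectl:1.13.36",
  "Results": [
    {"Target": "quay.io/solo-io/kubectl:1.13.36 (alpine 3.17.6)", "Type": "alpine"},
    {"Target": "usr/local/bin/kubectl", "Type": "gobinary",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2023-39325", "PkgName": "stdlib", "Severity": "HIGH",
        "InstalledVersion": "1.20.6", "FixedVersion": "1.20.10, 1.21.3"},
       {"VulnerabilityID": "CVE-2023-45283", "PkgName": "stdlib", "Severity": "HIGH",
        "InstalledVersion": "1.20.6", "FixedVersion": "1.20.11, 1.21.4, 1.20.12, 1.21.5"},
       {"VulnerabilityID": "CVE-2023-45288", "PkgName": "stdlib", "Severity": "HIGH",
        "InstalledVersion": "1.20.6", "FixedVersion": "1.21.9, 1.22.2"},
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "stdlib", "Severity": "MEDIUM",
        "InstalledVersion": "1.20.6", "FixedVersion": "1.21.0"}
     ]}
  ]
}
""")


def parse_trivyignore(text, today):
    """Return {cve_id: expiry_or_None} for entries still in force on `today`.

    Expired entries are dropped, because trivy stops suppressing them too.
    """
    active = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        cve_id, expiry = parts[0], None
        for token in parts[1:]:
            if token.startswith("exp:"):
                expiry = date.fromisoformat(token[4:])
        if expiry is not None and expiry < today:
            continue
        active[cve_id] = expiry
    return active


def triage(report, ignore, severities=("HIGH", "CRITICAL")):
    """Split findings at the given severities into (reported, suppressed).

    Each entry is (target, cve_id, package, fixed_version). A finding is
    suppressed only when its ID is in the active .trivyignore set.
    """
    reported, suppressed = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["Severity"] not in severities:
                continue
            entry = (result["Target"], vuln["VulnerabilityID"],
                     vuln["PkgName"], vuln["FixedVersion"])
            bucket = suppressed if vuln["VulnerabilityID"] in ignore else reported
            bucket.append(entry)
    return reported, suppressed


def undated_suppressions(ignore):
    """IDs ignored with no expiry: these outlive the reason they were added."""
    return sorted(cve for cve, exp in ignore.items() if exp is None)


if __name__ == "__main__":
    ignore = parse_trivyignore(TRIVYIGNORE, date.today())
    reported, suppressed = triage(REPORT, ignore)
    for label, entries in (("REPORTED", reported), ("SUPPRESSED", suppressed)):
        for target, cve, pkg, fixed in entries:
            print(f"{label:10} {cve} {pkg} in {target} (fixed in {fixed})")
    for cve in undated_suppressions(ignore):
        print(f"WARNING    {cve} is ignored without an expiry date")
```

Run against a real report with `trivy image -f json -o report.json <image>` and load that file in place of the constructed `REPORT`.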

Scan images built for this PR

for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.13.36-9452"; done

@sheidkamp sheidkamp added the work in progress signals bulldozer to keep pr open (don't auto-merge) label May 6, 2024
@github-actions github-actions bot added the keep pr updated signals bulldozer to keep pr up to date with base branch label May 6, 2024
@solo-changelog-bot

Issues linked to changelog:
#9443

@sheidkamp sheidkamp changed the title Update cloudbuild.yaml V1.13.x CVE 2023 45288 May 8, 2024
Contributor

@nfuden nfuden left a comment

I don't think the trivy ignore actually does anything for our scheduled job but I don't think that should block this

@sheidkamp sheidkamp removed the work in progress signals bulldozer to keep pr open (don't auto-merge) label May 9, 2024
@soloio-bulldozer soloio-bulldozer bot merged commit 8eb413f into v1.13.x May 9, 2024
14 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the v1.13.x-CVE-2023-45288 branch May 9, 2024 15:15