
[BACKPORT][v1.7.2][TASK] Update CSI components to address CVE issues #9563

Closed
github-actions bot opened this issue Oct 2, 2024 · 6 comments
Labels
area/csi CSI related like control/node driver, sidecars area/security System or volume data access security kind/backport Backport request kind/task General task request to fulfill another primary request priority/0 Must be implement or fixed in this release (managed by PO)

Comments

github-actions bot commented Oct 2, 2024

backport #9561

@github-actions github-actions bot added area/csi CSI related like control/node driver, sidecars area/security System or volume data access security kind/backport Backport request kind/task General task request to fulfill another primary request labels Oct 2, 2024
@github-actions github-actions bot added this to the v1.7.2 milestone Oct 2, 2024
@github-project-automation github-project-automation bot moved this to New Issues in Longhorn Sprint Oct 2, 2024
@c3y1huang c3y1huang moved this from New Issues to Analysis and Design in Longhorn Sprint Oct 3, 2024
c3y1huang (Contributor) commented Oct 3, 2024

Action Plan

Fix

  • longhornio/csi-attacher: Update to v4.7.0.
  • longhornio/csi-resizer: Update to v1.12.0.

Won't Fix

  • longhornio/csi-snapshotter: Currently at the latest released minor version. Will not update to the major version due to potential breaking changes. Ref: https://kubernetes-csi.github.io/docs/project-policies.html#versioning
    • Cannot update longhornio/csi-snapshotter to a fixed major version without dropping support for the current minimum Kubernetes version (from 1.21 to 1.25).
  • longhornio/csi-provisioner: Currently at the latest released minor version. Will not update to the major version due to potential breaking changes. Ref: https://kubernetes-csi.github.io/docs/project-policies.html#versioning
  • longhornio/csi-node-driver-registrar: Won't fix. Currently at the latest released version.
  • longhornio/livenessprobe: Won't fix. Currently at the latest released version.

@c3y1huang c3y1huang moved this from Analysis and Design to Implement in Longhorn Sprint Oct 3, 2024
@c3y1huang c3y1huang changed the title [BACKPORT][v1.7.2][TASK] Update CSI components to address CVE issues [BACKPORT][v1.7.2][TASK] Update CSI components Oct 4, 2024
@c3y1huang c3y1huang changed the title [BACKPORT][v1.7.2][TASK] Update CSI components [BACKPORT][v1.7.2][TASK] Update CSI components to address CVE issues Oct 4, 2024
@c3y1huang c3y1huang moved this from Implement to Review in Longhorn Sprint Oct 4, 2024
longhorn-io-github-bot commented Oct 4, 2024

Pre Ready-For-Testing Checklist

  • Where is the reproduce steps/test steps documented?
    The reproduce steps/test steps are at:

  • Is there a workaround for the issue? If so, where is it documented?
    The workaround is at:

  • Does the PR include the explanation for the fix or the feature?

  • Does the PR include deployment change (YAML/Chart)? If so, where are the PRs for both YAML file and Chart?
    The PR for the YAML/chart change is at: fix(cve): csi components #9566

  • Has the backend code been merged (Manager, Engine, Instance Manager, BackupStore etc) (including backport-needed/*)?
    The PR is at

  • Which areas/issues this PR might have potential impacts on?
    Area CSI, CVE
    Issues

  • If labeled: require/LEP Has the Longhorn Enhancement Proposal PR submitted?
    The LEP PR is at

  • If labeled: area/ui Has the UI issue filed or ready to be merged (including backport-needed/*)?
    The UI issue/PR is at

  • If labeled: require/doc Has the necessary document PR submitted or merged (including backport-needed/*)?
    The documentation issue/PR is at

  • If labeled: require/automation-e2e Has the end-to-end test plan been merged? Have QAs agreed on the automation test case? If only test case skeleton w/o implementation, have you created an implementation issue (including backport-needed/*)
    The automation skeleton PR is at
    The automation test case PR is at
    The issue of automation test case implementation is at (please create by the template)

  • If labeled: require/automation-engine Has the engine integration test been merged (including backport-needed/*)?
    The engine automation PR is at

  • If labeled: require/manual-test-plan Has the manual test plan been documented?
    The updated manual test plan is at

  • If the fix introduces the code for backward compatibility Has a separate issue been filed with the label release/obsolete-compatibility?
    The compatibility issue is filed at

derekbit (Member) commented Oct 7, 2024

╰─$ trivy image longhornio/csi-attacher:v4.6.1-20241007                                                                                                                                                                    1 ↵
2024-10-07T20:02:40+08:00       INFO    [vuln] Vulnerability scanning is enabled
2024-10-07T20:02:40+08:00       INFO    [secret] Secret scanning is enabled
2024-10-07T20:02:40+08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-07T20:02:40+08:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-07T20:02:45+08:00       INFO    Detected OS     family="debian" version="12.7"
2024-10-07T20:02:45+08:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=3
2024-10-07T20:02:45+08:00       INFO    Number of language-specific files       num=1
2024-10-07T20:02:45+08:00       INFO    [gobinary] Detecting vulnerabilities...

longhornio/csi-attacher:v4.6.1-20241007 (debian 12.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


csi-attacher (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│        Library         │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ google.golang.org/grpc │ GHSA-xr7q-jx4m-x55m │ LOW      │ fixed  │ v1.64.0           │ 1.64.1        │ Private tokens could appear in logs if context containing │
│                        │                     │          │        │                   │               │ gRPC metadata is...                                       │
│                        │                     │          │        │                   │               │ https://github.com/advisories/GHSA-xr7q-jx4m-x55m         │
└────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
╭─dereksu@DerekdeMacBook-Air ~/go/src/github.com/longhorn 
╰─$ trivy image longhornio/csi-provisioner:v4.0.1-20241007                                       
2024-10-07T20:02:49+08:00       INFO    [vuln] Vulnerability scanning is enabled
2024-10-07T20:02:49+08:00       INFO    [secret] Secret scanning is enabled
2024-10-07T20:02:49+08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-07T20:02:49+08:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-07T20:02:54+08:00       INFO    Detected OS     family="debian" version="12.7"
2024-10-07T20:02:54+08:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=3
2024-10-07T20:02:54+08:00       INFO    Number of language-specific files       num=1
2024-10-07T20:02:54+08:00       INFO    [gobinary] Detecting vulnerabilities...
2024-10-07T20:02:54+08:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.

longhornio/csi-provisioner:v4.0.1-20241007 (debian 12.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


csi-provisioner (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-45288 │ MEDIUM   │ fixed  │ v0.19.0           │ 0.23.0         │ golang: net/http, x/net/http2: unlimited number of          │
│                  │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
├──────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-34156 │ HIGH     │        │ 1.21.13           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│                  │                │          │        │                   │                │ which contains deeply nested structures...                  │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│                  ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│                  │                │          │        │                   │                │ containing deeply nested literals...                        │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│                  ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│                  │                │          │        │                   │                │ build tag line with...                                      │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘
╭─dereksu@DerekdeMacBook-Air ~/go/src/github.com/longhorn 
╰─$ trivy image longhornio/csi-resizer:v1.11.2-20241007                                          
2024-10-07T20:02:57+08:00       INFO    [vuln] Vulnerability scanning is enabled
2024-10-07T20:02:57+08:00       INFO    [secret] Secret scanning is enabled
2024-10-07T20:02:57+08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-07T20:02:57+08:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-07T20:02:59+08:00       INFO    Detected OS     family="debian" version="12.7"
2024-10-07T20:02:59+08:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=3
2024-10-07T20:02:59+08:00       INFO    Number of language-specific files       num=1
2024-10-07T20:02:59+08:00       INFO    [gobinary] Detecting vulnerabilities...

longhornio/csi-resizer:v1.11.2-20241007 (debian 12.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

╭─dereksu@DerekdeMacBook-Air ~/go/src/github.com/longhorn 
╰─$ trivy image longhornio/csi-snapshotter:v7.0.2-20241007                                       
2024-10-07T20:03:04+08:00       INFO    [vuln] Vulnerability scanning is enabled
2024-10-07T20:03:04+08:00       INFO    [secret] Secret scanning is enabled
2024-10-07T20:03:04+08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-07T20:03:04+08:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-07T20:03:06+08:00       INFO    Detected OS     family="debian" version="12.7"
2024-10-07T20:03:06+08:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=3
2024-10-07T20:03:06+08:00       INFO    Number of language-specific files       num=1
2024-10-07T20:03:06+08:00       INFO    [gobinary] Detecting vulnerabilities...
2024-10-07T20:03:06+08:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.

longhornio/csi-snapshotter:v7.0.2-20241007 (debian 12.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


csi-snapshotter (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-45288 │ MEDIUM   │ fixed  │ v0.20.0           │ 0.23.0         │ golang: net/http, x/net/http2: unlimited number of          │
│                  │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
├──────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-34156 │ HIGH     │        │ 1.21.13           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│                  │                │          │        │                   │                │ which contains deeply nested structures...                  │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│                  ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│                  │                │          │        │                   │                │ containing deeply nested literals...                        │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│                  ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│                  │                │          │        │                   │                │ build tag line with...                                      │
│                  │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

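The scans above are read by eye, one image at a time. As an added example (not Longhorn's, Trivy's or the commenter's own code), the following Python script consumes a `trivy image --format json` report, reproduces the per-target `Total:` lines shown above, and fails the image when an unsuppressed finding sits at or above a chosen severity. `SAMPLE_REPORT` is a hand-constructed report whose findings mirror the csi-provisioner table above; the JSON field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `Severity`, `PkgName`, `InstalledVersion`, `FixedVersion`) are Trivy's standard ones, and the `suppressed` argument is a hypothetical stand-in for a VEX-style list of already-assessed IDs.

```python
"""Gate container images on a Trivy JSON report (added example, not Longhorn code)."""
import json
import sys
from collections import Counter

# Trivy's severity ladder, lowest to highest.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of `trivy image --format json`, trimmed to
# the fields used below. The findings mirror the csi-provisioner table in the
# scan output above; the report is hand-written, not captured from trivy.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "longhornio/csi-provisioner:v4.0.1-20241007",
    "Results": [
        {"Target": "longhornio/csi-provisioner:v4.0.1-20241007 (debian 12.7)",
         "Class": "os-pkgs", "Type": "debian"},
        {"Target": "csi-provisioner", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-45288", "PkgName": "golang.org/x/net",
              "InstalledVersion": "v0.19.0", "FixedVersion": "0.23.0",
              "Severity": "MEDIUM", "Status": "fixed"},
             {"VulnerabilityID": "CVE-2024-34156", "PkgName": "stdlib",
              "InstalledVersion": "1.21.13", "FixedVersion": "1.22.7, 1.23.1",
              "Severity": "HIGH", "Status": "fixed"},
             {"VulnerabilityID": "CVE-2024-34155", "PkgName": "stdlib",
              "InstalledVersion": "1.21.13", "FixedVersion": "1.22.7, 1.23.1",
              "Severity": "MEDIUM", "Status": "fixed"},
             {"VulnerabilityID": "CVE-2024-34158", "PkgName": "stdlib",
              "InstalledVersion": "1.21.13", "FixedVersion": "1.22.7, 1.23.1",
              "Severity": "MEDIUM", "Status": "fixed"},
         ]},
    ],
})


def parse_report(text):
    """Parse a Trivy JSON report string into a dict."""
    return json.loads(text)


def summarize(report):
    """Per-target severity counts: the numbers behind Trivy's 'Total: ...' lines.

    A result without a 'Vulnerabilities' key (trivy omits it when the target
    is clean) counts as zero across the board.
    """
    summary = {}
    for result in report.get("Results", []):
        counts = Counter({sev: 0 for sev in SEVERITIES})
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in SEVERITIES else "UNKNOWN"] += 1
        summary[result["Target"]] = counts
    return summary


def format_total(counts):
    """Render counts in Trivy's layout, e.g. 'Total: 4 (UNKNOWN: 0, LOW: 0, ...)'."""
    total = sum(counts[sev] for sev in SEVERITIES)
    detail = ", ".join(f"{sev}: {counts[sev]}" for sev in SEVERITIES)
    return f"Total: {total} ({detail})"


def blocking_findings(report, min_severity="HIGH", suppressed=()):
    """Findings at or above min_severity, minus IDs on a suppression list.

    `suppressed` is a hypothetical stand-in for a VEX-style list of IDs already
    assessed as not affecting this image; it is not a real VEX document.
    """
    threshold = SEVERITIES.index(min_severity)
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            rank = SEVERITIES.index(sev) if sev in SEVERITIES else 0
            if rank >= threshold and vuln["VulnerabilityID"] not in suppressed:
                hits.append((result["Target"], vuln["VulnerabilityID"],
                             vuln.get("PkgName"), vuln.get("InstalledVersion"),
                             vuln.get("FixedVersion")))
    return hits


def gate(report_text, min_severity="HIGH", suppressed=()):
    """True when the image passes: nothing unsuppressed at or above min_severity."""
    return not blocking_findings(parse_report(report_text), min_severity, suppressed)


if __name__ == "__main__":
    # Usage: trivy image --format json IMAGE | python gate.py [MIN_SEVERITY]
    # Falls back to the constructed sample when no report is piped in.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    min_sev = sys.argv[1].upper() if len(sys.argv) > 1 else "HIGH"
    report = parse_report(text)
    for target, counts in summarize(report).items():
        print(f"{target}\n{format_total(counts)}\n")
    for target, vid, pkg, installed, fixed in blocking_findings(report, min_sev):
        print(f"BLOCK {target}: {vid} in {pkg} {installed} (fixed in {fixed})")
    sys.exit(0 if gate(text, min_sev) else 1)
```

Run against the sample, the script prints the same `Total: 0` and `Total: 4 (... MEDIUM: 3, HIGH: 1 ...)` lines as the scan above and exits non-zero because of CVE-2024-34156; lowering the bar to MEDIUM would also block the three x/net and stdlib findings, which is the call an image-promotion job has to make explicitly rather than by reading tables.
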
derekbit (Member) commented Oct 7, 2024

Added the CSI repos into VEX scanning
https://github.com/rancher/image-scanning/pull/462

cc @c3y1huang

@derekbit derekbit moved this from Review to Ready For Testing in Longhorn Sprint Oct 7, 2024
derekbit (Member) commented Oct 7, 2024

Pre Ready-For-Testing Checklist

  • Where is the reproduce steps/test steps documented?
    The reproduce steps/test steps are at:

  • Is there a workaround for the issue? If so, where is it documented?
    The workaround is at:

  • Does the PR include the explanation for the fix or the feature?

  • Does the PR include deployment change (YAML/Chart)? If so, where are the PRs for both YAML file and Chart?
    The PR for the YAML/chart change is at: fix(cve): update CSI images for fixing CVE-2024-24790 #9587

  • Has the backend code been merged (Manager, Engine, Instance Manager, BackupStore etc) (including backport-needed/*)?
    The PR is at

  • Which areas/issues this PR might have potential impacts on?
    Area CSI, CVE
    Issues

chriscchien (Contributor) commented

Closing this ticket as the v1.7.x daily run has no outstanding issues found (build86 - 0 failures); in addition, the security scan has 1 critical found.

@github-project-automation github-project-automation bot moved this from Testing to Closed in Longhorn Sprint Oct 8, 2024