CVE-2024-4603, CVE-2024-4741 in `registry.k8s.io/build-image/distroless-iptables:v0.6.2`

[aramase]

What happened:

CVE in registry.k8s.io/build-image/distroless-iptables:v0.6.2 image

➜ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/build-image/distroless-iptables:v0.6.2       
2024-09-02T23:44:36.552-0700    INFO    Need to update DB
2024-09-02T23:44:36.553-0700    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-09-02T23:44:36.553-0700    INFO    Downloading DB...
52.71 MiB / 52.71 MiB [-----------------------------------------------------------------------------------------------------] 100.00% 20.13 MiB p/s 2.8s
2024-09-02T23:44:40.496-0700    INFO    Vulnerability scanning is enabled
2024-09-02T23:44:40.496-0700    INFO    Secret scanning is enabled
2024-09-02T23:44:40.496-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-02T23:44:40.496-0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-09-02T23:44:48.201-0700    INFO    Detected OS: debian
2024-09-02T23:44:48.201-0700    INFO    Detecting Debian vulnerabilities...
2024-09-02T23:44:48.209-0700    INFO    Number of language-specific files: 0

registry.k8s.io/build-image/distroless-iptables:v0.6.2 (debian 12.6)

Total: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────┬─────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version   │                        Title                        │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2024-4603 │ MEDIUM   │ fixed  │ 3.0.13-1~deb12u1  │ 3.0.14-1~deb12u1 │ openssl: Excessive time spent checking DSA keys and │
│         │               │          │        │                   │                  │ parameters                                          │
│         │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-4603           │
│         ├───────────────┤          │        │                   │                  ├─────────────────────────────────────────────────────┤
│         │ CVE-2024-4741 │          │        │                   │                  │ openssl: Use After Free with SSL_free_buffers       │
│         │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-4741           │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────┴─────────────────────────────────────────────────────┘

What you expected to happen:

New distroless-iptables images with CVEs resolved.

[cpanato]

I will rebuild that in the next cycle

/assign

[jwtty]

Looks like go-runner also needs update:

go-runner (gobinary)
====================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-[34](https://github.com/Azure/kube-egress-gateway/actions/runs/10803240810/job/29966762466?pr=718#step:9:35)156 │ HIGH     │ fixed  │ 1.23.0           │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

[BenTheElder]

We don't actually use OpenSSL? Or we shouldn't be (should be go stdlib crypto)

[BenTheElder]

We can probably drop this from the image. I can't think why we even have it.

Something to investigate for sure ...

[haitch]

registry.k8s.io/build-image/distroless-iptables:v0.6.3 is fine, but we are stopping effort on go1.22.7/1.23.1 , and moving to go1.22.8/1.23.2, so v0.6.4 should be available soon.

trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/build-image/distroless-iptables:v0.6.3
2024-10-15T09:09:13.611-0700	INFO	Need to update DB
2024-10-15T09:09:13.611-0700	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2024-10-15T09:09:13.611-0700	INFO	Downloading DB...
54.29 MiB / 54.29 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 36.30 MiB p/s 1.7s
2024-10-15T09:09:15.770-0700	INFO	Vulnerability scanning is enabled
2024-10-15T09:09:15.770-0700	INFO	Secret scanning is enabled
2024-10-15T09:09:15.770-0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T09:09:15.770-0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2024-10-15T09:09:16.124-0700	INFO	Detected OS: debian
2024-10-15T09:09:16.124-0700	INFO	Detecting Debian vulnerabilities...
2024-10-15T09:09:16.125-0700	INFO	Number of language-specific files: 0

registry.k8s.io/build-image/distroless-iptables:v0.6.3 (debian 12.7)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten