Image openebs/zfs-driver tag 2.8.0 is affected by CVE-2024-24790

[borbediana]

What steps did you take and what happened:
Trivy vulnerability scan reports following CRITICAL vulnerability: CVE-2024-24790

• https://avd.aquasec.com/nvd/2024/cve-2024-24790
• https://www.cve.org/CVERecord?id=CVE-2024-24790

Environment: (affected artifact)

• "digest": "sha256:e2284cf97d0c47e79267731bdf9e71f0ca1ae529a6a541f222b66e5d5b794edd"
• "repository": "openebs/zfs-driver"
• "tag": "2.8.0"

[Abhinandan-Purkait]

Hi @borbediana, thanks for reporting this, as I can see the affected versions point to Golang 1.22.4 and before. As a part of 2.9.0 we have bumped up the Golang to 1.24, so hopefully this should be covered? Please let me know if there is anything more that you anticipate.

[Abhinandan-Purkait]

Update: Ran trivy against the upcoming release candidate.

➜  zfs-localpv git:(release/2.9) trivy image docker.io/openebs/zfs-driver:2.9.0-prerelease
2025-11-17T08:40:52Z    INFO    [vuln] Vulnerability scanning is enabled
2025-11-17T08:40:52Z    INFO    [secret] Secret scanning is enabled
2025-11-17T08:40:52Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-11-17T08:40:52Z    INFO    [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-11-17T08:40:52Z    INFO    Detected OS     family="ubuntu" version="18.04"
2025-11-17T08:40:52Z    INFO    [ubuntu] Detecting vulnerabilities...   os_version="18.04" pkg_num=108
2025-11-17T08:40:52Z    INFO    Number of language-specific files       num=1
2025-11-17T08:40:52Z    INFO    [gobinary] Detecting vulnerabilities...
2025-11-17T08:40:52Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.67/docs/scanner/vulnerability#severity-selection for details.
2025-11-17T08:40:52Z    WARN    This OS version is no longer supported by the distribution      family="ubuntu" version="18.04"
2025-11-17T08:40:52Z    WARN    The vulnerability detection may be insufficient because security updates are not provided

Report Summary

┌──────────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                            Target                            │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ docker.io/openebs/zfs-driver:2.9.0-prerelease (ubuntu 18.04) │  ubuntu  │        0        │    -    │
├──────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/zfs-driver                                     │ gobinary │       10        │    -    │
└──────────────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


usr/local/bin/zfs-driver (gobinary)

Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 4, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-58183 │ HIGH     │ fixed  │ v1.24.7           │ 1.24.8, 1.25.2 │ golang: archive/tar: Unbounded allocation when parsing GNU   │
│         │                │          │        │                   │                │ sparse map                                                   │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58183                   │
│         ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58186 │          │        │                   │                │ Despite HTTP headers having a default limit of 1MB, the      │
│         │                │          │        │                   │                │ number of...                                                 │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58186                   │
│         ├────────────────┤          │        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58187 │          │        │                   │ 1.24.9, 1.25.3 │ Due to the design of the name constraint checking algorithm, │
│         │                │          │        │                   │                │ the proce...                                                 │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58187                   │
│         ├────────────────┤          │        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58188 │          │        │                   │ 1.24.8, 1.25.2 │ Validating certificate chains which contain DSA public keys  │
│         │                │          │        │                   │                │ can cause ......                                             │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58188                   │
│         ├────────────────┼──────────┤        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-47912 │ MEDIUM   │        │                   │                │ net/url: Insufficient validation of bracketed IPv6 hostnames │
│         │                │          │        │                   │                │ in net/url                                                   │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-47912                   │
│         ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58185 │          │        │                   │                │ encoding/asn1: Parsing DER payload can cause memory          │
│         │                │          │        │                   │                │ exhaustion in encoding/asn1                                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58185                   │
│         ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-58189 │          │        │                   │                │ crypto/tls: go crypto/tls ALPN negotiation error contains    │
│         │                │          │        │                   │                │ attacker controlled information                              │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-58189                   │
│         ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61723 │          │        │                   │                │ encoding/pem: Quadratic complexity when parsing some invalid │
│         │                │          │        │                   │                │ inputs in encoding/pem                                       │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-61723                   │
│         ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61724 │          │        │                   │                │ net/textproto: Excessive CPU consumption in                  │
│         │                │          │        │                   │                │ Reader.ReadResponse in net/textproto                         │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-61724                   │
│         ├────────────────┤          │        │                   │                ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61725 │          │        │                   │                │ net/mail: Excessive CPU consumption in ParseAddress in       │
│         │                │          │        │                   │                │ net/mail                                                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-61725                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

I do see there are still a HIGH Vulnerability, we should be able to tackle that in the upcoming 2.9.1 patch, but the CRITICAL one would be resolved as a part of v2.9.0. Thanks!

[borbediana]

Scan after update looks better.
Thank you.

[Abhinandan-Purkait]

@borbediana v2.9.0 is out now, and the critical vulnerability is fixed now. I will keep this open to track the patch, but either way you can give 2.9.0 a shot.