
Bump helm charts sidecars versions to resolve CVEs #1365

Open
yash-acquia opened this issue Jun 6, 2024 · 3 comments · May be fixed by #1373
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

yash-acquia commented Jun 6, 2024

/kind bug

What happened?
A scan detected the following CVEs:
CVE-2023-45288
CVE-2023-5528
CVE-2024-24786

What you expected to happen?
Update sidecar versions in the helm chart:

  • livenessProbe: v2.13.0
  • nodeDriverRegistrar: v2.11.0
  • csiProvisioner: v5.0.1

Updating the above sidecars will fix CVE-2023-45288 and CVE-2024-24786.

| Vulnerability_id | Package Name | Vulnerable Version | Fixed Version | Type |
|---|---|---|---|---|
| CVE-2023-45288 | golang.org/x/net | v0.18.0 | v0.23.0 | gobinary |
| CVE-2024-24786 | google.golang.org/protobuf | v1.31.0 | 1.33.0 | gobinary |

and update the k8s.io/kubernetes version as well.

| Vulnerability_id | Package Name | Vulnerable Version | Fixed Version | Type | Severity |
|---|---|---|---|---|---|
| CVE-2023-5528 | k8s.io/kubernetes | v1.26.10 | 1.28.4, 1.27.8, 1.26.11, 1.25.16 | gobinary | HIGH |

Environment

  • Driver version: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver:v2.0.3
  • Kubernetes version (use kubectl version): v1.28.9-eks
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 6, 2024
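The scanner finding above boils down to comparing the module versions compiled into a Go binary against the fixed versions in the two tables. The following is an added example, not code from the issue or from the aws-efs-csi-driver project: it parses `go version -m` style output (the sample listing and its `h1:` hashes are constructed) and flags the three CVEs from the tables. For k8s.io/kubernetes, where the fix landed on several release branches, it compares against the fix on the same minor branch; the treatment of versions with no fix listed on their branch is an assumption.

```python
import re

# Fixed versions taken from the tables in this issue (CVE -> list of fixes).
FIXED = {
    "golang.org/x/net": {"CVE-2023-45288": ["v0.23.0"]},
    "google.golang.org/protobuf": {"CVE-2024-24786": ["v1.33.0"]},
    "k8s.io/kubernetes": {
        "CVE-2023-5528": ["v1.28.4", "v1.27.8", "v1.26.11", "v1.25.16"]},
}

def parse_version(v):
    """'v1.26.10' -> (1, 26, 10); a leading 'v' and any suffix are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(found, fixes):
    """True if the found version is below the applicable fixed version."""
    f = parse_version(found)
    same_branch = [parse_version(x) for x in fixes
                   if parse_version(x)[:2] == f[:2]]
    if same_branch:            # a fix exists on this major.minor branch
        return f < min(same_branch)
    # Assumption: with no fix on this branch, anything below the lowest
    # fixed version predates every fix and is treated as vulnerable.
    return f < min(parse_version(x) for x in fixes)

def parse_go_modules(text):
    """{module: version} from `go version -m` output ('mod'/'dep' lines only)."""
    mods = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) >= 3 and parts[0] in ("dep", "mod"):
            mods[parts[1]] = parts[2]
    return mods

def scan(text):
    """Return sorted (cve, module, found_version, fixes) tuples."""
    findings = []
    for module, found in parse_go_modules(text).items():
        for cve, fixes in FIXED.get(module, {}).items():
            if found != "(devel)" and is_vulnerable(found, fixes):
                findings.append((cve, module, found, fixes))
    return sorted(findings)

# Constructed sample listing; the versions match the issue's tables.
SAMPLE = """example-binary: go1.21.5
\tpath\texample.com/example-binary
\tmod\texample.com/example-binary\t(devel)
\tdep\tgolang.org/x/net\tv0.18.0\th1:CONSTRUCTED
\tdep\tgoogle.golang.org/protobuf\tv1.31.0\th1:CONSTRUCTED
\tdep\tk8s.io/kubernetes\tv1.26.10\th1:CONSTRUCTED
"""

if __name__ == "__main__":
    for cve, module, found, fixes in scan(SAMPLE):
        print(f"{cve}: {module} {found} (fixed in {', '.join(fixes)})")
```

Run it against a real binary with `go version -m <path-to-binary> | python3 check.py` after replacing `SAMPLE` with `sys.stdin.read()`; a rebuilt image with the bumped sidecars should report nothing.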
omerap12 commented Jun 9, 2024

I'll take this.
/assign

mskanth972 (Contributor) commented

Updated the above PR with the latest information; an ECD of June 19 was given to merge it.
#1373 (comment)

yash-acquia (Author) commented

Hey, just a reminder, there is CVE-2023-5528: k8s.io/kubernetes, which is a high-severity vulnerability. Please try to fix that as well; otherwise, the scan will fail. Thanks!
