Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ingress-NGINX controller v1.3.0 images: getting flagged as critical vulnerable images #9004

Closed
sooryaveeravalli opened this issue Sep 1, 2022 · 6 comments
Closed

Ingress-NGINX controller v1.3.0 images: getting flagged as critical vulnerable images #9004

sooryaveeravalli opened this issue Sep 1, 2022 · 6 comments
Assignees
@strongjz @rikatz
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@sooryaveeravalli
Copy link

What scanner and version reported the CVE?
Vulnerability Scanning and Analytics / SHA Intel team reported this on our s360 dashboard under vulnerability management.

What CVE was reported in the scanner findings?
image
We got tagged for vulnerability names 'Alpine Linux Security Update for libxml2' and 'Alpine Linux Security Update for zlib' , please check the attached image for more details.

What versions of the controller did you test with?
We are already using the latest v1.3.0 Ingress-NGINX controller version.

Please provider other details that will help us determine the severity of the issue
Our services are getting marked as 'red' in SHA for vulnerability management, so please let us know when will a new version be released, so that we can communicate with the KPI owners to exclude us until then.
@sooryaveeravalli sooryaveeravalli added the kind/bug Categorizes issue or PR as related to a bug. label Sep 1, 2022
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Sep 1, 2022
@k8s-ci-robot
Copy link
Contributor

@sooryaveeravalli: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@longwuyuan
Copy link
Contributor

Fix for those CVE has merged.
Release with fixes/patches for the mentioned CVEs is expected to be GA by 4th ot 5th of September, 2022

@tshaiman
Copy link

tshaiman commented Sep 5, 2022

tag in the new Helm chart (4.2.4 ) is still
tag: "v1.3.0"

@longwuyuan
Copy link
Contributor

Its being fixed in #9023
The image and its sha is visible in the static manifests though. Under the deploy directory. Please check against that and close this issue or update fresh results. Thank a lot for reporting this.

@strongjz
Copy link
Member

strongjz commented Sep 6, 2022

These CVE are resolved in the 1.3.1 release.

/close

@k8s-ci-robot
Copy link
Contributor

@strongjz: Closing this issue.

In response to this:

These CVE are resolved in the 1.3.1 release.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@strongjz strongjz

@rikatz rikatz

Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@tshaiman @strongjz @longwuyuan @rikatz @k8s-ci-robot @sooryaveeravalli