
Fix CVE-2023-44487, CVE-2023-39325 and CVE-2023-3978 #44

Merged
merged 1 commit into from
Oct 24, 2023

Conversation


@wallrj wallrj commented Oct 24, 2023

  • I ran trivy on the existing repo and observed the CVE vulnerability
  • Ran go get golang.org/x/[email protected] && go mod tidy && go vet ./...

Before

$ trivy repository .
2023-10-24T09:46:09.142+0100    INFO    Vulnerability scanning is enabled
2023-10-24T09:46:09.142+0100    INFO    Secret scanning is enabled
2023-10-24T09:46:09.142+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-24T09:46:09.142+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-10-24T09:46:10.756+0100    INFO    Number of language-specific files: 1
2023-10-24T09:46:10.756+0100    INFO    Detecting gomod vulnerabilities...

go.mod (gomod)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ MEDIUM   │ fixed  │ 0.10.0            │ 0.17.0        │ rapid stream resets can cause excessive work                 │
│                  │                │          │        │                   │               │ (CVE-2023-44487)                                             │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                  ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-3978  │          │        │                   │ 0.13.0        │ Cross site scripting                                         │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                  ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-44487 │          │        │                   │ 0.17.0        │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                  │                │          │        │                   │               │ attack (Rapid...                                             │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
...

After

$ trivy repository .
2023-10-24T09:47:03.422+0100    INFO    Vulnerability scanning is enabled
2023-10-24T09:47:03.422+0100    INFO    Secret scanning is enabled
2023-10-24T09:47:03.422+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-24T09:47:03.422+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-10-24T09:47:05.117+0100    INFO    Number of language-specific files: 1
2023-10-24T09:47:05.117+0100    INFO    Detecting gomod vulnerabilities...

go mod tidy

Signed-off-by: Richard Wall <[email protected]>
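As an added example (not code from this PR or from the cert-manager project), a small Go checker that does for golang.org/x/net what the trivy run above reports: it pulls the required version out of go.mod text and lists which of the three CVEs that version still leaves unfixed, using the fixed versions from the table. The go.mod excerpt, the module path example.com/app and all function names are constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

var xnetFixes = []struct{ cve, fixed string }{ // first fixed x/net version per CVE, from the trivy table above
	{"CVE-2023-3978", "v0.13.0"}, {"CVE-2023-39325", "v0.17.0"}, {"CVE-2023-44487", "v0.17.0"},
}
// semverKey maps "vMAJOR.MINOR.PATCH" to one comparable int; a -pre or +build suffix is ignored.
func semverKey(v string) (int, error) {
	var a, b, c int
	_, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &a, &b, &c)
	return a*1_000_000 + b*1_000 + c, err
}
// xnetVersion returns the golang.org/x/net version a go.mod requires ("" if absent) from the one-line or the block form of require; replace and exclude blocks are skipped.
func xnetVersion(gomod string) string {
	block := ""
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasSuffix(line, "("), line == ")": // enter or leave a require/replace/exclude block
			block = strings.TrimSpace(strings.Trim(line, "()"))
		case block == "require" || strings.HasPrefix(line, "require "):
			f := strings.Fields(strings.TrimPrefix(line, "require "))
			if len(f) >= 2 && f[0] == "golang.org/x/net" { // a trailing "// indirect" comes after f[1]
				return f[1]
			}
		}
	}
	return ""
}

// unfixedCVEs lists the CVEs from xnetFixes that x/net at this version does not fix; "" or a malformed version is an error.
func unfixedCVEs(version string) ([]string, error) {
	have, err := semverKey(version)
	var out []string
	for _, fx := range xnetFixes {
		if need, _ := semverKey(fx.fixed); err == nil && have < need {
			out = append(out, fx.cve)
		}
	}
	return out, err
}

func main() { // constructed go.mod excerpt in this PR's "Before" state; in practice read the real file
	cves, err := unfixedCVEs(xnetVersion("module example.com/app\ngo 1.20\nrequire (\n\tgolang.org/x/net v0.10.0 // indirect\n)\n"))
	fmt.Println(cves, err) // [CVE-2023-3978 CVE-2023-39325 CVE-2023-44487] <nil>
}
```

Pointing xnetVersion at the real go.mod reproduces the Before/After split above: v0.10.0 reports all three CVEs, v0.17.0 reports none.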
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 24, 2023
@wallrj wallrj requested a review from maelvls October 24, 2023 11:04

maelvls commented Oct 24, 2023

I can see that the images are built with the Go version 1.20, so that's good.

/lgtm
/approve

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Oct 24, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maelvls

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 24, 2023
@jetstack-bot jetstack-bot merged commit a15c162 into cert-manager:main Oct 24, 2023
4 checks passed
@wallrj wallrj deleted the cve-fixes branch October 24, 2023 11:08

wallrj commented Oct 24, 2023

Verified that the image can be built and that cert-manager tests still pass:
