Vulnerabilities identified by security scanning solution
dvanadrichem-evs opened this issue
The following items came up in our scan report against image mcr.microsoft.com/azure-application-gateway/kubernetes-ingress:1.8.1 (sha256:c11ad8d2fa1fb3cf67fea195c6c2569ee615ac3f6000e05e8fa0f8975379e9c4):
| Package | Current Version | Upgrade To | Vulnerabilities Fixed |
|---|---|---|---|
| stdlib | go1.23.6 | 1.23.8 | CVE-2025-22871 (Critical) |
| glibc | 2.35 | 0:2.35-7.cm2 | CVE-2022-23219 (Critical), CVE-2022-23218 (Critical), CVE-2024-33602 (High), CVE-2024-33601 (High), CVE-2024-33599 (High), CVE-2023-5156 (High), CVE-2023-4911 (High), CVE-2021-43396 (High), CVE-2021-3998 (High), CVE-2021-38604 (High), CVE-2024-33600 (Medium), CVE-2023-4806 (Medium) |
| openssl | 1.1.1k | 0:1.1.1k-31.cm2 | CVE-2022-2068 (Critical), CVE-2022-1292 (Critical), CVE-2021-3711 (Critical), CVE-2024-4741 (High), CVE-2023-0286 (High), CVE-2022-0778 (High), CVE-2021-3712 (High), CVE-2023-3817 (Medium), CVE-2023-3446 (Medium), CVE-2023-2650 (Medium), CVE-2023-0466 (Medium), CVE-2023-0465 (Medium), CVE-2022-2097 (Medium), CVE-2021-4160 (Medium) |
While I am sure you are aware of these, I did not see any issues mentioning them so I figured I'd create one.
Please upgrade the controller to v1.9.1: https://github.com/Azure/application-gateway-kubernetes-ingress/releases/tag/1.9.1
We are using this through the AGIC add-on, and the deployment has label kubernetes.azure.com/managedby: aks. Am I correct in my understanding that this means it will be automatically updated to 1.9.1?
Cluster automatic updates via schedule are also enabled.
Add-on has a separate release process that is a bit slower. I would estimate it to be available in June.
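A defender-side check for the question raised in this thread (is the cluster still running the 1.8.1 image, or has the add-on rolled to 1.9.1?), written as an added example that is not part of the issue or of the AGIC project. It extracts the tag from a container image reference, compares it numerically against the fixed release, and, when `kubectl` is on the path, applies that to whatever deployments carry the `kubernetes.azure.com/managedby=aks` label mentioned above. The `kube-system` namespace and the jsonpath used to pull the image out of the deployment are this example's assumptions, not anything stated in the thread. The same version comparison handles the `go1.23.6` vs `1.23.8` row of the scan table, so it serves both the stdlib finding and the controller-version question.

```shell
# Added example, not the issue reporter's or the AGIC project's code.
# Reports whether a running controller image is older than the release that
# carries the fixes listed in the scan report.

FIXED_VERSION="1.9.1"

# image_tag REF: print the tag of an image reference such as
# mcr.microsoft.com/azure-application-gateway/kubernetes-ingress:1.8.1
# A trailing @sha256:... digest is ignored; a missing tag yields "latest".
image_tag() {
    ref="${1%%@*}"                       # drop a trailing @sha256:... digest
    case "$ref" in
        *:*) tag="${ref##*:}" ;;         # text after the last colon
        *)   tag="" ;;
    esac
    case "$tag" in
        ""|*/*) echo "latest" ;;         # no tag, or the colon was a registry port
        *)      echo "$tag" ;;
    esac
}

# version_lt A B: succeed (exit 0) when dotted version A is strictly older than B.
# Leading "v" or "go" prefixes (as in go1.23.6) are stripped before comparing.
version_lt() {
    a="${1#v}"; a="${a#go}"
    b="${2#v}"; b="${b#go}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"     # head field of each version
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1                              # equal versions are not "older"
}

# needs_upgrade IMAGE_REF: succeed when the image's tag is below FIXED_VERSION.
# A "latest" tag cannot be compared and is treated as needing review (exit 0).
needs_upgrade() {
    tag="$(image_tag "$1")"
    [ "$tag" = "latest" ] && return 0
    version_lt "$tag" "$FIXED_VERSION"
}

# Live check: only runs when kubectl is available. Namespace kube-system and the
# jsonpath are assumptions for this example; the label comes from the thread.
if command -v kubectl >/dev/null 2>&1; then
    running=$(kubectl get deployment -n kube-system \
        -l kubernetes.azure.com/managedby=aks \
        -o jsonpath='{.items[*].spec.template.spec.containers[*].image}')
    for img in $running; do
        if needs_upgrade "$img"; then
            echo "UPGRADE NEEDED: $img (fixed in $FIXED_VERSION)"
        else
            echo "ok: $img"
        fi
    done
fi
```

The comparison is purely numeric on dotted fields, so it is suitable for the controller tags and Go toolchain versions in this report but not for distro package revisions such as `0:2.35-7.cm2`, which carry an epoch and release suffix and should be compared with the package manager's own tooling.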