[Bug][CVE] CVE-2024-3094 — vulnerable xz version in dependency tree
lonelyelk opened this issue
Kubecost Helm Chart Version
v2.2.0
Kubernetes Version
all
Kubernetes Platform
EKS
Description
In release v2.2.0 the image of kubecost-modeling was bumped to v0.1.5, which has a dependency on xz v5.6.1. According to CVE-2024-3094, all versions starting from v5.6.0 are vulnerable.
Steps to reproduce
Just check the version:
docker run --rm --entrypoint xz public.ecr.aws/kubecost/kubecost-modeling:v0.1.5 --version
It outputs:
xz (XZ Utils) 5.6.1
liblzma 5.6.1
Expected behavior
At this moment — downgrading to xz v5.4.6
Impact
NIST lists it as critical, but the actual exploitability was not checked. It all depends on whether sshd is linked to liblzma, whether there is an sshd at all, and so on. And I was not able to check that for the image. The main impact is for all the security tools that check the dependency tree. They will always have an alert on this version.
Troubleshooting
- I have read and followed the issue guidelines and this is a bug impacting only the Helm chart.
- I have searched other issues in this repository and mine is not recorded.
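As an added example, not part of the issue or of the Kubecost project, here is a small POSIX shell check that parses the xz --version output quoted above and flags the two releases that actually shipped with the CVE-2024-3094 backdoor (5.6.0 and 5.6.1; 5.6.2 and the 5.4.x line are clean). The docker image name, the function names and the sample output are assumptions; the sample is constructed to match the output the reporter pasted.

```shell
#!/bin/sh
# Added example, not part of the issue or of Kubecost: parse `xz --version`
# output and flag the CVE-2024-3094 releases (5.6.0 and 5.6.1 were shipped
# with the backdoor; 5.6.2 and the 5.4.x line were not).

# Turn "X.Y.Z" into one comparable integer, e.g. 5.6.1 -> 5006001.
version_key() {
    printf '%s' "$1" | awk -F. '{ printf "%d%03d%03d", $1, $2, $3 }'
}

# Read `xz --version` output on stdin and print the XZ Utils version.
xz_version_from_output() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when the version is one of the affected releases.
xz_version_affected() {
    v=$(version_key "$1")
    [ "$v" -ge "$(version_key 5.6.0)" ] && [ "$v" -le "$(version_key 5.6.1)" ]
}

# Run an image's xz binary and classify it (needs docker; not used by tests).
# Exit 0 = affected, 1 = not affected, 2 = could not determine.
check_image_xz() {
    out=$(docker run --rm --entrypoint xz "$1" --version 2>/dev/null) || return 2
    ver=$(printf '%s\n' "$out" | xz_version_from_output)
    [ -n "$ver" ] || return 2
    if xz_version_affected "$ver"; then
        echo "$1: xz $ver is affected by CVE-2024-3094"; return 0
    fi
    echo "$1: xz $ver is outside the affected range"; return 1
}

# The issue's caveat: the backdoor only matters if an sshd loads liblzma.
# Reports whether the host's sshd links it (needs ldd; not used by tests).
sshd_links_liblzma() {
    sshd=$(command -v sshd) || return 2
    ldd "$sshd" 2>/dev/null | grep -q 'liblzma'
}

# Constructed sample equal to the output quoted in the issue.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
```

Run check_image_xz with an image reference to classify that image's xz, and sshd_links_liblzma on a host to see whether the reporter's exploitability precondition even holds there.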
@lonelyelk Thank you for submitting this. I'm looking into this today and will get a response and update asap.
@lonelyelk gcr.io/kubecost-modeling:v0.1.6 is updated with the latest base image that resolves this. Helm is updated and those PRs are linked. I have this in patch RCs: 2.1.2-rc.3 and 2.2.1-rc.1 are both available with this fix. We should release the full releases early next week.
Thank you again for reporting this.