kubecost / cost-analyzer-helm-chart

Kubecost helm chart

Home Page:http://kubecost.com/install

[Bug][CVE] CVE-2024-3094 — vulnerable xz version in dependency tree

lonelyelk opened this issue · comments

Kubecost Helm Chart Version

v2.2.0

Kubernetes Version

all

Kubernetes Platform

EKS

Description

In release v2.2.0 the image of kubecost-modeling was bumped to v0.1.5, which has a dependency on xz v5.6.1. According to CVE-2024-3094, all versions starting at v5.6.0 are vulnerable.

Steps to reproduce

Just check the version: docker run --rm --entrypoint xz public.ecr.aws/kubecost/kubecost-modeling:v0.1.5 --version. It outputs:

xz (XZ Utils) 5.6.1
liblzma 5.6.1

Expected behavior

At this moment — downgrading to xz v5.4.6

Impact

NIST lists it as critical, but the actual exploitability was not checked. It all depends on whether sshd is linked to liblzma, whether there is an sshd at all, and so on. And I was not able to check that for the image. The main impact is for all the security tools that check the dependency tree. They will always have an alert on this version.

Screenshots

No response

Logs

No response

Slack discussion

No response

Troubleshooting

  • I have read and followed the issue guidelines and this is a bug impacting only the Helm chart.
  • I have searched other issues in this repository and mine is not recorded.
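The version check from the reproduction steps, turned into a small script a defender can run across images and hosts, as an added example (not code from the reporter or from the Kubecost project). It parses the `xz --version` output shown above, flags the 5.6.0 and 5.6.1 builds that CVE-2024-3094 covers, and adds the `ldd`-based liblzma-in-sshd check that the impact section says decides real exploitability. The image name and the sshd path are assumptions; the sample output is constructed to match the issue.

```shell
#!/bin/sh
# Defensive check for CVE-2024-3094 (backdoored xz/liblzma 5.6.0 and 5.6.1).
# Added example; image name and sshd path below are assumptions.

# Extract the XZ Utils version number from `xz --version` output.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when the version is one of the two backdoored releases.
is_xz_version_vulnerable() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Run the same command as the issue's reproduction step against an image
# and report the xz version it ships. Requires docker; image is an argument.
check_image_xz() {
    image="$1"
    out=$(docker run --rm --entrypoint xz "$image" --version 2>/dev/null) || {
        echo "$image: xz not found or image not runnable"
        return 2
    }
    ver=$(xz_version_from_output "$out")
    if is_xz_version_vulnerable "$ver"; then
        echo "$image: xz $ver is affected by CVE-2024-3094"
        return 1
    fi
    echo "$image: xz $ver not affected"
    return 0
}

# On a host, the backdoor only matters if sshd links liblzma (directly or
# via libsystemd). Path to sshd is an assumption; adjust for your distro.
sshd_links_liblzma() {
    sshd_bin="${1:-/usr/sbin/sshd}"
    [ -x "$sshd_bin" ] || return 2
    ldd "$sshd_bin" 2>/dev/null | grep -q 'liblzma'
}

# Constructed sample: the exact output the issue reports for v0.1.5.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

sample_ver=$(xz_version_from_output "$SAMPLE_OUTPUT")
if is_xz_version_vulnerable "$sample_ver"; then
    echo "sample output: xz $sample_ver flagged (CVE-2024-3094)"
else
    echo "sample output: xz $sample_ver not flagged"
fi
# To check a real image: check_image_xz public.ecr.aws/kubecost/kubecost-modeling:v0.1.5
```

`check_image_xz` returns 1 for an affected image and 2 when xz is absent or the image cannot be run, so it can be looped over a list of images in CI and the exit status used as a gate. `sshd_links_liblzma` is the host-side complement: if it returns non-zero on the nodes, the dependency-scanner alert is about the package version, not about a reachable backdoor.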

@lonelyelk Thank you for submitting this. I'm looking into this today and will get a response and update asap.

@lonelyelk gcr.io/kubecost-modeling:v0.1.6 is updated with the latest base image that resolves this. Helm is updated and those PRs are linked. I have this in patch RCs; 2.1.2-rc.3 and 2.2.1-rc.1 are both available with this fix. We should release the full releases early next week.

Thank you again for reporting this.