
Bump version of opentelemetry-operator to remediate various Security vulnerabilities #3862

Open
lreed-mdsol opened this issue Oct 28, 2024 · 1 comment
Labels
bug Something isn't working

Comments


lreed-mdsol commented Oct 28, 2024

The latest release of sumologic-kubernetes-collection, when using Helm charts, still includes a number of CVEs in dependencies.
https://github.com/SumoLogic/sumologic-kubernetes-collection/blob/release-v4.11/deploy/helm/sumologic/Chart.yaml

  - name: opentelemetry-operator
    version: 0.56.1

#3777 was the last time opentelemetry-operator was updated.

E.g.
opentelemetry-operator:v0.98.0

Scan results for: image ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator:v0.98.0 sha256:fb3a9fb09141972af3213e9805fc2f19cbb437843c348324b742f37dac2d22a4
Vulnerabilities
+----------------+----------+------+--------------------------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
|      CVE       | SEVERITY | CVSS |                     PACKAGE                      | VERSION |          STATUS          | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+----------------+----------+------+--------------------------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip                                        | 1.21.9  | fixed in 1.21.11, 1.22.4 | > 4 months | < 1 hour   | The various Is methods (IsPrivate, IsLoopback,     |
|                |          |      |

target-allocator:0.98.0

Scan results for: image ghcr.io/open-telemetry/opentelemetry-operator/target-allocator:0.98.0 sha256:d08d670f5d90785b0132b5d581f6647de9cf6fe1bc1229c26689ef9a60c51613
Vulnerabilities
+------------------+----------+------+--------------------------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                     PACKAGE                      | VERSION |          STATUS          | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+--------------------------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24790   | critical | 9.80 | net/netip                                        | 1.21.9  | fixed in 1.21.11, 1.22.4 | > 4 months | < 1 hour   | The various Is methods (IsPrivate, IsLoopback,     |
|                  |          |      |                                                  |         | > 4 months ago           |            |            | etc) did not work as expected for IPv4-mapped IPv6 |
|                  |          |      |                                                  |         |                          |            |            | addresses, returning false for addresses which     |
|                  |          |      |                                                  |         |                          |            |            | would...                                           |
+------------------+----------+------+--------------------------------------------------+---------+--------------------------+------------+------------+----------------------------------------------------+

quay.io/brancz/kube-rbac-proxy:v0.15.0

Scan results for: image quay.io/brancz/kube-rbac-proxy:v0.15.0 sha256:e56d15bd61cf8d5b85b5825b2c3a26c8b9459c0240e8376d9ea14c064d58693e
Vulnerabilities
+----------------+----------+------+-----------------------------------------------------------------------------+---------+---------------------------------+-------------+------------+----------------------------------------------------+
|      CVE       | SEVERITY | CVSS |                                   PACKAGE                                   | VERSION |             STATUS              |  PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+----------------+----------+------+-----------------------------------------------------------------------------+---------+---------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip                                                                   | 1.21.3  | fixed in 1.21.11, 1.22.4        | > 4 months  | < 1 hour   | The various Is methods (IsPrivate, IsLoopback,     |
|                |          |      |                                                                             |         | > 4 months ago                  |             |            | etc) did not work as expected for IPv4-mapped IPv6 |
|                |          |      |                                                                             |         |                                 |             |            | addresses, returning false for addresses which     |
|                |          |      |                                                                             |         |                                 |             |            | would...                                           |
+----------------+----------+------+-----------------------------------------------------------------------------+---------+---------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-47108 | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.20.0 | fixed in 0.46.0                 | > 11 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                |          |      |                                                                             |         | > 11 months ago                 |             |            | third-party packages for OpenTelemetry-Go.         |
|                |          |      |                                                                             |         |                                 |             |            | Prior to version 0.46.0, the grpc Unary Server     |
|                |          |      |                                                                             |         |                                 |             |            | Interceptor out ...                                |
+----------------+----------+------+-----------------------------------------------------------------------------+---------+---------------------------------+-------------+------------+----------------------------------------------------+

These issues are fixed in https://github.com/open-telemetry/opentelemetry-helm-charts/releases/tag/opentelemetry-operator-0.71.2+
This updates to
opentelemetry-operator => 0.110.0
Scan results for: image ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator:v0.110.0 sha256:7f415c5c0c442fcd065d5b1293ba2349c817ed12a6a89db6b2d19ca422244b9c

Vulnerabilities found for image ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator:v0.110.0: total - 0, critical - 0, high - 0, medium - 0, low - 0

kube-rbac-proxy => 0.18.1

Scan results for: image quay.io/brancz/kube-rbac-proxy:v0.18.0 sha256:f11dcab913758ac5cdfdfb4c8209b0d1fd7bf3d22896e8b0e19518bea357de36
Vulnerabilities

Vulnerabilities found for image quay.io/brancz/kube-rbac-proxy:v0.18.0: total - 2, critical - 0, high - 0, medium - 1, low - 1
Vulnerability threshold check results: PASS

Also see the dependabot PR #3859
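The CVE-2024-24790 finding that recurs in the scan output above concerns net/netip's Is* methods returning false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d). As an added illustration, not part of this issue or of the operator's code, the Go snippet below compares the naive check with one that calls Unmap() before classifying, which yields the same answer for both spellings of an IPv4 address regardless of toolchain version; the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isPrivateOrLoopback reports whether addr is a private or loopback address.
// It unmaps IPv4-mapped IPv6 addresses first, so "10.0.0.1" and
// "::ffff:10.0.0.1" classify identically. Before Go 1.21.11 / 1.22.4
// (CVE-2024-24790) the Is* methods returned false for the mapped form;
// normalising with Unmap() removes that dependence on the toolchain version.
func isPrivateOrLoopback(addr netip.Addr) bool {
	a := addr.Unmap()
	return a.IsPrivate() || a.IsLoopback()
}

// classify parses s and returns the result of the naive check (Is* called
// directly on the parsed address) next to the hardened one, so the two can
// be compared for the same input.
func classify(s string) (naive bool, hardened bool, err error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false, false, err
	}
	naive = addr.IsPrivate() || addr.IsLoopback()
	hardened = isPrivateOrLoopback(addr)
	return naive, hardened, nil
}

func main() {
	// Constructed inputs: plain IPv4, its IPv4-mapped IPv6 form, a mapped
	// loopback address, and a public address for contrast.
	for _, s := range []string{"10.0.0.1", "::ffff:10.0.0.1", "::ffff:127.0.0.1", "8.8.8.8"} {
		naive, hardened, err := classify(s)
		if err != nil {
			fmt.Println(s, "parse error:", err)
			continue
		}
		fmt.Printf("%-18s naive=%-5v hardened=%v\n", s, naive, hardened)
	}
}
```

On a patched toolchain both columns agree; on an affected one the naive column reads false for the mapped addresses while the hardened column still reads true.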
