kubernetes-sigs/aws-ebs-csi-driver

Bump helm charts sidecars versions to resolve CVEs

yash-acquia opened this issue · 3 comments

/kind bug

What happened?
A scan detected the following CVEs:
CVE-2023-45288

What you expected to happen?
Update sidecar versions in the helm chart:

  • livenessProbe: v2.13.0
  • nodeDriverRegistrar: v2.11.0
  • csiProvisioner: v5.0.1
  • csiAttacher: v4.6.1
  • csiResizer: v1.11.1

Updating the above sidecars will fix CVE-2023-45288.

Vulnerability_id | Package Name     | Vulnerable Version | Fixed Version | Type
CVE-2023-45288   | golang.org/x/net | v0.18.0            | v0.23.0       | gobinary

Environment

  • Driver version: v1.30.0

We regularly bump the sidecars (and other dependencies) of the EBS CSI Driver during our monthly release. Because this is only a medium-severity CVE, and there is no reason to believe, or evidence, that it is exploitable under normal conditions, we will not be doing an out-of-band release for CVE-2023-45288 at this time.

If you wish to bump the sidecar versions yourself, the chart includes the ability to customize the tag and repository of the sidecar containers.
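
As an added example (not part of this thread or the driver project), the check below reads the controller Deployment's container list, as returned by `kubectl get deploy ebs-csi-controller -o json`, and reports any sidecar whose tag is below the versions listed in the issue. The container names and the sample JSON are assumptions constructed for the example; confirm the names against your own pods.

```python
import json
import re

# Minimum sidecar tags named in the issue as carrying the golang.org/x/net fix
# for CVE-2023-45288, keyed by container name (names assumed for the example).
MIN_SIDECAR_TAG = {
    "liveness-probe": "v2.13.0",
    "node-driver-registrar": "v2.11.0",
    "csi-provisioner": "v5.0.1",
    "csi-attacher": "v4.6.1",
    "csi-resizer": "v1.11.1",
}

# Constructed sample shaped like `kubectl get deploy ebs-csi-controller -o json`,
# trimmed to the fields used here, with a mix of patched and unpatched tags.
SAMPLE_DEPLOYMENT_JSON = json.dumps({"spec": {"template": {"spec": {"containers": [
    {"name": "ebs-plugin", "image": "public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.30.0"},
    {"name": "csi-provisioner", "image": "public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v4.0.1-eks-1-29-5"},
    {"name": "csi-attacher", "image": "public.ecr.aws/eks-distro/kubernetes-csi/external-attacher:v4.6.1-eks-1-30-4"},
    {"name": "csi-resizer", "image": "registry.k8s.io/sig-storage/csi-resizer:v1.10.0"},
    {"name": "liveness-probe", "image": "registry.k8s.io/sig-storage/livenessprobe:v2.13.0"},
]}}}})


def parse_version(tag):
    """Return (major, minor, patch) from a tag such as v4.0.1 or v4.0.1-eks-1-29-5, else None."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag or "")
    return tuple(int(x) for x in m.groups()) if m else None


def image_tag(image):
    """Extract the tag from an image reference; digest-pinned references carry no tag."""
    last = image.rsplit("/", 1)[-1]  # strip the path so a registry:port prefix is not mistaken for a tag
    if "@" in last:
        return None
    return last.split(":", 1)[1] if ":" in last else "latest"


def outdated_sidecars(deployment_json, minimums=MIN_SIDECAR_TAG):
    """Return [(container, running_tag, minimum_tag)] for every listed sidecar below its minimum."""
    containers = json.loads(deployment_json)["spec"]["template"]["spec"]["containers"]
    findings = []
    for c in containers:
        name = c["name"]
        if name not in minimums:
            continue  # the driver container itself and unlisted sidecars are out of scope
        tag = image_tag(c["image"])
        running, required = parse_version(tag), parse_version(minimums[name])
        # A digest-only or non-semver tag cannot be proven patched, so it is reported too.
        if running is None or running < required:
            findings.append((name, tag or "(digest-pinned)", minimums[name]))
    return findings


if __name__ == "__main__":
    for name, running, required in outdated_sidecars(SAMPLE_DEPLOYMENT_JSON):
        print(f"{name}: running {running}, need at least {required}")
```

The node DaemonSet carries `node-driver-registrar`, so run the same check against `kubectl get ds ebs-csi-node -o json` to cover it.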

This issue has been addressed in driver release v1.32.0
/close

@torredil: Closing this issue.
