replicatedhq/kots

Installed latest version of kotsadm/dex:v2.33.0 but we are seeing the vulnerability "Alpine Linux Security Update for busybox"

chaitutheprince opened this issue · 12 comments

Need to know how to fix this vulnerability, "Alpine Linux Security Update for busybox", for the kotsadm/dex:v2.33.0 image. We have installed the latest image but it is not yet fixed. Need to know where we can check whether this vulnerability is fixed with the latest image pulled.

Vulnerability ID = 502444
Vulnerability name = Alpine Linux Security Update for busybox

Hi @chaitutheprince, that vulnerability (CVE-2022-30065) was present in kotsadm/dex:v2.32.0, but was fixed in this PR and released in kotsadm/dex:v2.33.0. We are currently waiting on upstream fixes to resolve the remaining CVEs for this image.

Thanks @cbodonnell. How do we know this particular vulnerability got fixed with this PR?

We use the trivy security scanner to identify these CVEs in our images. The following command would show you the remaining CRITICAL/HIGH severity vulnerabilities in the kotsadm/dex:v2.33.0 image (which we are waiting on upstream fixes for):

trivy image --format table --ignore-unfixed --severity CRITICAL,HIGH kotsadm/dex:v2.33.0

Thank you @cbodonnell. What is the expected ETA for getting the latest image of kotsadm/dex to fix these vulnerabilities and release it?

Unfortunately, I do not have a clear ETA for this since those CVEs exist in the base dex image ghcr.io/dexidp/dex:v2.33.0 and currently v2.33.0 is the latest release of that project (see here). We regularly monitor CVEs like this and will work to patch this once a new version with the fixes is available. I hope that helps clear things up.

FYI, you can run a scan on that base image with the following:

trivy image --format table --ignore-unfixed --severity CRITICAL,HIGH ghcr.io/dexidp/dex:v2.33.0
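Added example (not code from the kots project or anyone in this thread) showing how to answer "is this CVE still in the image?" from trivy's JSON output instead of reading the table by eye: it re-applies the same --severity and --ignore-unfixed filters as the two commands above and looks up a given ID such as CVE-2022-30065. It assumes trivy's JSON report layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) and runs on a constructed sample report with placeholder CVE-EXAMPLE-* ids rather than a real scan.

```python
import json

# Constructed sample in the shape of `trivy image --format json` output
# (Results[].Vulnerabilities[] with VulnerabilityID, PkgName,
# InstalledVersion, FixedVersion, Severity). Package versions and the
# CVE-EXAMPLE-* ids are illustrative placeholders, not a real scan.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/dex:sample",
    "Results": [{
        "Target": "example/dex:sample (alpine 3.16)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-30065", "PkgName": "busybox",
             "InstalledVersion": "1.35.0-r16", "FixedVersion": "1.35.0-r17",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "zlib",
             "InstalledVersion": "1.2.12-r1", "FixedVersion": "",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libcrypto1.1",
             "InstalledVersion": "1.1.1o-r0", "FixedVersion": "1.1.1q-r0",
             "Severity": "MEDIUM"},
        ],
    }],
})

def findings(report_json, severities=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """Map VulnerabilityID -> (package, installed, fixed) for findings that
    survive the same filters as --severity and --ignore-unfixed."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # no fixed package yet: nothing to upgrade to
            out[v["VulnerabilityID"]] = (v["PkgName"], v["InstalledVersion"],
                                         v["FixedVersion"])
    return out

def cve_status(report_json, cve_id, **filters):
    """('present', (pkg, installed, fixed)) if the CVE is still reported
    under the given filters, else ('absent', None)."""
    hit = findings(report_json, **filters).get(cve_id)
    return ("present", hit) if hit else ("absent", None)

if __name__ == "__main__":
    # Real use: `trivy image --format json <image> > report.json` and pass
    # open("report.json").read() instead of SAMPLE_REPORT.
    for cve in ("CVE-2022-30065", "CVE-EXAMPLE-0001"):
        print(cve, *cve_status(SAMPLE_REPORT, cve))
```

Note that an unfixed CVE is hidden by --ignore-unfixed, so a clean table does not mean the image is free of it; pass ignore_unfixed=False to see what is still waiting on an upstream fix.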

@chaitutheprince A quick update... I checked the source code for the dex project and it appears they have fixed the remaining CVEs, but have not yet released a new image. Once they release it, we should be able to pull it in to our image to resolve these vulnerabilities.

Thanks for your support @cbodonnell. Please let me know when the latest version is released.

@cbodonnell - Any update on releasing the new version of kotsadm/dex which includes the "Alpine Linux Security Update for busybox" vulnerability fix? We have an s360 vulnerability with a due date of today.

Can anyone confirm for us that version 1.83 has the above vulnerability fix?

@chaitutheprince, that vulnerability (CVE-2022-30065) was fixed in kotsadm/dex:v2.33.0 and KOTS 1.83.0 uses that version. Let me know if there is anything else that we can help you out with. Thanks!

Hi @cbodonnell

We see it still exists after deploying the 1.83 version. We deployed on Friday, the scan ran today, and the dex image is listed as vulnerable. You can check the SHA value of the image which is in our system now. Can you suggest?

vulner

Hi @chaitutheprince, we are waiting on an upstream release of the dex project in order to resolve the zlib CVE. The busybox CVE was fixed in v2.33.0 and is no longer showing up in our trivy scans.