
[Bug]: Vulnerabilities #2566

Open
Nikhilsree opened this issue May 10, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@Nikhilsree

What happened?

CVE-2022-47629
CVE-2023-44487
CVE-2022-1271
We are receiving the above vulnerabilities for Jaeger due to which we are unable to use this on our production environment

Steps to reproduce

NA

Expected behavior

NA

Relevant log output

No response

Screenshot

No response

Additional context

No response

Jaeger backend version

V 1.57

SDK

No response

Pipeline

No response

Storage backend

No response

Operating system

No response

Deployment model

No response

Deployment configs

No response

@Nikhilsree Nikhilsree added the bug Something isn't working label May 10, 2024
@iblancasa
Collaborator

Can you add a little bit more context? I'm unable to find those vulnerabilities in the current image:

$ trivy i quay.io/jaegertracing/jaeger-operator:1.57.0
2024-05-10T16:35:55.829+0200	INFO	Need to update DB
2024-05-10T16:35:55.829+0200	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2024-05-10T16:35:55.829+0200	INFO	Downloading DB...
46.03 MiB / 46.03 MiB [------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 28.88 MiB p/s 1.8s
2024-05-10T16:35:58.656+0200	INFO	Vulnerability scanning is enabled
2024-05-10T16:35:58.656+0200	INFO	Secret scanning is enabled
2024-05-10T16:35:58.656+0200	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2024-05-10T16:35:58.656+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2024-05-10T16:36:03.613+0200	INFO	Number of language-specific files: 1
2024-05-10T16:36:03.613+0200	INFO	Detecting gobinary vulnerabilities...

jaeger-operator (gobinary)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

@Nikhilsree
Author

Nikhilsree commented May 14, 2024

Hi @iblancasa,
Asset Tertiary Identifier: sha256:af673114f790dd6f87180ef7d224a1be65cb7218f55633752009b3021ac183d1
Labels: org.label-schema.schema-version:1.0,org.label-schema.vendor:CentOS,io.buildah.version:1.31.3,org.label-schema.build-date:20240326,org.label-schema.license:GPLv2,org.label-schema.name:CentOS Stream 9 Base Image
PackageName: libnghttp2, xz-libs, libksba
PackageVersion: 1.43.0-5.el9.1
Threat: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

@Nikhilsree
Author

Any update on this?

@antoniomerlin
Contributor

Screenshot from 2024-10-02 19-41-36

Screenshot from 2024-10-02 19-42-13

@iblancasa
Collaborator

@antoniomerlin Those vulnerabilities reported by trivy, if I'm not wrong, are related to other issues. Not the ones reported in the initial message.
A newer version will fix this.
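The disagreement in this thread comes down to which scan target carries the CVEs: the operator's Go binary (clean in the Trivy run above) versus the OS packages of the base image named in the follow-up (libnghttp2, xz-libs, libksba). The script below is an added example, not code from the Jaeger project or from anyone in this issue. It parses a Trivy JSON report and states, for each watched CVE ID, the target, result class (os-pkgs or lang-pkgs), package and version it was found in, and which watched IDs are absent, so two scans (different image, different Trivy version) can be compared on the same list. The field names it relies on (Results, Target, Class, Type, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) are Trivy's JSON output layout as I know it, stated here as an assumption; the embedded sample report is constructed, and apart from the libnghttp2 version quoted in the thread its versions and the extra CVE ID are placeholders.

```python
"""Locate specific CVE IDs in a Trivy JSON report and say where they sit.

Added example, not code from the Jaeger project or this issue. Assumes Trivy's
JSON layout: a top-level "Results" list whose entries carry "Target", "Class"
("os-pkgs" / "lang-pkgs"), "Type" and a "Vulnerabilities" list of findings with
"VulnerabilityID", "PkgName", "InstalledVersion", "FixedVersion", "Severity".
"""
import json
import sys
from collections import defaultdict

# CVE IDs named in the issue.
WATCHED = {"CVE-2022-47629", "CVE-2023-44487", "CVE-2022-1271"}

# Constructed sample report: an os-pkgs result for a CentOS base image plus a
# clean gobinary result, mirroring the split the thread describes. Only the
# libnghttp2 version comes from the thread; every other version is a placeholder.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "example-image (centos 9)", "Class": "os-pkgs", "Type": "centos",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2023-44487", "PkgName": "libnghttp2",
          "InstalledVersion": "1.43.0-5.el9.1", "FixedVersion": "", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-2022-1271", "PkgName": "xz-libs",
          "InstalledVersion": "0.0-placeholder", "FixedVersion": "0.0-placeholder-fixed",
          "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-2022-47629", "PkgName": "libksba",
          "InstalledVersion": "0.0-placeholder", "FixedVersion": "", "Severity": "CRITICAL"},
         # A finding outside the watch list, with a made-up placeholder ID.
         {"VulnerabilityID": "CVE-1900-0001", "PkgName": "placeholder-pkg",
          "InstalledVersion": "0.0-placeholder", "FixedVersion": "", "Severity": "LOW"},
     ]},
    {"Target": "jaeger-operator", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": []},
]})


def find_watched(report_json: str, watched: set[str]) -> dict[str, list[dict]]:
    """Map each watched CVE ID present in the report to its findings."""
    hits: dict[str, list[dict]] = defaultdict(list)
    report = json.loads(report_json)
    # "Results" and "Vulnerabilities" can be absent or null, so guard both.
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln.get("VulnerabilityID")
            if vid not in watched:
                continue
            hits[vid].append({
                "target": result.get("Target"),
                "class": result.get("Class"),
                "type": result.get("Type"),
                "pkg": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"),
                # Trivy leaves FixedVersion empty when no fixed build is known.
                "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln.get("Severity"),
            })
    return dict(hits)


def not_found(report_json: str, watched: set[str]) -> list[str]:
    """Watched IDs the report does not contain, sorted for stable output."""
    return sorted(watched - set(find_watched(report_json, watched)))


def count_by_class(report_json: str, watched: set[str]) -> dict[str, int]:
    """How many watched findings sit in OS packages versus language packages."""
    counts: dict[str, int] = defaultdict(int)
    for rows in find_watched(report_json, watched).values():
        for row in rows:
            counts[row["class"] or "unknown"] += 1
    return dict(counts)


def render(report_json: str, watched: set[str]) -> str:
    """Human-readable summary: one line per finding, one per absent ID."""
    lines = []
    for vid, rows in sorted(find_watched(report_json, watched).items()):
        for r in rows:
            fix = f"fixed in {r['fixed']}" if r["fixed"] else "no fix version listed"
            lines.append(f"{vid}: {r['pkg']} {r['installed']} in {r['target']} "
                         f"[{r['class']}/{r['type']}] {r['severity']}, {fix}")
    for vid in not_found(report_json, watched):
        lines.append(f"{vid}: not present in this report")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_cves.py [report.json] [CVE-ID ...]; no args runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report_text = fh.read()
        ids = set(sys.argv[2:]) or WATCHED
    else:
        report_text, ids = SAMPLE_REPORT, WATCHED
    print(render(report_text, ids))
```

To run it against a real image, produce the report with `trivy image --format json -o report.json <image>` and pass the file path plus the CVE IDs of interest; when a watched ID lands only under an os-pkgs target, the remediation is a rebuilt base image rather than a change to the Go binary, which is the distinction the thread turns on.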
