Security Vulnerabilities #5850

Closed
squarerootwik opened this issue Sep 8, 2022 · 4 comments
Labels: cluster-autoscaler, solved, stale (15 days without activity), tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments

@squarerootwik

Name and Version

bitnami/cluster-autoscaler:1.25.0

What steps will reproduce the bug?

Vulnerabilities scanned by PRISMA tool

What is the expected behavior?

No response

What do you see instead?

| Component | Version | Vulnerability | Severity |
|---|---|---|---|
| ncurses | 6.2+20201114-2 | CVE-2022-29458 | low |
| openssl | 1.1.1n-0+deb11u3 | CVE-2022-2097 | low |
| pcre2 | 10.36-2 | CVE-2022-1587 | low |
| pcre2 | 10.36-2 | CVE-2022-1586 | low |
| e2fsprogs | 1.46.2-2 | CVE-2022-1304 | low |
| glibc | 2.31-13+deb11u3 | CVE-2021-3999 | low |
| libsepol | 3.1-1 | CVE-2021-36087 | low |
| libsepol | 3.1-1 | CVE-2021-36086 | low |
| libsepol | 3.1-1 | CVE-2021-36085 | low |
| libsepol | 3.1-1 | CVE-2021-36084 | low |
| libgcrypt20 | 1.8.7-6 | CVE-2021-33560 | low |
| db5.3 | 5.3.28+dfsg1-0.8 | CVE-2019-8457 | low |
| curl | 7.74.0-1.3+deb11u2 | CVE-2022-35252 | low |
| perl | 5.32.1-4+deb11u2 | CVE-2020-16156 | low |
| coreutils | 8.32-4 | CVE-2016-2781 | low |
| github.com/aws/aws-sdk-go | | PRISMA-2022-0164, PRISMA-2022-0227, PRISMA-2022-0270 | medium |

Additional information

No response

@squarerootwik squarerootwik added the tech-issues The user has a technical issue about an application label Sep 8, 2022
@github-actions github-actions bot added the triage Triage is needed label Sep 8, 2022
@carrodher (Member)

Hi, unfortunately, those security vulnerabilities are not fixed by the OS or the application itself, so although we build the images on a regular basis to provide the latest version of system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS or the application.

At this moment there is no fixable vulnerability in the container image:

```console
$ trivy image --ignore-unfixed bitnami/cluster-autoscaler:1.25.0
2022-09-09T08:02:09.990Z	INFO	Vulnerability scanning is enabled
2022-09-09T08:02:09.990Z	INFO	Secret scanning is enabled
2022-09-09T08:02:09.990Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-09T08:02:09.990Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.31.2/docs/secret/scanning/#recommendation for faster secret detection
2022-09-09T08:02:16.848Z	INFO	Detected OS: debian
2022-09-09T08:02:16.848Z	INFO	Detecting Debian vulnerabilities...
2022-09-09T08:02:16.861Z	INFO	Number of language-specific files: 1
2022-09-09T08:02:16.861Z	INFO	Detecting gobinary vulnerabilities...

bitnami/cluster-autoscaler:1.25.0 (debian 11.4)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

The Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04, 20.04 & 22.04, or custom golden image) through the VMware Tanzu Application Catalog.
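An added example (not code from this issue, from Bitnami or from Trivy) of the triage the maintainer's reply relies on: a Trivy `--format json` report is split into findings that carry a `FixedVersion` and findings that do not, which is the distinction `--ignore-unfixed` applies when it reports a total of 0. The unfixed package names, versions and CVE ids are taken from the issue; the fixable entry, the second target and the function names are assumptions made for the example.

```python
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy image --format json` output.
# The two unfixed rows mirror packages/CVEs from the issue; the fixable row
# and the second target are hypothetical, added only to exercise each branch.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "bitnami/cluster-autoscaler:1.25.0",
    "Results": [
        {"Target": "bitnami/cluster-autoscaler:1.25.0 (debian 11.4)",
         "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-29458", "PkgName": "ncurses",
              "InstalledVersion": "6.2+20201114-2", "Severity": "LOW"},
             {"VulnerabilityID": "CVE-2022-2097", "PkgName": "openssl",
              "InstalledVersion": "1.1.1n-0+deb11u3", "Severity": "LOW"},
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "examplepkg",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
              "Severity": "HIGH"}]},
        # Trivy emits null (or omits the key) when a target has no findings.
        {"Target": "example-go-binary", "Class": "lang-pkgs",
         "Type": "gobinary", "Vulnerabilities": None}]})


def triage(report_json):
    """Split findings into fixable (FixedVersion present) and unfixed.
    The fixable list is what --ignore-unfixed keeps; the unfixed list is
    what it drops, returned here so it can still be recorded."""
    fixable, unfixed = [], []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            entry = {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                     "installed": v.get("InstalledVersion", ""),
                     "fixed": v.get("FixedVersion", ""),
                     "severity": v.get("Severity", "UNKNOWN").upper()}
            (fixable if entry["fixed"] else unfixed).append(entry)
    counts = Counter(e["severity"] for e in fixable)
    return {"fixable": fixable, "unfixed": unfixed,
            "fixable_by_severity": dict(counts)}


def should_block(triaged, threshold="HIGH"):
    """True if any fixable finding is at or above the severity threshold.
    Unfixed findings never block: there is no package update to apply yet."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(e["severity"], 0) >= floor
               for e in triaged["fixable"])
```

Feed it a real report with `trivy image --format json -o report.json <image>` and the unfixed list is the set of findings the scanner in the issue reports but that no package update can yet remove.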

@github-actions

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Sep 25, 2022
@github-actions

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

@sinceronny

Prisma scan reports another CVE:

| Component | Version | Vulnerability | Severity |
|---|---|---|---|
| libtasn1-6 | 4.16.0-2 | CVE-2021-46848 | critical |
