
Vulnerability remediation for CRITICAL and HIGH in latest KF chart #2132

Closed
psheorangithub opened this issue Feb 10, 2022 · 2 comments

@psheorangithub

The latest KF release 1.4.1 has a total of 43 HIGH and CRITICAL vulnerabilities. Do you have any plans to remediate them? I see a few of them are due to the latest charts of the apps not being used. FEAST ( https://github.com/feast-dev/feast/releases/tag/v0.18.0 ) is one example.

| IMAGE | TAG | CVE | SEVERITY |
|---|---|---|---|
| docker.io/bitnami/postgresql | 11.7.0-debian-10-r9 | CVE-2018-16873 | HIGH |
| docker.io/bitnami/postgresql | 11.7.0-debian-10-r9 | CVE-2018-16875 | HIGH |
| docker.io/bitnami/postgresql | 11.7.0-debian-10-r9 | CVE-2019-13115 | HIGH |
| docker.io/bitnami/postgresql | 11.7.0-debian-10-r9 | CVE-2021-3156 | HIGH |
| docker.io/bitnami/redis | 5.0.7-debian-10-r32 | CVE-2018-16873 | HIGH |
| docker.io/bitnami/redis | 5.0.7-debian-10-r32 | CVE-2018-16875 | HIGH |
| docker.io/bitnami/redis | 5.0.7-debian-10-r32 | CVE-2019-13115 | HIGH |
| docker.io/bitnami/redis | 5.0.7-debian-10-r32 | CVE-2021-3156 | HIGH |
| docker.io/kubeflowkatib/pytorch-mnist | v1beta1-45c5727 | CVE-2019-3462 | HIGH |
| docker.io/kubeflowkatib/tfevent-metrics-collector | v0.12.0 | CVE-2019-3462 | HIGH |
| docker.io/kubeflowkatib/tfevent-metrics-collector | v0.12.0 | CVE-2020-15999 | HIGH |
| gcr.io/arrikto/kubeflow/oidc-authservice | 28c59ef | CVE-2020-1967 | HIGH |
| gcr.io/kf-feast/feast-core | develop | CVE-2014-0050 | CRITICAL |
| gcr.io/kf-feast/feast-core | develop | CVE-2021-44228 | CRITICAL |
| gcr.io/kf-feast/feast-core | develop | CVE-2021-45046 | CRITICAL |
| gcr.io/kf-feast/feast-jobservice | develop | CVE-2019-17571 | CRITICAL |
| gcr.io/kf-feast/feast-jobservice | develop | CVE-2020-24616 | HIGH |
| gcr.io/kf-feast/feast-jobservice | develop | CVE-2021-3156 | HIGH |
| gcr.io/kf-feast/feast-jobservice | develop | CVE-2022-23307 | CRITICAL |
| gcr.io/kf-feast/feast-serving | develop | CVE-2014-0050 | CRITICAL |
| gcr.io/kf-feast/feast-serving | develop | CVE-2020-24616 | HIGH |
| gcr.io/kf-feast/feast-serving | develop | CVE-2021-44228 | CRITICAL |
| gcr.io/kf-feast/feast-serving | develop | CVE-2021-45046 | CRITICAL |
| gcr.io/kubebuilder/kube-rbac-proxy | v0.4.0 | CVE-2018-16873 | HIGH |
| gcr.io/kubebuilder/kube-rbac-proxy | v0.4.0 | CVE-2018-16875 | HIGH |
| gcr.io/ml-pipeline/api-server | 1.7.0 | CVE-2009-5155 | HIGH |
| gcr.io/ml-pipeline/api-server | 1.7.0 | CVE-2018-100000 | HIGH |
| gcr.io/ml-pipeline/frontend | 1.7.0 | CVE-2020-1967 | HIGH |
| gcr.io/ml-pipeline/persistenceagent | 1.7.0 | CVE-2019-11253 | HIGH |
| kfserving/storage-initializer | v0.6.1 | CVE-2021-44228 | CRITICAL |
| kfserving/storage-initializer | v0.6.1 | CVE-2021-45046 | CRITICAL |
| metacontroller/metacontroller | v0.3.0 | CVE-2009-5155 | HIGH |
| metacontroller/metacontroller | v0.3.0 | CVE-2018-100000 | HIGH |
| metacontroller/metacontroller | v0.3.0 | CVE-2018-16873 | HIGH |
| metacontroller/metacontroller | v0.3.0 | CVE-2018-16875 | HIGH |
| metacontroller/metacontroller | v0.3.0 | CVE-2019-3462 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/codeserver-python | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-cuda-full | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-full | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-cuda-full | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-full | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/rstudio-tidyverse | v1.4 | CVE-2021-4034 | HIGH |
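As an added triage example (my code, not part of the issue or of the Kubeflow project), the script below parses the scan table posted above, totals findings by severity and per image reference, lists which references carry a given CVE, and flags references that sit on a floating tag such as `develop`, which pins no specific build and so cannot be tied to a known-good image. The rows are transcribed from the table; the set of tag names treated as floating and all function names are my own assumptions.

```python
"""Triage the HIGH/CRITICAL scan rows posted in the issue (added example)."""
import re
from collections import Counter, defaultdict

# Rows transcribed from the issue's table: image, tag, CVE, severity.
SCAN_TABLE = """\
docker.io/bitnami/postgresql 11.7.0-debian-10-r9 CVE-2018-16873 HIGH
docker.io/bitnami/postgresql 11.7.0-debian-10-r9 CVE-2018-16875 HIGH
docker.io/bitnami/postgresql 11.7.0-debian-10-r9 CVE-2019-13115 HIGH
docker.io/bitnami/postgresql 11.7.0-debian-10-r9 CVE-2021-3156 HIGH
docker.io/bitnami/redis 5.0.7-debian-10-r32 CVE-2018-16873 HIGH
docker.io/bitnami/redis 5.0.7-debian-10-r32 CVE-2018-16875 HIGH
docker.io/bitnami/redis 5.0.7-debian-10-r32 CVE-2019-13115 HIGH
docker.io/bitnami/redis 5.0.7-debian-10-r32 CVE-2021-3156 HIGH
docker.io/kubeflowkatib/pytorch-mnist v1beta1-45c5727 CVE-2019-3462 HIGH
docker.io/kubeflowkatib/tfevent-metrics-collector v0.12.0 CVE-2019-3462 HIGH
docker.io/kubeflowkatib/tfevent-metrics-collector v0.12.0 CVE-2020-15999 HIGH
gcr.io/arrikto/kubeflow/oidc-authservice 28c59ef CVE-2020-1967 HIGH
gcr.io/kf-feast/feast-core develop CVE-2014-0050 CRITICAL
gcr.io/kf-feast/feast-core develop CVE-2021-44228 CRITICAL
gcr.io/kf-feast/feast-core develop CVE-2021-45046 CRITICAL
gcr.io/kf-feast/feast-jobservice develop CVE-2019-17571 CRITICAL
gcr.io/kf-feast/feast-jobservice develop CVE-2020-24616 HIGH
gcr.io/kf-feast/feast-jobservice develop CVE-2021-3156 HIGH
gcr.io/kf-feast/feast-jobservice develop CVE-2022-23307 CRITICAL
gcr.io/kf-feast/feast-serving develop CVE-2014-0050 CRITICAL
gcr.io/kf-feast/feast-serving develop CVE-2020-24616 HIGH
gcr.io/kf-feast/feast-serving develop CVE-2021-44228 CRITICAL
gcr.io/kf-feast/feast-serving develop CVE-2021-45046 CRITICAL
gcr.io/kubebuilder/kube-rbac-proxy v0.4.0 CVE-2018-16873 HIGH
gcr.io/kubebuilder/kube-rbac-proxy v0.4.0 CVE-2018-16875 HIGH
gcr.io/ml-pipeline/api-server 1.7.0 CVE-2009-5155 HIGH
gcr.io/ml-pipeline/api-server 1.7.0 CVE-2018-100000 HIGH
gcr.io/ml-pipeline/frontend 1.7.0 CVE-2020-1967 HIGH
gcr.io/ml-pipeline/persistenceagent 1.7.0 CVE-2019-11253 HIGH
kfserving/storage-initializer v0.6.1 CVE-2021-44228 CRITICAL
kfserving/storage-initializer v0.6.1 CVE-2021-45046 CRITICAL
metacontroller/metacontroller v0.3.0 CVE-2009-5155 HIGH
metacontroller/metacontroller v0.3.0 CVE-2018-100000 HIGH
metacontroller/metacontroller v0.3.0 CVE-2018-16873 HIGH
metacontroller/metacontroller v0.3.0 CVE-2018-16875 HIGH
metacontroller/metacontroller v0.3.0 CVE-2019-3462 HIGH
public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/codeserver-python v1.4 CVE-2021-4034 HIGH
public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-cuda-full v1.4 CVE-2021-4034 HIGH
public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-full v1.4 CVE-2021-4034 HIGH
public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy v1.4 CVE-2021-4034 HIGH
public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-cuda-full v1.4 CVE-2021-4034 HIGH
public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-full v1.4 CVE-2021-4034 HIGH
public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/rstudio-tidyverse v1.4 CVE-2021-4034 HIGH
"""

# Assumed set of floating tags: the image behind them can change without any chart change.
MUTABLE_TAGS = {"develop", "latest", "master", "main"}
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_rows(text):
    """Return (image, tag, cve, severity) tuples; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not CVE_ID.match(parts[2]):
            continue
        image, tag, cve, severity = parts
        rows.append((image, tag, cve, severity.upper()))
    return rows


def severity_totals(rows):
    """Overall finding count per severity."""
    return Counter(sev for _, _, _, sev in rows)


def per_image(rows):
    """Map 'image:tag' -> Counter of severities, to rank which image to bump first."""
    summary = defaultdict(Counter)
    for image, tag, _, sev in rows:
        summary[f"{image}:{tag}"][sev] += 1
    return summary


def images_with(rows, cve):
    """Every 'image:tag' reference that carries the given CVE."""
    return sorted({f"{i}:{t}" for i, t, c, _ in rows if c == cve})


def mutable_tag_images(rows):
    """References on a floating tag: these need pinning to a digest or release, not just a rebuild."""
    return sorted({f"{i}:{t}" for i, t, _, _ in rows if t in MUTABLE_TAGS})


if __name__ == "__main__":
    rows = parse_rows(SCAN_TABLE)
    print(len(rows), "findings:", dict(severity_totals(rows)))
    for ref, counts in sorted(per_image(rows).items(), key=lambda kv: -kv[1]["CRITICAL"]):
        print(f"{ref}: {dict(counts)}")
    print("floating tags:", mutable_tag_images(rows))
    print("CVE-2021-44228:", images_with(rows, "CVE-2021-44228"))
```

Running it reproduces the reporter's figure of 43 findings (33 HIGH, 10 CRITICAL) and shows that every `develop` reference belongs to the three Feast images, which is where a chart bump to a released tag would make the largest difference.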
@juliusvonkohout
Member

/close

We are now at 1.7/1.8. Please join our security WG meeting or reach out on Slack.

There has been no activity for a long time. Please reopen if necessary.

@google-oss-prow

@juliusvonkohout: Closing this issue.

In response to this:

> /close
>
> We are now at 1.7/1.8. Please join our security WG meeting or reach out on Slack.
>
> There has been no activity for a long time. Please reopen if necessary.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
