
CVE's on latest container image citrix-k8s-ingress-controller:2.1.4 #677

Open
yethishgv opened this issue Jan 22, 2025 · 5 comments

@yethishgv

The latest Docker image citrix-k8s-ingress-controller:2.1.4 contains 25 CVEs, including one dating back to 2015. Are there any plans to address these vulnerabilities?

| CVE | Status | Affected packages | Remediation |
|---|---|---|---|
| CVE-2015-2104 | Active | python3-pycache-pyc0, python3-pyc, and 1 more... | Upgrade 3 packages |
| CVE-2023-27043 | Active | python3-pyc, python3, and 1 more... | Upgrade 3 packages |
| CVE-2023-36054 | Active | krb5-libs | Upgrade krb5-libs to >= 1.20.2-r0 |
| CVE-2023-42363 | Active | busybox-binsh, busybox, and 1 more... | Upgrade 3 packages |
| CVE-2023-42364 | Active | busybox-binsh, busybox, and 1 more... | Upgrade 3 packages |
| CVE-2023-42365 | Active | busybox-binsh, busybox, and 1 more... | Upgrade 3 packages |
| CVE-2023-42366 | Active | busybox-binsh, busybox, and 1 more... | Upgrade 3 packages |
| CVE-2024-2511 | Active | libssl3, libcrypto3 | Upgrade 2 packages |
| CVE-2024-37370 | Active | krb5-libs | Upgrade krb5-libs to >= 1.20.2-r1 |
| CVE-2024-37371 | Active | krb5-libs | Upgrade krb5-libs to >= 1.20.2-r1 |
| CVE-2024-4032 | Active | python3-pycache-pyc0, python3-pyc, and 1 more... | Upgrade 3 packages |
| CVE-2024-45490 | Active | libexpat | Upgrade libexpat to >= 2.6.3-r0 |
| CVE-2024-45491 | Active | libexpat | Upgrade libexpat to >= 2.6.3-r0 |
| CVE-2024-45492 | Active | libexpat | Upgrade libexpat to >= 2.6.3-r0 |
| CVE-2024-4603 | Active | libssl3, libcrypto3 | Upgrade 2 packages |
| CVE-2024-4741 | Active | libssl3, libcrypto3 | Upgrade 2 packages |
| CVE-2024-50602 | Active | libexpat | Upgrade libexpat to >= 2.6.4-r0 |
| CVE-2024-5535 | Active | libcrypto3, libssl3 | Upgrade 2 packages |
| CVE-2024-6119 | Active | libssl3, libcrypto3 | Upgrade 2 packages |
| CVE-2024-6232 | Active | python3-pycache-pyc0, python3-pyc, and 1 more... | Upgrade 3 packages |
| CVE-2024-6923 | Active | python3-pyc, python3, and 1 more... | Upgrade 3 packages |
| CVE-2024-7592 | Active | python3-pycache-pyc0, python3-pyc, and 1 more... | Upgrade 3 packages |
| CVE-2024-8088 | Active | python3, python3-pycache-pyc0, and 1 more... | Upgrade 3 packages |
| CVE-2024-9143 | Active | libssl3, libcrypto3 | Upgrade 2 packages |
| CVE-2024-9287 | Active | python3-pyc, python3, and 1 more... | Upgrade 3 packages |

@arijitr-citrix
Collaborator

Hi @yethishgv,
We have addressed a few CVEs in the latest release (2.2.10). Please check the latest version.

Additionally, could you please let us know which scanning tool is flagging these CVEs?

Regards!
Arijit Ray

@yethishgv
Author

Hi @arijitr-citrix,
Thanks for the update.
Vulnerability Advisor is the scanning tool.
Though the latest release (2.2.10) exists as source code, the container image has been missing for a long time. The last available one is citrix-k8s-ingress-controller:2.1.4.
Is there any reason why the latest container image is not published?

@arijitr-citrix
Collaborator

Hi @yethishgv ,

We have migrated to a new repo. The old one was supported for a year or so, but from the last release onward images will not be published to the citrix repo. Images will be updated in the netscaler repo: quay.io/netscaler/netscaler-k8s-ingress-controller:2.2.10

Kindly use this image from that repo. Additionally, if you are using Helm charts, you will notice deprecation notices on the Citrix Helm charts, and you have to use the NetScaler Helm charts: https://artifacthub.io/packages/helm/netscaler/citrix-cloud-native

@yethishgv
Author

Hi @arijitr-citrix
Thank you for the quick response.
I was able to pull the new image netscaler-k8s-ingress-controller:2.2.10.
The new image shows 5 CVEs. Could you please confirm this on your end?

| CVE | Status | Affected packages | Remediation |
|---|---|---|---|
| CVE-2024-9143 | Active | libcrypto3, libssl3 | Upgrade 2 packages |
| CVE-2024-9287 | Active | python3, python3-pycache-pyc0, and 1 more... | Upgrade 3 packages |
| CVE-2024-50602 | Active | libexpat | Upgrade libexpat to >= 2.6.4-r0 |
| CVE-2024-37371 | Active | krb5-libs | Upgrade krb5-libs to >= 1.20.2-r1 |
| CVE-2024-37370 | Active | krb5-libs | Upgrade krb5-libs to >= 1.20.2-r1 |
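To confirm which of the 2.1.4 findings survive in 2.2.10 without comparing two listings by eye, here is an added example (not the project's code, nor the scanner's) that parses the four-line listing format pasted in this thread and diffs two scans. The embedded listings are abbreviated copies of the ones above, and the four-line-per-finding layout is assumed from how the findings appear here.

```python
import re

# Constructed sample, abbreviated from the listings in this thread:
# three findings reported for 2.1.4 and two for 2.2.10. Blank lines are optional.
OLD_SCAN = """CVE-2015-2104
Active
python3-pycache-pyc0, python3-pyc, and 1 more...
Upgrade 3 packages

CVE-2024-37370
Active
krb5-libs
Upgrade krb5-libs to >= 1.20.2-r1

CVE-2024-9143
Active
libssl3, libcrypto3
Upgrade 2 packages"""
NEW_SCAN = """CVE-2024-9143
Active
libcrypto3, libssl3
Upgrade 2 packages

CVE-2024-37370
Active
krb5-libs
Upgrade krb5-libs to >= 1.20.2-r1"""
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def parse_listing(text):
    """Parse the 4-line-per-finding format: CVE id, status, packages, remediation."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 4:
        raise ValueError("listing is not a whole number of 4-line findings")
    findings = {}
    for cve, status, pkgs, fix in zip(*[iter(lines)] * 4):
        if not CVE_RE.match(cve):
            raise ValueError(f"expected a CVE id, got {cve!r}")
        # "a, b, and 1 more..." -> only the named packages, sorted so orderings compare equal
        packages = sorted(p.strip() for p in pkgs.split(",") if not p.strip().startswith("and "))
        findings[cve] = {"status": status, "packages": packages, "fix": fix}
    return findings

def diff_scans(old, new):
    """Classify CVE ids: fixed (old only), remaining (both), introduced (new only)."""
    old_ids, new_ids = set(old), set(new)
    return {"fixed": sorted(old_ids - new_ids),
            "remaining": sorted(old_ids & new_ids),
            "introduced": sorted(new_ids - old_ids)}
```

Running `diff_scans(parse_listing(OLD_SCAN), parse_listing(NEW_SCAN))` on the full listings from this thread gives the five CVEs above as "remaining", which is the list to track against the maintainers' upcoming releases.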

@arijitr-citrix
Collaborator

Hi @yethishgv ,
We are aware of these CVEs and will be fixing them, where a fix is available, in the upcoming releases.
Meanwhile, kindly provide us with more information so that we can reach you better by filling in this questionnaire.
