Critical vulnerability CVE-2024-32002
kustomize-controller:v1.3.0 has the critical vulnerability CVE-2024-32002.
https://security.alpinelinux.org/vuln/CVE-2024-32002
Vulnerability ID: CVE-2024-32002
Fixed Version: 2.43.4-r0
Installed Version: 2.43.0-r0
The base image CVEs are fixed as part of our release process.
We recommend disabling kustomize remote bases when running Flux in production. If you do that, then the controller will never call the Git CLI and you are safe from this CVE.
If you need images that pass your scanner right away, please have a look at https://github.com/controlplaneio-fluxcd.
@souleb How can I set this flag? I can't find it in the docs. When running flux install --no-remote-bases=true I'm getting: unknown flag: --no-remote-bases
It's in the controller options. You can customize it using a patch as described in https://fluxcd.io/flux/installation/configuration/boostrap-customization/.
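For readers looking for the concrete patch, the following is an added example and not code from this thread or from the Flux project. It applies the bootstrap-customization approach from the linked docs to the kustomize-controller Deployment: the file is the flux-system kustomization.yaml that flux bootstrap generates, and the patch appends --no-remote-bases=true to the controller's container args. The cluster path (clusters/my-cluster) is an assumed layout; the resource file names gotk-components.yaml and gotk-sync.yaml are the ones Flux bootstrap writes.

```yaml
# clusters/my-cluster/flux-system/kustomization.yaml  (path is an assumed layout)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patches:
  # JSON 6902 patch targeting only the kustomize-controller Deployment.
  # Appending to args/- keeps the existing flags intact and adds the one
  # that stops the controller from ever invoking the Git CLI for remote bases.
  - patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --no-remote-bases=true
    target:
      kind: Deployment
      name: kustomize-controller
```

Commit the file alongside the other flux-system manifests; Flux reconciles its own components from this path, so the patched Deployment is applied on the next sync. Note that this only changes the controller's behaviour: the vulnerable git package stays in the image until a rebuilt image is released, so a scanner will still report it.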
@souleb In which version will the fix be rolled out? The current version v1.3.0 still has git 2.43.0-r0 installed.
Please correct me if I am wrong: the setting --no-remote-bases=true changes the way kustomize-controller works, but the image remains the same v1.3.0. This means that the old git version is still installed and the vulnerability is still there. I would like, if possible, to have no software in my environment that has vulnerabilities.
Yes, but the vulnerability scan will continue to find this critical vulnerability. I think fixing the image is the correct way.
This CVE is not in Flux, but in the base image. Rebuilding the image would fix it.
If you need it to pass your scanner now, either contact one of the resellers or rebuild it yourself from a release branch.
We will provide a new image as part of the next release this summer.