
Critical vulnerability CVE-2024-32002

Open BurakCetin3129 opened this issue 1 year ago • 2 comments

kustomize-controller:v1.3.0 has CVE-2024-32002 critical vulnerability.

https://security.alpinelinux.org/vuln/CVE-2024-32002

BurakCetin3129 avatar May 21 '24 08:05 BurakCetin3129

Vulnerability ID:    CVE-2024-32002
Fixed Version:       2.43.4-r0
Installed Version:   2.43.0-r0

zensqlmonitor avatar May 21 '24 08:05 zensqlmonitor

The base image CVEs are fixed as part of our release process.

We recommend disabling kustomize remote bases when running Flux in production. If you do that, then the controller will never call the Git CLI and you are safe from this CVE.

If you need images that pass your scanner right away, please have a look at https://github.com/controlplaneio-fluxcd.

souleb avatar May 21 '24 09:05 souleb

@souleb How can I set this flag? I can't find it in the docs. When running flux install --no-remote-bases=true I'm getting: unknown flag: --no-remote-bases

galz-cyera avatar Jun 02 '24 14:06 galz-cyera

It's in the controller options. You can customize it using a patch as described in https://fluxcd.io/flux/installation/configuration/boostrap-customization/.

souleb avatar Jun 02 '24 16:06 souleb
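The patch souleb points to is applied through the kustomization.yaml that flux bootstrap writes next to gotk-components.yaml. The following is an added example of that file with the kustomize-controller flag appended, not a file from this thread or from the Flux repository; the cluster path clusters/my-cluster is an assumption, and the flag name --no-remote-bases is the one discussed above.

```yaml
# clusters/my-cluster/flux-system/kustomization.yaml (path is an assumed example)
# Flux reconciles this file on every bootstrap/sync, so the patch survives upgrades.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patches:
  # Append --no-remote-bases=true to the first (only) container of the
  # kustomize-controller Deployment. Kustomizations that reference a remote
  # base (a git URL under resources:) will then fail to build, which is the
  # intended effect: the controller never shells out to the git CLI.
  - patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --no-remote-bases=true
    target:
      kind: Deployment
      name: kustomize-controller
```

After the next reconciliation of flux-system, confirm the flag reached the running Deployment with kubectl -n flux-system get deploy kustomize-controller -o jsonpath='{.spec.template.spec.containers[0].args}'. Note that this only changes how the controller behaves; the git binary in the v1.3.0 image is untouched, so a scanner will still report the package until a rebuilt image is released.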

@souleb In which version will the fix be rolled out? The current version v1.3.0 still has git 2.43.0-r0 installed.

Please correct me if I am wrong: the setting --no-remote-bases=true changes the way the kustomize controller works, but the image remains the same, v1.3.0. This means that the old git version is still installed and the vulnerability is still there. I would like, if possible, to have no software in my environment that has vulnerabilities.

artur-tud avatar Jun 03 '24 08:06 artur-tud

> The base image CVEs are fixed as part of our release process.
>
> We recommend disabling kustomize remote bases when running Flux in production. If you do that, then the controller will never call the Git CLI and you are safe from this CVE.
>
> If you need images that pass your scanner right away, please have a look at https://github.com/controlplaneio-fluxcd.

Yes, but the vulnerability scan will continue to find this critical vulnerability. I think fixing the image is the correct way.

BurakCetin3129 avatar Jun 03 '24 08:06 BurakCetin3129

This CVE is not in Flux, but in the base image. Rebuilding the image would fix it.

If you need it to pass your scanner now, either contact one of the resellers or you can rebuild it yourself from a release branch.

We will provide a new image as part of the next release this summer.

souleb avatar Jun 03 '24 09:06 souleb