
Vulnerability in stdlib of Kustomize Binary #5762

Closed
ilyasamraoui opened this issue Sep 13, 2024 · 9 comments · Fixed by #5763 or kubernetes/test-infra#33478
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@ilyasamraoui

What happened?

After scanning a Docker image containing kustomize version 5.4.3 using Chainguard, a report indicated that the image contains a vulnerability related to CVE-2024-34156. The vulnerability was found in the stdlib component, as the current kustomize version is using stdlib version 1.21.12.

According to the report, this version of the standard library is vulnerable and should be updated to either version 1.22.7 or version 1.23.1 to address the security issue.

What did you expect to happen?

I expect to have an empty report with no vulnerabilities

How can we reproduce it (as minimally and precisely as possible)?

scan the binary using chainguard

Expected output

No response

Actual output

No response

Kustomize version

5.4.3

Operating system

Linux

@ilyasamraoui ilyasamraoui added the kind/bug Categorizes issue or PR as related to a bug. label Sep 13, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Sep 13, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@geekyfox90

I encountered the same issue while scanning a Docker image with kustomize version 5.4.3 using Trivy. The scan report flagged CVE-2024-34156 due to the usage of stdlib version 1.21.12, which is vulnerable. According to the report, this version should be updated to stdlib version 1.22.7 or 1.23.1 to resolve the issue.

Could you provide an estimate of when a new version of kustomize will be released with the updated stdlib version that addresses this vulnerability? Additionally, is there any workaround or guidance you can offer in the meantime?

Thanks in advance!

@koba1t
Member

koba1t commented Sep 14, 2024

/assign @koba1t

@koba1t
Member

koba1t commented Sep 14, 2024

I believe this vulnerability is from the go version.
So we need to update go.

app/kustomize (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.5            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

@koba1t
Member

koba1t commented Sep 14, 2024

@geekyfox90

Could you provide an estimate of when a new version of kustomize will be released with the updated stdlib version that addresses this vulnerability? Additionally, is there any workaround or guidance you can offer in the meantime?

I believe we don't use encoding/gob package now, so you don't need to do anything.
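The two comments above turn on a single question: does the Go toolchain baked into the kustomize binary fall inside the "Fixed Version" lines that the scanner reports, and is the affected package (encoding/gob) even linked in? The program below is an added example, not code from the kustomize project or from any of the commenters. It reads the Go version and module list that the Go linker embeds in every binary (debug/buildinfo, the same data `go version -m` prints) and applies the rule the scanner table implies: a toolchain on the same minor line as a listed fix must be at or above that patch, a newer minor line counts as fixed, and an older, no longer supported line (such as 1.21.x) counts as unfixed. The fixed versions 1.22.7 and 1.23.1 are the ones from the report above; the binary path is whatever you pass on the command line.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// goVersion is the parsed major/minor/patch of a Go toolchain version string.
type goVersion struct{ major, minor, patch int }

// Accepts "go1.21.12", "1.22.7" and also "go1.23" (patch treated as 0).
var versionRe = regexp.MustCompile(`^(?:go)?(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion turns a version string into its numeric components.
func parseGoVersion(s string) (goVersion, error) {
	m := versionRe.FindStringSubmatch(s)
	if m == nil {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var v goVersion
	v.major, _ = strconv.Atoi(m[1])
	v.minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.patch, _ = strconv.Atoi(m[3])
	}
	return v, nil
}

// IsFixed reports whether the installed toolchain carries the fix for an
// advisory whose "Fixed Version" column lists one patch release per
// supported minor line (1.22.7 and 1.23.1 for CVE-2024-34156).
// Same minor line: patch must be >= the fixed patch.
// Minor line newer than every listed fix: fixed.
// Minor line older than every listed fix (unsupported, e.g. 1.21.x): unfixed.
func IsFixed(installed string, fixed []string) (bool, error) {
	inst, err := parseGoVersion(installed)
	if err != nil {
		return false, err
	}
	maxMinor := -1
	for _, f := range fixed {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if fv.major != inst.major {
			continue
		}
		if fv.minor > maxMinor {
			maxMinor = fv.minor
		}
		if fv.minor == inst.minor {
			return inst.patch >= fv.patch, nil
		}
	}
	return inst.minor > maxMinor, nil
}

// Report summarises what the embedded build info says about one binary.
type Report struct {
	GoVersion string
	MainPath  string
	Fixed     bool
}

// Inspect reads the build info embedded in a Go binary at path and decides
// whether its toolchain is at or beyond the given fixed versions.
func Inspect(path string, fixed []string) (Report, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return Report{}, fmt.Errorf("no Go build info in %s: %w", path, err)
	}
	ok, err := IsFixed(bi.GoVersion, fixed)
	if err != nil {
		return Report{}, err
	}
	return Report{GoVersion: bi.GoVersion, MainPath: bi.Path, Fixed: ok}, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <path-to-go-binary>")
		os.Exit(2)
	}
	// Fixed versions taken from the scanner table in this issue (CVE-2024-34156).
	r, err := Inspect(os.Args[1], []string{"1.22.7", "1.23.1"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s built with %s; toolchain fixed for CVE-2024-34156: %v\n",
		r.MainPath, r.GoVersion, r.Fixed)
}
```

Build info only records the toolchain and module versions, not which standard-library packages were linked, so it cannot confirm the "we don't use encoding/gob" point by itself. For that, `go tool nm <binary> | grep encoding/gob` on an unstripped binary shows whether gob symbols are present, and `govulncheck -mode=binary <binary>` goes further and reports only vulnerabilities whose affected functions are actually reachable; a clean govulncheck result is the evidence that turns a scanner finding into a documented non-issue.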

@koba1t
Member

koba1t commented Sep 25, 2024

/reopen
We need to create a new release.

@k8s-ci-robot k8s-ci-robot reopened this Sep 25, 2024
@k8s-ci-robot
Contributor

@koba1t: Reopened this issue.

In response to this:

/reopen
We need to create new release.


@koba1t
Member

koba1t commented Oct 10, 2024

A new kustomize binary was released.
/~https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.5.0

/close

@k8s-ci-robot
Contributor

@koba1t: Closing this issue.

In response to this:

A new kustomize binary was released.
/~https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.5.0

/close

