K3s Images - Security Vulnerabilities

gsethu · July 23, 2020, 5:17pm

We are evaluating k3s. As part of security, scanned all the k3s images corresponding to version 1.18.2+k3s1 (698e444). The scanning tool reported below CVE vulnerabilities corresponding to severity level Critical (3) & High(10) (there are additional CVE corresponding to medium/low severity).

Pls clarify if these CVE would be addressed in upcoming release ? Also does k3s images gets scanned during every release ?

CVE-2018-1000517
CVE-2019-14697
CVE-2019-19012

CVE-2018-20679
CVE-2019-18276
CVE-2019-19203
CVE-2019-19204
CVE-2019-19604
CVE-2019-20454
CVE-2019-5747
CVE-2020-11008
CVE-2020-1967
CVE-2020-5260

gsethu · August 4, 2020, 1:55am

I appreciate if someone can provide an update on the above query ?

cjellick · August 4, 2020, 2:41pm

Thanks for the question.

We’ve started down the path of automated CVE scanning, but aren’t quite there yet.

As we work through that effort, we will be uplifting base images to get the images to pass the scanning.

Roughly targeting this for the v1.19.x timeframe.

gsethu · August 4, 2020, 8:20pm

Thanks for the update. Can you pls provide the date when v1.9.x is planned for release ?

gsethu · August 10, 2020, 5:14pm

@cjellick Can you pls update when the next version (v1.19.x) planned for ? What is the timeframe when these vulnerabilities would be addressed ? Thanks.

cjellick · August 10, 2020, 6:39pm

I can’t give an exact timeframe. v1.19.0 is due out later this month (in line with upstream), but I don’t think we’ll have the base images updated by then.

Topic		Replies	Views
CVE-2022-37434 in k3d-tools k3s, k3OS, and k3d	0	176	July 18, 2023
K3s Release - v0.3.0 Announcements	1	1391	March 30, 2019
Guidance on Hardening K3S k3s, k3OS, and k3d	0	607	November 3, 2020
K3s Release - v0.5.0 Announcements	1	1166	May 6, 2019
"read: connection reset by peer" when pulling from insecure registry k3s, k3OS, and k3d	1	1808	May 23, 2021

K3s Images - Security Vulnerabilities

Related Topics