Vulnerabilities Found in Kubeflow Docker Images v1.9.0

[StefanSorensen]

/kind bug

What steps did you take and what happened:
When we scanned kubeflow docker images v1.9.0, we found following vulnerabilities

During a security scan of the Kubeflow Docker images Kubeflow release version 1.9.0, we identified several vulnerabilities. Below are the details of the affected Docker images and their corresponding CVEs:

• istio-pilot-1.22.1
  • CVE-2024-41110
  • CVE-2024-24790
• istio-proxyv2-1.22.1
  • CVE-2024-41110
  • CVE-2024-24790
• kserve-models-web-app-v0.13.0-rc.0
  • CVE-2023-7104
  • CVE-2023-45853
• kubeflownotebookswg-centraldashboard-v1.9.0
  • CVE-2023-36665
• kubeflownotebookswg-jupyter-web-app-v1.9.0
  • CVE-2023-45853
• kubeflownotebookswg-kfam-v1.9.0
  • CVE-2023-24538
  • CVE-2023-24540
  • CVE-2024-24790
• kubeflownotebookswg-notebook-controller-v1.9.0
  • CVE-2023-24538
  • CVE-2023-24540
  • CVE-2024-24790
• kubeflownotebookswg-volumes-web-app-v1.9.0
  • CVE-2023-45853
• kubeflowkatib-katib-controller-v0.17.0
  • CVE-2024-41110
• kubeflownotebookswg-profile-controller-v1.9.0
  • CVE-2022-1996
  • CVE-2023-24538
  • CVE-2023-24540
  • CVE-2024-24790
• kubeflownotebookswg-pvcviewer-controller
  • CVE-2024-24790
• kubeflownotebookswg-tensorboard-controller-v1.9.0
  • CVE-2023-24538
  • CVE-2023-24540
  • CVE-2024-24790
• kubeflownotebookswg-tensorboards-web-app-v1.9.0
  • CVE-2023-45853
• metacontrollerio-metacontroller-v2.0.4
  • CVE-2021-3711
  • CVE-2022-37434
  • CVE-2022-23806
  • CVE-2023-24538
  • CVE-2024-24790
• rancher-local-path-provisioner-v0.0.26
  • CVE-2024-24790
  • CVE-2023-24540
• mysql-8.0.29
  • CVE-2022-23806
  • CVE-2023-24538
  • CVE-2023-24540
  • CVE-2024-24790
• rancher-klipper-helm-v0.8.3-build20240228
  • CVE-2024-41110
  • CVE-2024-24790
  • CVE-2022-23806
  • CVE-2023-24538
• rancher-mirrored-coredns-coredns-1.10.1
  • CVE-2023-24538
  • CVE-2023-24540
  • CVE-2024-24790
• rancher-mirrored-library-traefik-2.10.7
  • CVE-2024-41110
  • CVE-2024-24790
• rancher-mirrored-metrics-server-v0.7.0
  • CVE-2024-24790

I have investigated some of the CVEs, and they can all be resolved by updating the dependencies.

I have only found boards for posting issues for individual components. Since the CVEs affect multiple components, I have reported the bug here for now. If necessary, I can create multiple issues.

[andreyvelich]

Thank you for rising this @StefanSorensen!
@juliusvonkohout @akgraner Do we have any guidelines from the security perspective on how these CVEs should be addressed ?
cc @kubeflow/kubeflow-steering-committee

[juliusvonkohout]

First of all we have the scans as well on every commit. For example https://github.com/kubeflow/manifests/actions/runs/11073006658/job/30768570843 So it is already public. I also pointed @StefanSorensen on slack to the script to upgrade istio from 1.22.1 to 1.22.x and the kserve repository. Most others issues here are from kubeflow/dashboard / kubeflow/kubeflow, kubeflow/pipelines or out of scope (rancher). In the end we just want people to raise PRs for such public stuff.