external-dns vulnerability


Jesire Belleza

Aug 3, 2022, 10:47:53 AM
to kubernetes-se...@googlegroups.com

Hello,

Our twistlock scanner picked up a vulnerability finding on our external-dns container about "github.com/golang-jwt/jwt/v4 module from all versions is vulnerable to Denial of Service (DoS) due to token without ExpiresAt can cause panic." This finding has been addressed and fixed in jwt version > v4.1.0. I found the line of code referring to "github.com/golang-jwt/jwt/v4" module in this link https://github.com/kubernetes-sigs/external-dns/blob/master/go.mod#L104. I'm not sure if this finding has been addressed before, but I thought it would be a great idea to bring this finding up. Let me know if you need any more info about it. Thanks and have a great day.

V/r,

Jesire Belleza

Consulting Engineer

Rancher Government Solutions

www.ranchergovernment.com

562-477-0287


Luke Hinds

Aug 3, 2022, 11:05:24 AM
to Jesire Belleza, kubernetes-se...@googlegroups.com
Hi Jesire

I already replied to this in a different thread, pasting my reply here:

Thanks for letting us know.

As this is an indirect dependency (you don't use jwt directly within the external-dns codebase), I don't believe this needs handling by the security response team.

The import path is as follows:


An update to jwt would need to be performed within 'github.com/Azure/go-autorest/autorest/adal'

autorest/adal/v0.9.21 $ grep jwt go.mod
github.com/golang-jwt/jwt/v4 v4.0.0

Microsoft have a security report process listed here: https://github.com/Azure/go-autorest/blob/main/SECURITY.md

Regards,

Luke
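As an added example, not code from this thread or from the external-dns or go-autorest projects: the chain Luke describes (external-dns requires adal, adal requires jwt) is exactly what `go mod graph` prints, one "from to" edge per line, and `go mod why -m github.com/golang-jwt/jwt/v4` answers the same question directly. The Go program below runs that triage offline over a constructed, simplified graph so it can be checked without a module cache. The main module path sigs.k8s.io/external-dns and the example.com edges are assumptions; only the adal v0.9.21 to jwt v4.0.0 edge comes from the thread. It finds the shortest chain from the main module to any version of the flagged module, reports whether the dependency is direct (fixable in the project's own go.mod) and names the module whose go.mod would actually have to be bumped.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleGraph is a constructed stand-in for `go mod graph` output. Each line
// reads "<from> <to>"; every node except the main module carries an
// "@version" suffix. The main module path and the example.com edges are
// assumptions; the adal v0.9.21 -> jwt v4.0.0 edge is the one from the thread.
const sampleGraph = `sigs.k8s.io/external-dns github.com/Azure/go-autorest/autorest/adal@v0.9.21
sigs.k8s.io/external-dns example.com/unrelated@v1.2.3
github.com/Azure/go-autorest/autorest/adal@v0.9.21 github.com/golang-jwt/jwt/v4@v4.0.0
github.com/Azure/go-autorest/autorest/adal@v0.9.21 example.com/other@v0.5.0
example.com/unrelated@v1.2.3 example.com/other@v0.5.0`

// parseGraph turns the "from to" lines into an adjacency list keyed by the
// exact node string (module path plus version). Blank or malformed lines are
// skipped rather than treated as edges.
func parseGraph(graph string) map[string][]string {
	edges := make(map[string][]string)
	for _, line := range strings.Split(graph, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	return edges
}

// modulePath strips the "@version" suffix so a flagged module is matched
// whichever version the build selected.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// findPath does a breadth-first search from root and returns the shortest
// chain of nodes ending at any version of target, or nil when no version of
// target is reachable from root.
func findPath(edges map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		node := queue[0]
		queue = queue[1:]
		if modulePath(node) == target {
			var chain []string
			for n := node; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range edges[node] {
			if _, seen := parent[next]; !seen {
				parent[next] = node
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// isDirect reports whether the chain is a direct require of the root module
// (root -> target), the only case the root project can fix in its own go.mod.
func isDirect(chain []string) bool {
	return len(chain) == 2
}

// fixLocation names the module whose go.mod must be updated to pull in a
// patched target: the node immediately before the target on the chain.
func fixLocation(chain []string) string {
	if len(chain) < 2 {
		return ""
	}
	return chain[len(chain)-2]
}

func main() {
	edges := parseGraph(sampleGraph)
	chain := findPath(edges, "sigs.k8s.io/external-dns", "github.com/golang-jwt/jwt/v4")
	if chain == nil {
		fmt.Println("flagged module not reachable from the main module")
		return
	}
	fmt.Println("chain:           ", strings.Join(chain, " -> "))
	fmt.Println("direct require:  ", isDirect(chain))
	fmt.Println("update go.mod of:", fixLocation(chain))
}
```

To run it against a real project, replace sampleGraph with the saved output of `go mod graph` from that module's directory; a scanner finding on a module that fixLocation attributes to a third party is one to report to that third party's security process, as the reply above does for go-autorest.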



To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-security-discuss/MN2PR01MB57913C501D9F5BEE877FEF4AFC9C9%40MN2PR01MB5791.prod.exchangelabs.com.