Critical security vulnerabilities #1410

Closed
kvijai82 opened this issue Aug 15, 2024 · 1 comment · Fixed by #1425
kvijai82 commented Aug 15, 2024

We are using the latest v1.45.0 OPM image available and our twistlock & aqua scanners are flagging the image for these critical & high vulnerabilities.

| cve | sev | epss | package | type | version | fixedIn | arch | path |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-41110 | critical (aqua) | 0.045% | github.com/docker/docker | go (aqua) | 26.1.3+incompatible (aqua) | 27.1.1 (aqua) | amd64 | /bin/opm (aqua) |
| CVE-2023-24538 | critical (twistlock) | 0.554% | html/template | go (twistlock) | 1.17.9 (twistlock) | 1.20.3 (twistlock) | amd64 | /bin/grpc_health_probe (twistlock) |
| CVE-2023-24540 | critical (twistlock) | 0.256% | html/template | go (twistlock) | 1.17.9 (twistlock) | 1.20.4 (twistlock) | amd64 | /bin/grpc_health_probe (twistlock) |
| CVE-2023-24539 | high (twistlock) | 0.139% | html/template | go (twistlock) | 1.17.9 (twistlock) | 1.20.4 (twistlock) | amd64 | /bin/grpc_health_probe (twistlock) |
| CVE-2023-29400 | high (twistlock) | 0.139% | html/template | go (twistlock) | 1.17.9 (twistlock) | 1.20.4 (twistlock) | amd64 | /bin/grpc_health_probe (twistlock) |

Would it be possible to remediate these critical CVEs at least?

kvijai82 (Author) commented:

Someone from my team investigated this a bit further and had the following assessment for the criticals:
The majority of these vulnerabilities are because the image is on Go version 1.17.9. The path is grpc_health_probe. Looking into the Dockerfiles I see it references GRPC_HEALTH_PROBE_VERSION=v0.4.11, which dates back to 2022 (https://github.com/grpc-ecosystem/grpc-health-probe/releases/tag/v0.4.11). The latest version is https://github.com/grpc-ecosystem/grpc-health-probe/releases/tag/v0.4.28.
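The assessment above boils down to a per-binary question: which package version does each finding require, and does the rebuilt image actually reach it? The following script is an added example, not code from this issue or from the project that ships the OPM image. It takes the scanner rows pasted in the issue (embedded here as constructed sample input, in both the pipe-delimited and whitespace-delimited forms the reporter posted), deduplicates repeated findings, works out the highest `fixedIn` version per package per binary path, and offers a small version comparison a maintainer can reuse to confirm that a rebuilt `/bin/grpc_health_probe` or `/bin/opm` clears the threshold. The row layout is assumed to be the nine columns shown in the issue table.

```python
import re
from collections import defaultdict

# Constructed sample: the scanner rows quoted in the issue, as the reporter pasted
# them (one row is pipe-delimited, the rest whitespace-delimited; one row repeats).
SCANNER_OUTPUT = """\
CVE-2024-41110 | critical (aqua) | 0.045% | github.com/docker/docker | go (aqua) | 26.1.3+incompatible (aqua) | 27.1.1 (aqua) | amd64 | /bin/opm (aqua)
CVE-2023-24538 critical (twistlock) 0.554% html/template go (twistlock) 1.17.9 (twistlock) 1.20.3 (twistlock) amd64 /bin/grpc_health_probe (twistlock)
CVE-2023-24540 critical (twistlock) 0.256% html/template go (twistlock) 1.17.9 (twistlock) 1.20.4 (twistlock) amd64 /bin/grpc_health_probe (twistlock)
CVE-2023-24539 high (twistlock) 0.139% html/template go (twistlock) 1.17.9 (twistlock) 1.20.4 (twistlock) amd64 /bin/grpc_health_probe (twistlock)
CVE-2023-29400 high (twistlock) 0.139% html/template go (twistlock) 1.17.9 (twistlock) 1.20.4 (twistlock) amd64 /bin/grpc_health_probe (twistlock)
CVE-2024-41110 critical (aqua) 0.045% github.com/docker/docker go (aqua) 26.1.3+incompatible (aqua) 27.1.1 (aqua) amd64 /bin/opm (aqua)
"""

# Nine columns: cve, sev, epss, package, type, version, fixedIn, arch, path.
# The "(aqua)" / "(twistlock)" suffixes name the scanner that produced the value.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s+(?P<sev>\w+)\s+\((?P<scanner>\w+)\)\s+(?P<epss>[\d.]+%)\s+"
    r"(?P<package>\S+)\s+(?P<type>\w+)\s+\(\w+\)\s+(?P<version>\S+)\s+\(\w+\)\s+"
    r"(?P<fixed_in>\S+)\s+\(\w+\)\s+(?P<arch>\w+)\s+(?P<path>\S+)\s+\(\w+\)$"
)


def parse_rows(text):
    """Parse scanner rows in either delimiter style into a list of dicts."""
    rows = []
    for raw in text.splitlines():
        # Normalise: treat '|' as whitespace, then collapse runs of whitespace.
        line = " ".join(raw.replace("|", " ").split())
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised scanner row: {raw!r}")
        rows.append(m.groupdict())
    return rows


def version_key(v):
    """Comparable tuple for dotted versions; drops Go's '+incompatible' suffix."""
    return tuple(int(part) for part in v.split("+")[0].split("."))


def meets_fix(installed, fixed_in):
    """True when the installed version is at or above the scanner's fixedIn."""
    return version_key(installed) >= version_key(fixed_in)


def cves_by_path(rows):
    """Deduplicated, sorted CVE ids per binary path."""
    found = defaultdict(set)
    for r in rows:
        found[r["path"]].add(r["cve"])
    return {path: sorted(ids) for path, ids in found.items()}


def required_upgrades(rows):
    """Highest fixedIn per package per binary: the version a rebuild must reach."""
    needed = defaultdict(dict)
    for r in rows:
        current = needed[r["path"]].get(r["package"])
        if current is None or version_key(r["fixed_in"]) > version_key(current):
            needed[r["path"]][r["package"]] = r["fixed_in"]
    return dict(needed)


if __name__ == "__main__":
    rows = parse_rows(SCANNER_OUTPUT)
    for path, cves in cves_by_path(rows).items():
        print(f"{path}: {len(cves)} CVE(s): {', '.join(cves)}")
    for path, pkgs in required_upgrades(rows).items():
        for pkg, fixed in pkgs.items():
            print(f"{path}: rebuild with {pkg} >= {fixed}")
```

For `/bin/grpc_health_probe` the `html/template` findings resolve to Go 1.20.4 as the minimum toolchain the rebuilt binary must be compiled with, and for `/bin/opm` the `github.com/docker/docker` dependency must reach 27.1.1; `meets_fix` is the check to run against the versions reported by the rebuilt image before closing the issue.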
