More information about this security flaw is available in the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=2333122

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
A scan by govulncheck (see https://github.com/golang/vuln) on cri-tools v1.29 indicates that cri-tools does not appear to be vulnerable. GO-2024-3333 is the Go vulnerability database analog to CVE-2024-45338.

Full results:

cri-tools [ v1.29] ❯ govulncheck --show verbose ./...
Scanning your code and 764 packages across 92 dependent modules for known vulnerabilities...
Fetching vulnerabilities from the database...
Checking the code against the vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-3110
    runc can be confused to create empty files/directories on the host in github.com/opencontainers/runc
    More info: https://pkg.go.dev/vuln/GO-2024-3110
    Module: github.com/opencontainers/runc
      Found in: github.com/opencontainers/runc.10
      Fixed in: github.com/opencontainers/runc.14
      Example traces found:
        #1: pkg/validate/apparmor_linux.go:28:2: validate.init calls apparmor.init
        #2: pkg/framework/test_context.go:154:46: framework.RegisterFlags calls os.Getenv, which eventually calls apparmor.isEnabled
        #3: pkg/validate/apparmor_linux.go:62:23: validate.init calls apparmor.isEnabled
        #4: pkg/validate/apparmor_linux.go:28:2: validate.init calls apparmor.init, which calls utils.init

Vulnerability #2: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
    More info: https://pkg.go.dev/vuln/GO-2024-2687
    Module: golang.org/x/net
      Found in: golang.org/x/net.0
      Fixed in: golang.org/x/net.0
      Example traces found:
        #1: pkg/validate/e2e.go:33:10: validate.TestE2ECRI calls ginkgo.RunSpecs, which eventually calls http2.ConnectionError.Error
        #2: pkg/framework/util.go:330:20: framework.PullPublicImage calls fmt.Sprintf, which eventually calls http2.ErrCode.String
        #3: pkg/framework/util.go:330:20: framework.PullPublicImage calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
        #4: pkg/framework/util.go:330:20: framework.PullPublicImage calls fmt.Sprintf, which eventually calls http2.FrameType.String
        #5: pkg/framework/framework.go:51:11: framework.NewCRIFramework calls ginkgo.AfterEach, which eventually calls http2.Framer.ReadFrame
        #6: pkg/framework/framework.go:51:11: framework.NewCRIFramework calls ginkgo.AfterEach, which eventually calls http2.Framer.WriteContinuation
        #7: pkg/framework/framework.go:51:11: framework.NewCRIFramework calls ginkgo.AfterEach, which eventually calls http2.Framer.WriteData
        #8: pkg/framework/framework.go:51:11: framework.NewCRIFramework calls ginkgo.AfterEach, which eventually calls http2.Framer.WriteHeaders
        #9: pkg/framework/framework.go:51:11: framework.NewCRIFramework calls ginkgo.AfterEach, which eventually calls http2.Framer.WritePing
        #10: pkg/framework/framework.go:51:11: framework.NewCRIFramework calls ginkgo.AfterEach, which eventually calls http2.Framer.WriteRSTStream
        #11: pkg/framework/framework.go:51:11: framework.NewCRIFramework calls ginkgo.AfterEach, which eventually calls http2.Framer.WriteSettings
        #12: pkg/framework/framework.go:51:11: framework.NewCRIFramework calls ginkgo.AfterEach, which eventually calls http2.Framer.WriteSettingsAck
        #13: pkg/framework/framework.go:51:11: framework.NewCRIFramework calls ginkgo.AfterEach, which eventually calls http2.Framer.WriteWindowUpdate
        #14: pkg/validate/e2e.go:33:10: validate.TestE2ECRI calls ginkgo.RunSpecs, which eventually calls http2.GoAwayError.Error
        #15: pkg/framework/util.go:330:20: framework.PullPublicImage calls fmt.Sprintf, which eventually calls http2.Setting.String
        #16: pkg/framework/util.go:330:20: framework.PullPublicImage calls fmt.Sprintf, which eventually calls http2.SettingID.String
        #17: pkg/framework/framework.go:51:11: framework.NewCRIFramework calls ginkgo.AfterEach, which eventually calls http2.SettingsFrame.ForeachSetting
        #18: pkg/validate/e2e.go:33:10: validate.TestE2ECRI calls ginkgo.RunSpecs, which eventually calls http2.StreamError.Error
        #19: pkg/framework/util.go:163:13: framework.log calls fmt.Fprintf, which eventually calls http2.chunkWriter.Write
        #20: pkg/validate/e2e.go:33:10: validate.TestE2ECRI calls ginkgo.RunSpecs, which eventually calls http2.connError.Error
        #21: pkg/validate/e2e.go:33:10: validate.TestE2ECRI calls ginkgo.RunSpecs, which eventually calls http2.duplicatePseudoHeaderError.Error
        #22: pkg/validate/e2e.go:33:10: validate.TestE2ECRI calls ginkgo.RunSpecs, which eventually calls http2.gzipReader.Close
        #23: pkg/framework/util.go:188:17: framework.NewUUID calls uuid.New, which eventually calls http2.gzipReader.Read
        #24: pkg/validate/e2e.go:33:10: validate.TestE2ECRI calls ginkgo.RunSpecs, which eventually calls http2.headerFieldNameError.Error
        #25: pkg/validate/e2e.go:33:10: validate.TestE2ECRI calls ginkgo.RunSpecs, which eventually calls http2.headerFieldValueError.Error
        #26: pkg/validate/e2e.go:33:10: validate.TestE2ECRI calls ginkgo.RunSpecs, which eventually calls http2.pseudoHeaderError.Error
        #27: pkg/framework/util.go:163:13: framework.log calls fmt.Fprintf, which eventually calls http2.stickyErrWriter.Write
        #28: pkg/validate/e2e.go:33:10: validate.TestE2ECRI calls ginkgo.RunSpecs, which eventually calls http2.transportResponseBody.Close
        #29: pkg/framework/util.go:188:17: framework.NewUUID calls uuid.New, which eventually calls http2.transportResponseBody.Read
        #30: pkg/framework/util.go:330:20: framework.PullPublicImage calls fmt.Sprintf, which eventually calls http2.writeData.String

Vulnerability #3: GO-2023-2331
    Denial of service in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
    More info: https://pkg.go.dev/vuln/GO-2023-2331
    Module: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
      Found in: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.0
      Fixed in: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.0
      Example traces found:
        #1: pkg/framework/util.go:133:49: framework.LoadCRIClient calls remote.NewRemoteRuntimeService, which calls otelgrpc.StreamClientInterceptor
        #2: pkg/framework/util.go:133:49: framework.LoadCRIClient calls remote.NewRemoteRuntimeService, which calls otelgrpc.UnaryClientInterceptor
        #3: pkg/common/pod_config.go:31:39: common.GetCgroupParent calls remote.remoteRuntimeService.RuntimeConfig, which eventually calls otelgrpc.spanInfo

=== Package Results ===

Vulnerability #1: GO-2024-3333
    Non-linear parsing of case-insensitive content in golang.org/x/net/html
    More info: https://pkg.go.dev/vuln/GO-2024-3333
    Module: golang.org/x/net
      Found in: golang.org/x/net.0
      Fixed in: golang.org/x/net.0

Vulnerability #2: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
    More info: https://pkg.go.dev/vuln/GO-2024-2611
    Module: google.golang.org/protobuf
      Found in: google.golang.org/protobuf.0
      Fixed in: google.golang.org/protobuf.0

Vulnerability #3: GO-2024-2491
    Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc
    More info: https://pkg.go.dev/vuln/GO-2024-2491
    Module: github.com/opencontainers/runc
      Found in: github.com/opencontainers/runc.10
      Fixed in: github.com/opencontainers/runc.12

=== Module Results ===

Vulnerability #1: GO-2024-3005
    Moby authz zero length regression in github.com/moby/moby
    More info: https://pkg.go.dev/vuln/GO-2024-3005
    Module: github.com/docker/docker
      Found in: github.com/docker/docker.7+incompatible
      Fixed in: github.com/docker/docker.6+incompatible

Vulnerability #2: GO-2024-2512
    Classic builder cache poisoning in github.com/docker/docker
    More info: https://pkg.go.dev/vuln/GO-2024-2512
    Module: github.com/docker/docker
      Found in: github.com/docker/docker.7+incompatible
      Fixed in: github.com/docker/docker.9+incompatible

Your code is affected by 3 vulnerabilities from 3 modules.
This scan also found 3 vulnerabilities in packages you import and 2 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities.

cri-tools [ v1.29]