Status: Open
Labels: bug
Description
Checklist:
- I've included steps to reproduce the bug.
- I've included the version of argo rollouts.
Summary
This issue addresses 19 security vulnerabilities found in the argo-rollouts container image during security scanning. Immediate attention is required for critical and high-severity vulnerabilities.
| Severity | Count |
|---|---|
| 🔴 Critical | 1 |
| 🟠 High | 3 |
| 🟡 Medium | 13 |
| 🟢 Low | 2 |
| Total | 19 (7 OS packages + 12 Go binary packages) |
Critical Vulnerabilities (Immediate Action Required)
| CVE | Package | Current Version | Fixed Version | CVSS | Impact |
|---|---|---|---|---|---|
| CVE-2024-45337 | golang.org/x/crypto | v0.27.0 | 0.31.0 | 9.1 | Cryptographic vulnerability in Go crypto library |
High Priority Vulnerabilities (Urgent Action Required)
| CVE/Advisory | Package | Current Version | Fixed Version | CVSS | Impact |
|---|---|---|---|---|---|
| GHSA-9763-4f94-gfch | github.com/cloudflare/circl | v1.3.3 | 1.3.7 | N/A | Security advisory for Cloudflare CIRCL library |
| CVE-2025-22869 | golang.org/x/crypto | v0.27.0 | 0.35.0 | 7.5 | Additional crypto library vulnerability |
| CVE-2024-10220 | k8s.io/kubernetes | v1.29.3 | 1.29.7+ | 8.1 | Kubernetes security vulnerability |
Medium Priority Vulnerabilities
| CVE | Package | Current Version | Fixed Version | CVSS |
|---|---|---|---|---|
| CVE-2025-22870 | golang.org/x/net | v0.29.0 | 0.36.0 | 4.4 |
| CVE-2025-22872 | golang.org/x/net | v0.29.0 | 0.38.0 | 6.5 |
| CVE-2024-9042 | k8s.io/kubernetes | v1.29.3 | 1.29.13+ | 5.9 |
| CVE-2025-0426 | k8s.io/kubernetes | v1.29.3 | 1.29.14+ | 6.2 |
| CVE-2025-9230 | openssl (multiple packages) | 1:3.2.2-1.amzn2023.0.1 | 1:3.2.2-1.amzn2023.0.2 | 5.6 |
| CVE-2025-9231 | openssl (multiple packages) | 1:3.2.2-1.amzn2023.0.1 | 1:3.2.2-1.amzn2023.0.2 | 5.9 |
| CVE-2025-8869 | python3-pip-wheel | 21.3.1-2.amzn2023.0.13 | 21.3.1-2.amzn2023.0.14 | 5.3 |
Affected Components
🔧 Go Binary Dependencies (usr/bin/rollouts-controller)
- golang.org/x/crypto: Multiple vulnerabilities (CVE-2024-45337, CVE-2025-22869)
- golang.org/x/net: Network library vulnerabilities
- k8s.io/kubernetes: Multiple Kubernetes vulnerabilities
- github.com/cloudflare/circl: Cryptographic library issues
📦 OS Package Dependencies
- OpenSSL packages: Multiple packages affected (openssl, openssl-libs, openssl-fips-provider-latest)
- Python packages: pip-wheel vulnerability
Steps to Reproduce
Scan the image with a scanner such as Trivy.
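To make the reproduction step checkable in CI rather than by eye, the following added example (not part of this issue or of the argo-rollouts project) parses Trivy's JSON output (`trivy image --format json <image>`), produces the same severity summary table used above, lists the minimum version each package must reach to clear every finding that has a fix, and returns the IDs that would fail a Critical/High gate. The embedded report is constructed by hand from a subset of the findings listed above; the image name is a placeholder, and the field names follow Trivy's JSON schema (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`).

```python
"""Summarise a Trivy JSON scan and derive the dependency bumps it calls for.

Added example for this issue, not argo-rollouts code. SAMPLE_REPORT is a
hand-constructed stand-in for `trivy image --format json ...` output.
"""
import json
import re
from collections import Counter

# Constructed sample: a subset of the findings from the issue above.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/argo-rollouts:v1.8.3",  # placeholder image ref
    "Results": [
        {
            "Target": "usr/bin/rollouts-controller", "Class": "lang-pkgs", "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2024-45337", "PkgName": "golang.org/x/crypto",
                 "InstalledVersion": "v0.27.0", "FixedVersion": "0.31.0", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2025-22869", "PkgName": "golang.org/x/crypto",
                 "InstalledVersion": "v0.27.0", "FixedVersion": "0.35.0", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2025-22870", "PkgName": "golang.org/x/net",
                 "InstalledVersion": "v0.29.0", "FixedVersion": "0.36.0", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "example/argo-rollouts:v1.8.3 (amazon 2023)", "Class": "os-pkgs", "Type": "amazon",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2025-9230", "PkgName": "openssl",
                 "InstalledVersion": "1:3.2.2-1.amzn2023.0.1",
                 "FixedVersion": "1:3.2.2-1.amzn2023.0.2", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-2025-9230", "PkgName": "openssl-libs",
                 "InstalledVersion": "1:3.2.2-1.amzn2023.0.1",
                 "FixedVersion": "1:3.2.2-1.amzn2023.0.2", "Severity": "MEDIUM"},
            ],
        },
    ],
})

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def load_findings(report_json):
    """Flatten Trivy's per-target results into one list of finding dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) for clean targets.
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN"),
                "target": result.get("Target", ""),
                "class": result.get("Class", ""),
            })
    return findings


def severity_counts(findings):
    """Counts per severity, in the order the issue's table uses (empty levels dropped)."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts[sev] for sev in SEVERITY_ORDER if counts[sev]}


def _version_key(version):
    """Best-effort ordering key: numeric chunks compare as ints, the rest as text.
    Works for Go module versions and for RPM-style strings of the same package."""
    parts = re.split(r"(\d+)", version.lstrip("v"))
    return tuple(int(p) if p.isdigit() else p for p in parts if p)


def required_bumps(findings):
    """Highest fixed version per package, i.e. the single bump that clears all its findings."""
    best = {}
    for f in findings:
        if not f["fixed"]:
            continue  # no upstream fix yet; nothing to bump for this finding
        # Trivy may list several fixed versions comma-separated; keep the highest.
        for candidate in (c.strip() for c in f["fixed"].split(",")):
            if f["pkg"] not in best or _version_key(candidate) > _version_key(best[f["pkg"]]):
                best[f["pkg"]] = candidate
    return best


def blocking_findings(findings, gate=("CRITICAL", "HIGH")):
    """Sorted, de-duplicated IDs that would fail a severity gate in CI."""
    return sorted({f["id"] for f in findings if f["severity"] in gate})


def markdown_summary(findings):
    """Render the severity table in the same markdown layout as the issue."""
    lines = ["| Severity | Count |", "|---|---|"]
    for sev, n in severity_counts(findings).items():
        lines.append(f"| {sev.title()} | {n} |")
    lines.append(f"| Total | {len(findings)} |")
    return "\n".join(lines)


if __name__ == "__main__":
    fs = load_findings(SAMPLE_REPORT)
    print(markdown_summary(fs))
    for pkg, ver in sorted(required_bumps(fs).items()):
        print(f"bump {pkg} -> {ver}")
    print("gate-blocking:", blocking_findings(fs))
```

On a real run, replace `SAMPLE_REPORT` with the file written by `trivy image --format json -o report.json <image>`; `required_bumps` then gives the `go get` targets for the binary findings and the OS package versions the base image must carry, and a non-empty `blocking_findings` result is what a pipeline should fail on.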
Acceptance Criteria/Expectation
- All critical and high-severity (+ Medium, if possible) vulnerabilities resolved
- Security scan shows clean results for updated components
- No functional regressions introduced
- Release changes with new dependency versions
Version
v1.8.3