Vulnerability CVE-2023-44487 in NGINX 1.21.6 reported for controller-v1.9.6 #11473
Comments
This issue is currently awaiting triage. If Ingress contributors determine this is a relevant issue, they will accept it by applying the
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/close
Please use version 1.10
@rikatz: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Thank you for the reply, but version 1.10 also uses nginx version 1.21.6, right? Which still has the above vulnerability?
No, it uses NGINX 1.25, please check the matrix table in the README file
Thank you. Is it safe to use nginx 1.25.3 in production? Because it is mentioned that it is not safe in this README
It is safe
What scanner and version reported the CVE?
Protecode scanner
What CVE was reported in the scanner findings?
CVE-2023-44487
What versions of the controller did you test with?
controller-v1.9.6
We are facing CVE-2023-44487 being reported in our recent Protecode scans. The nginx version used is 1.21.6 and in the issue #10768 it is mentioned that updating nginx to 1.25.3 or higher is needed to address this vulnerability. But I have seen in this README where it is stated not to use version 1.25.3.

Also the patch nginx-1.21.4-http2.patch mentioned in the #10662 comment is already being applied. Could you please help to address this vulnerability without updating nginx to 1.25.3?
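The thread turns on which NGINX build a given controller release ships, with 1.25.3 cited (via issue #10768) as the version needed for CVE-2023-44487. As an added example, not code from the issue or from the ingress-nginx project, the POSIX shell check below parses the banner that `nginx -v` prints and flags anything below that threshold. The `kubectl exec` invocation in the comments, its pod and namespace names, and the sample banners are assumptions and constructed input; the only project-specific value used is the 1.25.3 threshold stated in the thread.

```shell
#!/bin/sh
# Added example: classify an "nginx -v" banner against the version the issue
# thread names as needed for CVE-2023-44487 (1.25.3). Not part of ingress-nginx.
# Assumes the banner has the form "nginx version: nginx/X.Y.Z" (nginx -v writes
# it to stderr, so capture with 2>&1). Pod and namespace below are placeholders.

MIN_NGINX_VERSION="1.25.3"

# Extract "X.Y.Z" from a banner such as "nginx version: nginx/1.21.6".
# Prints nothing if the banner does not match.
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 if $1 (X.Y.Z) is >= MIN_NGINX_VERSION, 1 otherwise.
# sort -V orders version strings component-wise, so 1.25.10 > 1.25.3.
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$MIN_NGINX_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$MIN_NGINX_VERSION" ]
}

# Print a verdict for one banner. Exit status: 0 = at/above threshold,
# 1 = below threshold, 2 = banner could not be parsed.
check_nginx_banner() {
    ver=$(parse_nginx_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse a version from: $1"
        return 2
    fi
    if version_at_least "$ver"; then
        echo "OK: nginx $ver >= $MIN_NGINX_VERSION"
        return 0
    fi
    echo "BELOW THRESHOLD: nginx $ver < $MIN_NGINX_VERSION (CVE-2023-44487 per issue #10768)"
    return 1
}

# Constructed sample banners standing in for the output of (placeholder names):
#   kubectl -n <ingress-namespace> exec <controller-pod> -- nginx -v 2>&1
for banner in "nginx version: nginx/1.21.6" "nginx version: nginx/1.25.3"; do
    check_nginx_banner "$banner" || :   # verdict is printed; keep scanning
done
```

Run the `kubectl exec` line against each controller pod and feed its output to `check_nginx_banner`; the exit status lets the check sit in a CI or admission step that fails on a build below the threshold while treating an unparseable banner as a separate condition rather than a pass.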