Vulnerabilities in the Prometheus image
Summary
A customer has raised a ticket to report concerns from their security team about vulnerabilities rated HIGH in the Prometheus image deployed by the GitLab Helm chart.
```
chart=prometheus-15.0.4
prometheus-server:
  Image: quay.io/prometheus/prometheus:v2.31.1
```
- CVE-2021-43816 and CVE-2022-23648 relating to containerd
- values.yaml in the upstream chart doesn't specify a version; it comes from Chart.yaml (the values.yaml comment reads: `if not set appVersion field from Chart.yaml is used`)
- Locating the tag for this release in the GitHub repo confirms that chart 15.0.4 shipped Prometheus v2.31.1
- We ship Prometheus v2.38.0 with Omnibus, which would be between charts 15.14.0 and 15.15.0
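A small check for the situation above, added here as an example and not part of the issue or the chart: it mirrors the chart's "tag falls back to appVersion" rule and scans constructed `kubectl get pods -o json` output for Prometheus containers running a tag below a chosen minimum (v2.38.0, the version the issue says ships with Omnibus). Pod names and the non-Prometheus images are made up for the sample.

```python
import json
import re

# Constructed sample of `kubectl get pods -o json` output (not from the issue),
# trimmed to the fields this check needs.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "gitlab-prometheus-server-0"},
     "spec": {"containers": [
         {"name": "prometheus-server", "image": "quay.io/prometheus/prometheus:v2.31.1"},
         {"name": "configmap-reload", "image": "jimmidyson/configmap-reload:v0.5.0"}]}},
    {"metadata": {"name": "gitlab-webservice-default-abc"},
     "spec": {"containers": [
         {"name": "webservice", "image": "example.invalid/gitlab-webservice-ee:v15.6.0"}]}},
]})

# repo[:tag][@sha256:digest]; assumes the registry host carries no port.
IMAGE_RE = re.compile(r"^(?P<repo>[^:@]+)(?::(?P<tag>[^@]+))?(?:@sha256:[0-9a-f]{64})?$")


def effective_tag(values_tag, chart_app_version):
    """Mirror the upstream chart: an unset tag in values.yaml falls back to
    the appVersion field of Chart.yaml."""
    return values_tag or chart_app_version


def parse_version(tag):
    """'v2.31.1' -> (2, 31, 1); anything that is not plain semver -> None."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)$", tag or "")
    return tuple(int(x) for x in m.groups()) if m else None


def outdated_images(pods_json, repo, minimum):
    """Return [(pod, container, image)] for containers of `repo` whose tag is
    missing, not semver, or older than `minimum`. Digest-only references are
    flagged too, since their version cannot be read from the reference."""
    floor, hits = parse_version(minimum), []
    for pod in json.loads(pods_json)["items"]:
        for c in pod["spec"]["containers"]:
            m = IMAGE_RE.match(c["image"])
            if not m or m["repo"] != repo:
                continue
            ver = parse_version(m["tag"])
            if ver is None or ver < floor:
                hits.append((pod["metadata"]["name"], c["name"], c["image"]))
    return hits


if __name__ == "__main__":
    for hit in outdated_images(SAMPLE_PODS_JSON, "quay.io/prometheus/prometheus", "v2.38.0"):
        print("outdated:", *hit)
```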
Steps to reproduce
- Deploy the latest Helm image
- Run container security scans.
Configuration used
(Please provide a sanitized version of the configuration used wrapped in a code block (```yaml))
(Paste sanitized configuration here)
Current behavior
High CVEs reported
Expected behavior
High CVEs not reported
Versions
- Chart: 6.6.0 (15.6.0)
Relevant logs
(Please provide any relevant log snippets you have collected, using code blocks (```) to format)