
Conversation

@jdanieck jdanieck commented Aug 1, 2025

📝 Description

A Trivy image scan discovered CVE-2025-4565 in the Controller image. The protobuf package is pulled in indirectly by vdms.

The proper fix requires a protobuf dependency update in vdms and a vdms upgrade on our side. Looking at the vdms repo, we can see both the IntelLabs/vdms#298 issue and the IntelLabs/vdms#299 PR, which have been unresolved since Jun 17.

This PR overrides the protobuf package after vdms installation. A minor version upgrade is expected to be backward compatible, hence it should be safe to upgrade. That said, it requires running regression tests on our end to make sure everything is still working fine.

$ trivy image scenescape-controller:1.4.0-rc1 -s CRITICAL,HIGH
...
Python (python-pkg)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────────────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────────────┬─────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability │ Severity │ Status │ Installed Version │     Fixed Version      │                          Title                          │
├─────────────────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────────────┼─────────────────────────────────────────────────────────┤
│ protobuf (METADATA) │ CVE-2025-4565 │ HIGH     │ fixed  │ 4.24.2            │ 4.25.8, 5.29.5, 6.31.1 │ python-protobuf: Unbounded recursion in Python Protobuf │
│                     │               │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2025-4565               │
└─────────────────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────────────┴─────────────────────────────────────────────────────────┘
$ docker run --entrypoint python3 -it --rm scenescape-controller-test:1.4.0-rc1 -m pipdeptree --reverse --packages protobuf
------------------------------------------------------------------------
protobuf==4.24.2
└── vdms==0.0.21 [requires: protobuf==4.24.2]

✨ Type of Change

Select the type of change your PR introduces:

  • 🐞 Bug fix – Non-breaking change which fixes an issue
  • 🚀 New feature – Non-breaking change which adds functionality
  • 🔨 Refactor – Non-breaking change which refactors the code base
  • 💥 Breaking change – Changes that break existing functionality
  • 📚 Documentation update
  • 🔒 Security update
  • 🧪 Tests
  • 🚂 CI

🧪 Testing Scenarios

Describe how the changes were tested and how reviewers can test them too:

  • ✅ Tested manually
  • 🤖 Ran automated end-to-end tests

✅ Checklist

Before submitting the PR, ensure the following:

  • 🔍 PR title is clear and descriptive
  • 📝 For internal contributors: If applicable, include the JIRA ticket number (e.g., ITEP-123456) in the PR title. Do not include full URLs
  • 💬 I have commented my code, especially in hard-to-understand areas
  • 📄 I have made corresponding changes to the documentation
  • ✅ I have added tests that prove my fix is effective or my feature works

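The PR description overrides a transitively pinned package and relies on the upgrade staying within the same major line. The script below is an added illustration, not code from the SceneScape or vdms projects: it takes the version strings from the Trivy table above (installed 4.24.2; fixed 4.25.8, 5.29.5, 6.31.1), decides whether an installed release is on a fixed line, picks the least-disruptive fix on the same major line, builds a pip specifier that cannot drift to a newer major, and finally reads what is actually installed in the running environment. The function names are invented for the example, and it generalises beyond protobuf to any package reported by a scanner with several fixed branches.

```python
"""Checks for a transitive dependency that is overridden after install.

Added example, not code from the SceneScape or vdms projects.  The function
names are made up for the illustration; the version strings come from the
Trivy report (installed 4.24.2; fixed 4.25.8, 5.29.5, 6.31.1).
"""

from importlib import metadata

# Constructed from the Trivy table: vulnerable install and the fixed releases.
INSTALLED = "4.24.2"
FIXED = ("4.25.8", "5.29.5", "6.31.1")


def parse_version(text):
    """Turn '4.25.8' into (4, 25, 8) so releases compare numerically rather
    than as strings ('4.9.0' must sort below '4.25.8').  Pre-releases such as
    '4.25.8rc1' are not handled; protobuf wheels in images are final releases."""
    return tuple(int(part) for part in text.split("."))


def is_fixed(installed, fixed_versions):
    """True when the installed release is at or above the fix on its own
    major line.  A fix on another major line does not count: 6.31.1 being
    safe says nothing about a 4.x install."""
    inst = parse_version(installed)
    same_line = [parse_version(f) for f in fixed_versions
                 if parse_version(f)[0] == inst[0]]
    return bool(same_line) and inst >= min(same_line)


def minimal_fix(installed, fixed_versions):
    """Smallest fixed release above the installed one on the same major line,
    i.e. the least disruptive upgrade when another package pins that line.
    None when the install is already fixed or no fix exists on that line."""
    inst = parse_version(installed)
    same_line = [parse_version(f) for f in fixed_versions
                 if parse_version(f)[0] == inst[0] and parse_version(f) > inst]
    if not same_line:
        return None
    return ".".join(str(n) for n in min(same_line))


def override_specifier(name, installed, fixed_versions):
    """Build a pip requirement that takes the fix but stays on the same major
    line, e.g. 'protobuf>=4.25.8,<5'.  An open-ended '>=4.25.8' resolves to
    the newest release on the index, which may be a different major."""
    fix = minimal_fix(installed, fixed_versions)
    if fix is None:
        return None
    major = parse_version(fix)[0]
    return f"{name}>={fix},<{major + 1}"


def check_installed(name, fixed_versions):
    """Read the version actually present in this environment (what a test
    stage in the image should assert on) and report (version, fixed?).
    Returns (None, False) when the package is absent."""
    try:
        installed = metadata.version(name)
    except metadata.PackageNotFoundError:
        return None, False
    return installed, is_fixed(installed, fixed_versions)


if __name__ == "__main__":
    print("scanner install", INSTALLED, "fixed:", is_fixed(INSTALLED, FIXED))
    print("least disruptive fix:", minimal_fix(INSTALLED, FIXED))
    print("override spec:", override_specifier("protobuf", INSTALLED, FIXED))
    print("in this environment:", check_installed("protobuf", FIXED))
```

Running `check_installed("protobuf", FIXED)` inside the built image is the cheap regression gate for this kind of override: it confirms the upgrade actually replaced the pinned wheel rather than being shadowed by a later install step, and the `<major + 1` cap in the specifier keeps a future rebuild from silently pulling a new major that vdms was never tested against.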
@jdanieck jdanieck self-assigned this Aug 1, 2025
# WORKAROUND: Force upgrade protobuf to a secure version, even though vdms pins an older version.
# This may break vdms if it is not compatible with newer protobuf, but is required to fix CVE-2025-4565.
# Remove this when vdms supports a secure protobuf version.
RUN pip3 install --break-system-packages --upgrade --no-cache-dir 'protobuf>=4.25.8'
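Review bot: the specifier `'protobuf>=4.25.8'` on the RUN line has no upper bound, so a fresh build resolves to the newest release on the index, which per the Trivy table is a 5.x or 6.x major, not the 4.25.8 minor bump the description argues is backward compatible. Since pipdeptree shows `vdms==0.0.21 [requires: protobuf==4.24.2]`, cap the line, e.g. `'protobuf>=4.25.8,<5'`, and run `pip3 check` in the test image so the now-unsatisfied vdms pin is reported rather than silent; the comment above the RUN line should also name the intended version range so the workaround can be removed deliberately later.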
Contributor Author

@jjarquin I was given your name by @tdorauintc. Is there any way you can help us with the vdms update?

@jdanieck jdanieck marked this pull request as ready for review August 1, 2025 10:32
@saratpoluri saratpoluri changed the base branch from release-1.4.0-rc1 to release-1.4.0 August 8, 2025 00:56
@jdanieck jdanieck enabled auto-merge (squash) August 8, 2025 15:01
@jdanieck jdanieck merged commit ea04869 into release-1.4.0 Aug 8, 2025
24 of 25 checks passed
@jdanieck jdanieck deleted the fix-cve-2025-4565 branch August 8, 2025 15:47