Why does my AKS cluster i just deployed has lots of vulnerabilities after running a WIZ scan

Fobuzie, Marleo 0 Reputation points
2024-06-20T20:08:19.2466667+00:00

We recently deployed a private AKS cluster 1.28.5 version. Cluster is not yet configured.

We installed Helm and then ran a WIZ scan to identify vulnerabilities.

Several vulnerabilities were identified, please see screenshot below.

Was wondering were these vulnerabilities are from and how to resolve them.

User's image

Header 1 Header 2
Cell 1 Cell 2
Cell 3 Cell 4
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,983 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Anveshreddy Nimmala 3,460 Reputation points Microsoft Vendor
    2024-06-21T05:06:43.5133333+00:00

    Hello Fobuzie, Marleo.

    Welcome to microsoft Q&A, thankyou for posting your query here.

    Please refer to https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli for Microsoft's documentation on supported Kubernetes versions in AKS.

    If the version of 1.28.5 that is still supported is getting close to its end of life (EOL), you might want to update to 1.28.x, which is the most recent patch, instead. You might also consider updating to a more recent minor version (like 1.29.y), but make sure it works with your workloads first.

    You should be able to fix the CVE-2022-44840 vulnerability in your AKS cluster by doing the following steps.

    Using the package manager compatible with your operating system, update Helm to the most recent version.

    The package versions that you utilized in your container images appear to be connected to the vulnerabilities, based on error images.

    The error explains how to update the packages to specific versions in order to solve the vulnerabilities:

    perl-base to version 5.30.0-9ubuntu0.5 or higher

    libssl1.1 to version 3.0.8-1 or higher

    Updates to fixed versions of libc6 and libssl1.1 can resolve vulnerabilities.

    RUN apt upgrade libc6 libssl1.1

    RUN apt upgrade binutils-common

    Hope this helps you.