
[sdk] High Risk CVE with Kubernetes library inside KFP SDK  #9033

Closed
@revolutionisme

Description


Environment

  • KFP version: 1.8.2
  • KFP SDK version: 1.8.19
  • All dependencies version:
    • kfp 1.8.19
    • kfp-pipeline-spec 0.1.16
    • kfp-server-api 1.8.5

Steps to reproduce

The library kubernetes version <20 (specifically 19.15.0) was detected in KFP SDK 1.8.19 and is vulnerable to CVE-2021-29923, which exists in kubernetes versions <25.3.0.

The vulnerability was found in the Pyup.io Safety DB with vendor severity: High (NVD severity: High).

This vulnerability has a known exploit available. Source: Github [1, 2].

The vulnerability can be remediated by updating the library to version 25.3.0 or higher; currently there is a hard requirement for the Kubernetes library version to be below 20, based on the requirements.txt in v1.8.19.

Expected result

The CVEs are resolved.

Materials and Reference

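The core problem in this report is a dependency pin that excludes every fixed version of a library. The following stdlib-only check is an added example, not code from the issue or the KFP project: it parses simple requirement specifiers and flags any pin that cannot be satisfied by the version named as carrying the fix. The sample requirements are constructed (the `<20` upper bound follows the issue; the `>=8.0.0` lower bound is an assumption for illustration).

```python
import re
from importlib import metadata
from typing import List, Optional, Tuple

# Constructed sample input modelled on the issue: the pin KFP SDK 1.8.19 places on
# the kubernetes client (upper bound from the report, lower bound assumed) and the
# first version the report names as non-vulnerable.
REQUIREMENTS = ["kubernetes>=8.0.0,<20", "kfp-server-api>=1.1.0,<2.0.0"]
FIXED = {"kubernetes": "25.3.0"}  # package -> first non-vulnerable version

_REQ = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$")
_OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b, ">": lambda a, b: a > b}

def parse_version(v: str) -> Tuple[int, ...]:
    """'25.3.0' -> (25, 3, 0); a trailing suffix such as 'rc1' is ignored."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", v.strip()).group().split("."))

def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every comma-separated clause of a specifier
    such as '>=8.0.0,<20'. Only the six plain comparison operators are handled."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in specifier.split(","))):
        m = re.match(r"(==|!=|<=|>=|<|>)\s*([0-9.]+)", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](*_pad(v, parse_version(bound))):
            return False
    return True

def blocked_remediations(requirements: List[str], fixed: dict) -> List[str]:
    """Requirement lines whose pin excludes the fixed version, i.e. pins that
    keep the dependency inside the vulnerable range no matter what pip resolves."""
    blocked = []
    for line in requirements:
        name, spec = _REQ.match(line).groups()
        if name.lower() in fixed and not satisfies(fixed[name.lower()], spec):
            blocked.append(line)
    return blocked

def installed_is_vulnerable(package: str, fixed_version: str) -> Optional[bool]:
    """Check this interpreter's environment: None if the package is absent,
    True when the installed version is older than the fixed one."""
    try:
        return satisfies(metadata.version(package), f"<{fixed_version}")
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    for line in blocked_remediations(REQUIREMENTS, FIXED):
        print(f"pin blocks upgrade to fixed version: {line}")
```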
