Multiple vulnerabilities found in Docker image v6.7.7 #191
Comments
Thanks for this report. We're looking into these items and will respond shortly.
The first six items, representing three vulnerabilities shared by
CVE-2022-1650, shown in this list as a vulnerability of "eventsource v1.7.1", does not make sense to us in this context; we suspect there may be an error in the CVE database used by Black Duck, or in the logic it uses for determining which database entries are applicable. The CVE's description (and the linked huntr.dev report) says it is about "GitHub repository eventsource/eventsource prior to v2.0.2". But https://github.com/eventsource/eventsource is a JavaScript library, and it is not referenced in any way in the Relay Proxy application (which contains no JavaScript code), or, as far as we can tell, by any other code in the ld-relay Docker image. So, while that CVE does seem plausible in itself in regard to that repository (whose most recent version is 2.0.2), it seems out of place here. The Relay Proxy code does use an unrelated Go library (that is, unrelated in terms of implementation and platform; it is for a related purpose), https://github.com/launchdarkly/eventsource. And v1.7.1 is the version we are using of that, so the Black Duck listing does seem to be referencing that version, but the actual CVE is clearly not referring to that. It's unclear whether there is any change we could make that would make Black Duck stop reporting it, since there is no such thing as a v2.0.2 version of the library we're using. We'll continue to investigate this and, if it is an error by the scanner, we'll do our best to make Synopsys aware of it. Unfortunately, our last attempt to make them aware of a different error via their support forum (here) never received a response.
Finally, regarding the OpenSSL vulnerability CVE-2022-1292, we believe this is not relevant to the Relay Proxy because the Go runtime uses its own TLS implementation rather than using OpenSSL. But since scanners will flag this as long as it is present in Alpine, we should update to an Alpine patch version that has newer versions of libcrypto/libssl— or, if no such patch is available, we will patch those libraries separately.
To sum up: we don't believe any of these to represent real security vulnerabilities in a running Relay Proxy container, but we do intend to release a patch soon that should make the curl and OpenSSL-related warnings disappear. The warning about eventsource, we believe to be invalid, but we do not currently know of a way to stop the warning from happening. If it remains as a known problem, we will open a new issue here specifically about that, to clarify the situation for other customers who may be using Black Duck.
@fredericdesroches We've released version 6.7.8 with patches for all of these warnings except the eventsource one. Could you verify that your scanner is no longer showing these with the new release?
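One way to triage a name-collision finding like the CVE-2022-1650 one described above, as an added example that is not part of this thread or of the ld-relay project: the advisory records, the go.mod excerpt and the hypothetical EXAMPLE-GO-0001 advisory (with its example.invalid module) are constructed here, and the check matches on ecosystem plus full module path rather than on the bare package name.

```python
import re

# Constructed advisory records: (ecosystem, package, first fixed version).
# CVE-2022-1650 is recorded against the npm package, as the thread describes.
# EXAMPLE-GO-0001 is a hypothetical Go advisory used only to show a true match.
ADVISORIES = {
    "CVE-2022-1650": ("npm", "eventsource", "2.0.2"),
    "EXAMPLE-GO-0001": ("Go", "example.invalid/parser", "1.4.0"),
}

# Constructed go.mod excerpt; the eventsource line is the version the thread names.
GO_MOD = """\
module github.com/launchdarkly/ld-relay/v6

require (
    github.com/launchdarkly/eventsource v1.7.1
    example.invalid/parser v1.3.2
)
"""

def parse_go_requires(text):
    """Return {module_path: version} for every require line in a go.mod."""
    return dict(re.findall(r"^\s*(\S+)\s+(v\d+\.\d+\.\d+)\s*$", text, re.M))

def version_tuple(v):
    return tuple(int(x) for x in v.lstrip("v").split("."))

def assess(cve, requires, ecosystem="Go"):
    """Classify one finding against a Go dependency set; returns (verdict, reason).

    A cross-ecosystem hit on the last path element alone is the false-positive
    pattern the thread describes for launchdarkly/eventsource v1.7.1.
    """
    adv_eco, pkg, fixed = ADVISORIES[cve]
    if adv_eco != ecosystem:
        collisions = [p for p in requires if p.rsplit("/", 1)[-1] == pkg]
        if collisions:
            return ("false_positive",
                    f"{adv_eco} advisory matched {collisions[0]} by bare name only")
        return ("not_applicable", f"{adv_eco} advisory, no {ecosystem} counterpart")
    if pkg not in requires:
        return ("not_applicable", f"{pkg} not required")
    if version_tuple(requires[pkg]) < version_tuple(fixed):
        return ("vulnerable", f"{pkg} {requires[pkg]} is below fixed {fixed}")
    return ("fixed", f"{pkg} {requires[pkg]} >= {fixed}")

def triage(go_mod=GO_MOD):
    requires = parse_go_requires(go_mod)
    return {cve: assess(cve, requires) for cve in ADVISORIES}
```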
@eli-darkly Thank you very much for the swift response and analysis, very much appreciated! We will report the We will be upgrading to v6.7.8 as it patches the curl and openssl vulnerabilities. It does, however, bring a new vulnerability with busybox:
It does seem to apply very much unless ld-relay uses Thank you again, Frederic
Ugh, that's unfortunate about the busybox warning. That must be a CVE that exists in Alpine 3.16.0 and did not exist in 3.14.6— and there are no patches for 3.16.x yet, and I don't think it is possible to patch busybox separately since it's a core component of Alpine. But I think you're right that it is not relevant to Relay Proxy usage; the Docker image runs our It's also unfortunate that apparently Trivy— which is what we use for prerelease scanning, as well as re-scanning existing code for newly reported vulnerabilities— is not able to detect this vulnerability; normally we've been able to rely on Trivy for all CVEs related to things in the OS, it was just that it had a more limited ability to detect things inside Go code.
We will keep an eye out for any Alpine 3.16.x patch and update to it as soon as available.
Well, maybe it would be best for us to put out another patch which rolls the Alpine version back, and just separately updates the libcrypto and openssl packages. Using a newer Trivy that understands how to scan Alpine 3.16 (it looks to me like there was a lag in them implementing this, causing false negatives for that version), other CVEs showed up— again not ones that would plausibly affect the Relay Proxy, but still, we would rather be using a more thoroughly patched OS on principle.
Unfortunately Alpine still has not released a patch for 3.16.0.
Hi @eli-darkly, what shall we do here? Should we close the issue as all of the initial vulnerable libraries have been patched and track the busybox one in a separate issue, or continue tracking it here? Thanks, Frederic
I'm fine with leaving this issue open; that makes it easier for anyone who noticed the same thing to track the work that's been done so far.
By the way, the open issue for patching busybox in Alpine 3.16 is here: alpinelinux/docker-alpine#264
Alpine 3.16.1 is out now and the release notes say that it fixes CVE-2022-30065; unfortunately, that turned out not to be accurate. It does not seem to be possible to patch the affected package directly (see link in my previous comment) so we will have to wait for 3.16.2 for that one. Once again, we do not see this as an actual vulnerability for a Relay Proxy instance, but we do want to make the warnings about this go away as soon as possible.
We've released v6.7.11, which updates Alpine to 3.16.1. As mentioned in my previous comment, that patch may not actually have fixed this particular issue; at first Trivy was continuing to report the issue, and other developers have seen the same. However, Trivy is now saying the image is OK. The Alpine patch is desirable in any case. When you have a chance to try the new image, could you please let us know whether your own scanner is now happy with it or not?
Hi @eli-darkly, everything is under control with v6.7.11! I suppose we can close this now? Thanks a lot for the effort, Frederic
Great - I guess there was just some kind of security database glitch earlier that was making it look like Alpine 3.16.1 didn't fix the busybox issue. So we're good, until the next inevitable CVE. I'll close this now.
Is this a support request?
No
Describe the bug
Hello, our open-source vulnerability scanner (Black Duck Binary Analysis) has detected 3 vulnerabilities in 3 libraries used by the ld-relay proxy.
Image used: https://hub.docker.com/layers/ld-relay/launchdarkly/ld-relay/6.7.7/images/sha256-b301c72e186dd63557b91a2bbe1f004c5f4bc8527f85441c6abe03a4283903b2?context=explore
To reproduce
Scan docker image with Black Duck Binary Analysis
Expected behavior
ld-relay proxy should not contain vulnerable libraries. If not patchable, we would require an explanation as to why these vulnerabilities are not as severe as they look.
Logs
N/A
SDK version
N/A
Language version, developer tools
N/A
OS/platform
N/A
Additional context
N/A