LD has opened this issue to let everyone know that we're aware of the following vulnerabilities being flagged by security scanners on our Docker image, and we will release a patch version of the Docker image to address these as soon as possible.
It's our policy to make any necessary dependency/platform updates for such issues no matter what, but we also look into the details to determine how much of an actual risk these represent, if any, to Relay Proxy installations that are currently running. Here is our analysis:
CVE-2022-30065: This is a vulnerability in the awk tool included in the Alpine Linux distribution that our Docker image uses. We do not believe this affects Relay Proxy instances, which never invoke awk; it would only be invoked if an attacker were already able to execute arbitrary commands in the container. (This was one of the CVEs previously mentioned in #191)
CVE-2022-21698: A vulnerability in the Prometheus metrics integration. We do not believe this affects Relay Proxy instances, even if Prometheus metrics are enabled, because the Relay Proxy does not use the Prometheus client in the ways mentioned in the CVE description. It definitely cannot affect Relay Proxy instances that do not have Prometheus metrics enabled.
CVE-2021-44716: A vulnerability in the Go runtime's implementation of HTTP/2. Maliciously crafted HTTP requests could cause uncontrolled memory consumption.
CVE-2022-29526: A Go runtime bug that has no obvious security implications (the symptom appears to be that an application might wrongly think it has permission to access a file, but that the file would still really not be accessible), but in any case should not affect Relay Proxy instances since this API is not being used.
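As an added example (not code from LaunchDarkly or the Relay Proxy project), the following Go program does the check a practitioner would want for the two Go runtime CVEs listed above: it reads the toolchain version out of `go version -m BINARY` output and reports which of those CVEs a binary built with that toolchain still carries. The patched versions it uses (1.16.12 and 1.17.5 for CVE-2021-44716, 1.17.10 and 1.18.2 for CVE-2022-29526) come from the Go release notes, not from this issue, and the build-info text, binary path and module path are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// runtimeFix records the earliest patched release on each Go branch that
// shipped a fix. Fix versions are taken from the Go release notes, not from
// this issue; verify them against the advisory before relying on them.
type runtimeFix struct {
	cve     string
	patched []string // one entry per patched branch, e.g. "1.16.12", "1.17.5"
}

var goRuntimeFixes = []runtimeFix{
	{cve: "CVE-2021-44716", patched: []string{"1.16.12", "1.17.5"}},
	{cve: "CVE-2022-29526", patched: []string{"1.17.10", "1.18.2"}},
}

// parseGoVersion turns "go1.17.3" or "1.17.3" into [major, minor, patch];
// a bare "go1.18" is patch 0. Pre-releases such as "go1.17rc1" are rejected.
func parseGoVersion(v string) ([3]int, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return [3]int{}, fmt.Errorf("unrecognised Go version %q", v)
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return [3]int{}, fmt.Errorf("unrecognised Go version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// branchCmp orders two versions by major.minor only (the release branch).
func branchCmp(a, b [3]int) int {
	if a[0] != b[0] {
		return a[0] - b[0]
	}
	return a[1] - b[1]
}

// isFixed reports whether toolchain v contains the fix. On a patched branch the
// patch level decides; a branch newer than every patched branch forked from
// fixed code; an older branch was end-of-life and never received the fix.
func isFixed(v [3]int, patched []string) (bool, error) {
	var newest [3]int
	for _, p := range patched {
		f, err := parseGoVersion(p)
		if err != nil {
			return false, err
		}
		if branchCmp(v, f) == 0 {
			return v[2] >= f[2], nil
		}
		if branchCmp(f, newest) > 0 {
			newest = f
		}
	}
	return branchCmp(v, newest) > 0, nil
}

// AffectedCVEs lists the CVEs in goRuntimeFixes that a binary built with the
// given toolchain version still carries.
func AffectedCVEs(goVersion string) ([]string, error) {
	v, err := parseGoVersion(goVersion)
	if err != nil {
		return nil, err
	}
	var affected []string
	for _, f := range goRuntimeFixes {
		fixed, err := isFixed(v, f.patched)
		if err != nil {
			return nil, err
		}
		if !fixed {
			affected = append(affected, f.cve)
		}
	}
	return affected, nil
}

// ToolchainFromBuildInfo extracts the toolchain from `go version -m BINARY`
// output, whose first line reads "<path>: go1.17.3".
func ToolchainFromBuildInfo(out string) (string, error) {
	first, _, _ := strings.Cut(out, "\n")
	i := strings.LastIndex(first, ": ")
	if i < 0 {
		return "", fmt.Errorf("no toolchain version in %q", first)
	}
	return strings.TrimSpace(first[i+2:]), nil
}

// constructedBuildInfo imitates what `go version -m` prints for a binary in a
// container; the path, module and toolchain are made up for this example.
const constructedBuildInfo = "/app/relay: go1.17.3\n\tpath\texample.com/relay\n"

func main() {
	tc, err := ToolchainFromBuildInfo(constructedBuildInfo)
	if err != nil {
		panic(err)
	}
	affected, err := AffectedCVEs(tc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("toolchain %s still carries: %v\n", tc, affected)
}
```

In practice you would run `go version -m` against the binary copied out of the image (for example with `docker cp`) and feed its output to `ToolchainFromBuildInfo`; the branch-aware comparison matters because a scanner that only compares the patch number would wrongly flag a 1.18.0 build as missing a 1.17.5 fix.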
The 6.7.11 release fixes these issues, except possibly for CVE-2022-30065; there are reports that some security scanners do not consider this to be fixed in Alpine 3.16.1, even though according to our own latest scans, it is. We will continue to monitor for reports.