
Multiple vulnerabilities found in Docker image v6.7.13 #205

Closed
fredericdesroches opened this issue Oct 25, 2022 · 5 comments

Comments

@fredericdesroches

Is this a support request?
No

Describe the bug
Hello, our open-source vulnerability scanner (Black Duck Binary Analysis) has detected vulnerabilities in libraries used by the ld-relay proxy.

Image used: https://hub.docker.com/layers/launchdarkly/ld-relay/6.7.13/images/sha256-cf8a6c8a7278f88a9566e243fd28b5f525b47e43336275a306265700662fcab6?context=explore

"Component","Version","Latest version","CVE","Matching type","CVSS","CVE publication date","Object compilation date","Object","Object full path","Object SHA1","CVSS3","CVSS vector (v2)","CVSS vector (v3)","Distribution package","CVSS (Distribution)","CVSS3 (Distribution)","Triage vectors","Note type","Note reason","Vulnerability URL","Missing exploit mitigations"
"consul","v1.12.0","v1.14.0-beta1","CVE-2022-40716","Exact match","0.0","2022-09-23T12:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","6.5","","AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","http://nvd.nist.gov/vuln/detail/CVE-2022-40716",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-41715","Exact match","0.0","2022-10-14T15:16:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-41715",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-32189","Exact match","0.0","2022-08-10T20:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-32189",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-30635","Exact match","0.0","2022-08-10T20:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-30635",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-30633","Exact match","0.0","2022-08-10T20:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-30633",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-30632","Exact match","0.0","2022-08-10T20:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-30632",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-30631","Exact match","0.0","2022-08-10T20:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-30631",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-30630","Exact match","0.0","2022-08-10T20:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-30630",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-2880","Exact match","0.0","2022-10-14T15:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","http://nvd.nist.gov/vuln/detail/CVE-2022-2880",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-2879","Exact match","0.0","2022-10-14T15:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-2879",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-28131","Exact match","0.0","2022-08-10T20:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-28131",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-27664","Exact match","0.0","2022-09-06T18:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-27664",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-32148","Exact match","0.0","2022-08-10T20:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","6.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","http://nvd.nist.gov/vuln/detail/CVE-2022-32148",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-1705","Exact match","0.0","2022-08-10T20:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","6.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","http://nvd.nist.gov/vuln/detail/CVE-2022-1705",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-1962","Exact match","0.0","2022-08-10T20:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","5.5","","AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-1962",""

To reproduce
Scan docker image with Black Duck Binary Analysis

Expected behavior
Our security policy mandates that the ld-relay proxy should not contain vulnerable libraries. We understand not everything is applicable. If something is not, it would be appreciated if a short explanation is provided (i.e. the consul detection).

Logs
N/A

SDK version
N/A

Language version, developer tools
N/A

OS/platform
Alpine

Additional context
N/A

Thanks!

@eli-darkly
Contributor

Thanks for filing this - we got a similar scan result recently, but had been slow in posting an issue as we normally would do.

The ones related to the Go runtime should be straightforward to address in a patch release. Our analysis of the specific CVEs listed here is that for the most part, they apply to Go features that are never used by the Relay Proxy (the scanner does not look at whether the vulnerable APIs are ever called; it simply flags the entire overall version of the Go runtime as vulnerable), but a few of them represent real potential resource-exhaustion attacks, specifically in a case where the "offline mode" feature is being used and Relay is configured to use a maliciously crafted offline data archive. In any case, regardless of whether these are plausible vulnerabilities, we will address them with high priority by updating the Go runtime version in the Docker image.

The one for Consul is harder, because it is not actually a vulnerability in the Consul client library we're using; it's a known issue with Black Duck (and possibly with other products that use a similar data set, but Black Duck is the one we've consistently heard about) where it is mistakenly treating the Consul client as if it were the same version number of the Consul server. For more about this, please see hashicorp/consul#10674 and launchdarkly/go-server-sdk-consul#9. In the past we've sometimes been able to work around this by updating to a Consul client version that does not happen to have the same version string as a vulnerable version of the Consul server, but I'm not sure such a version exists at the moment. In any case, the short answer for CVE-2022-40716 is that the scanner is mistakenly flagging a thing that is not actually in the Relay Proxy at all (it's clear in the CVE description that it is talking about the Consul server).
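A triage pass over a Black Duck Binary Analysis CSV, added here as an example that is not part of this issue or of the ld-relay project's code. It reads rows shaped like the ones quoted in the issue by column position, decodes each CVSS v3 vector so availability-only findings (the resource-exhaustion class the comment above mentions) are told apart from confidentiality or integrity ones, and tags the Consul rows for scope review because, as the comment explains, the scanner matches the Go client library's version string against CVEs filed for the Consul server. The column positions, the `KNOWN_SCOPE_CONFUSION` table and the embedded four-row sample (copied from the issue's CSV) are assumptions of this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: four rows copied from the scanner CSV quoted in the issue. The
# scanner's header row names more columns than each data row carries, so this example
# reads fields by position rather than by header name (a layout assumption).
SAMPLE_REPORT = '''
"consul","v1.12.0","v1.14.0-beta1","CVE-2022-40716","Exact match","0.0","2022-09-23T12:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","6.5","","AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","http://nvd.nist.gov/vuln/detail/CVE-2022-40716",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-41715","Exact match","0.0","2022-10-14T15:16:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-41715",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-2880","Exact match","0.0","2022-10-14T15:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","7.5","","AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","http://nvd.nist.gov/vuln/detail/CVE-2022-2880",""
"golang-runtime","1.17.11","1.19.2","CVE-2022-1962","Exact match","0.0","2022-08-10T20:15:00Z","2022-08-12T19:18:42Z","ldr","modelt_launchdarkly_ld-relay:6.7.13.tar:24319d127bc3f382b2335efe8e8edc84e08f5be53d58ba1873dc2518e450ba94/layer.tar:usr/bin/ldr","db97d38611772d92fbcc21efa213d56d089ef2c0","5.5","","AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","http://nvd.nist.gov/vuln/detail/CVE-2022-1962",""
'''

# Positional columns of a data row (assumption derived from the quoted rows).
COL_COMPONENT, COL_VERSION, COL_LATEST, COL_CVE = 0, 1, 2, 3
COL_OBJECT, COL_CVSS3, COL_VECTOR_V3, COL_URL = 8, 11, 13, 14

# Components where the scanner is known to match a client library's version string
# against CVEs filed for the server product of the same name (the Consul case here).
KNOWN_SCOPE_CONFUSION = {
    "consul": "Go client library version matched against Consul server CVEs; "
              "check the CVE's affected product before accepting the finding",
}

IMPACT_NAMES = {"C": "confidentiality", "I": "integrity", "A": "availability"}


def parse_report(text):
    """Read scanner CSV rows into dicts, skipping blank lines and a header row if present."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[COL_COMPONENT] == "Component":
            continue
        findings.append({
            "component": row[COL_COMPONENT],
            "version": row[COL_VERSION],
            "latest": row[COL_LATEST],
            "cve": row[COL_CVE],
            "object": row[COL_OBJECT],
            "cvss3": float(row[COL_CVSS3] or 0.0),
            "vector": row[COL_VECTOR_V3],
            "url": row[COL_URL],
        })
    return findings


def parse_cvss3_vector(vector):
    """Split 'AV:N/AC:L/.../A:H' into {'AV': 'N', ...}; a leading 'CVSS:3.x' tag is ignored."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if key.startswith("CVSS"):
            continue
        metrics[key] = value
    return metrics


def classify_impact(metrics):
    """Name the CIA properties a vector affects, e.g. 'availability' for a pure DoS."""
    hit = [IMPACT_NAMES[m] for m in ("C", "I", "A") if metrics.get(m, "N") != "N"]
    return "+".join(hit) if hit else "none"


def triage(findings):
    """Group findings per component and attach the remediation path each one needs."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["component"]].append(f)
    summary = {}
    for component, rows in grouped.items():
        entries = []
        for f in rows:
            m = parse_cvss3_vector(f["vector"])
            entries.append({
                "cve": f["cve"],
                "cvss3": f["cvss3"],
                "impact": classify_impact(m),
                "remote": m.get("AV") == "N",   # network-reachable per CVSS attack vector
            })
        scope_note = KNOWN_SCOPE_CONFUSION.get(component)
        if scope_note:
            action = "review scope: " + scope_note
        else:
            action = (f"upgrade {component} {rows[0]['version']} (scanner's latest: "
                      f"{rows[0]['latest']}) and rebuild the image; confirm with a "
                      "call-graph aware checker which CVEs are actually reachable")
        summary[component] = {
            "count": len(rows),
            "max_cvss3": max(e["cvss3"] for e in entries),
            "needs_scope_review": scope_note is not None,
            "action": action,
            "cves": entries,
        }
    return summary


if __name__ == "__main__":
    for component, info in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{component}: {info['count']} finding(s), max CVSS3 {info['max_cvss3']}")
        print("  action:", info["action"])
        for e in info["cves"]:
            print(f"  {e['cve']}: {e['cvss3']} {e['impact']} remote={e['remote']}")
```

For the Go runtime rows, a checker that walks the binary's call graph (govulncheck from golang.org/x/vuln does this) gives the reachability answer the comment says a version-string scanner cannot: it reports only those CVEs whose affected functions the program actually calls, which is the evidence to attach when a finding is accepted as not applicable.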

@eli-darkly
Contributor

By the way, if you are able to bring the Consul thing to the attention of Synopsys as a support issue for Black Duck, that would be very helpful. We have tried in the past to contact Synopsys about this, but didn't get any response, and as we're not a customer of theirs, we don't have a support channel.

@eli-darkly
Contributor

Well, we're in luck at the moment because the latest version of the Consul client API module is higher than all existing versions of the Consul server, therefore it can't have any false-positive reports of server vulnerabilities. So, we should be able to get rid of all of the current CVE reports in the upcoming Relay Proxy patch release.

@eli-darkly
Contributor

These should be fixed in the 6.7.14 release. Please let us know when you've had a chance to retest with that version.

@fredericdesroches
Author

Hi @eli-darkly,

Everything looks good! Thanks a lot for the swift reaction! We will create a support ticket for the consul server false detection. It is as annoying for you as it is for us.
