
fix(plugin-keychain-vault): fix CVE-2024-0553 in vault server image #3065

Conversation

petermetz
Contributor

  1. The solution here was to migrate the image from Debian to Ubuntu
    because it seems to not have the same vulnerabilities as the latest
    stable Debian image does, so the change itself is to move to Ubuntu 24.04
    LTS.
  2. Also upgraded the Rust toolchain to the current latest which mandated
    a couple of small code changes that are also added in this commit.

The original security report from Trivy that we've discovered on the CI:

┌─────────────┬───────────────┬──────────┬───────────────────┐
│   Library   │ Vulnerability │ Severity │ Installed Version │
├─────────────┼───────────────┼──────────┼───────────────────┤
│ libgnutls30 │ CVE-2024-0553 │ HIGH     │ 3.6.7-4+deb10u11  │
│             │               │          │                   │
└─────────────┴───────────────┴──────────┴───────────────────┘
...
┬──────────────────┬───────────────────────────────────────────┐
│  Fixed Version   │                   Title                   │
┼──────────────────┼───────────────────────────────────────────┤
│ 3.6.7-4+deb10u12 │ gnutls: incomplete fix for CVE-2023-5981  │
│                  │ https://avd.aquasec.com/nvd/cve-2024-0553 │
┴──────────────────┴───────────────────────────────────────────┘

Signed-off-by: Peter Somogyvari [email protected]

Pull Request Requirements

  • Rebased onto upstream/main branch and squashed into a single commit to help maintainers review it more efficiently and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when, and why.
  • Have git sign off at the end of commit message to avoid being marked red. You can add -s flag when using git commit command. You may refer to this link for more information.
  • Follow the Commit Linting specification. You may refer to this link for more information.

Character Limit

  • Pull Request Title and Commit Subject must not exceed 72 characters (including spaces and special characters).
  • Commit Message per line must not exceed 80 characters (including spaces and special characters).

A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.

@petermetz petermetz enabled auto-merge (rebase) March 7, 2024 08:31
@petermetz petermetz changed the title Fix-cve-2024-0553-ghcr-keychain-vault-server fix(plugin-keychain-vault): fix CVE-2024-0553 in vault server image Mar 7, 2024
@VRamakrishna
Contributor

FYI, the Weaver Relay is built on Rust 1.69.0-slim-bullseye (see various Dockerfiles in https://github.com/hyperledger/cacti/tree/main/weaver/core/relay). Do we need to upgrade those too?

From what I understand, upgrading the Rust toolchain has nothing to do with the reported vulnerability, right?

@petermetz
Contributor Author

FYI, the Weaver Relay is built on Rust 1.69.0-slim-bullseye (see various Dockerfiles in https://github.com/hyperledger/cacti/tree/main/weaver/core/relay). Do we need to upgrade those too?

From what I understand, upgrading the Rust toolchain has nothing to do with the reported vulnerability, right?

@VRamakrishna In general, I'd recommend upgrading, yes (unless there's some big blocker from doing so).

The vulnerabilities might not be related to the rust toolchain itself, but often I've seen situations where upgrading it is the only path anyway because the older rust versions ship with older base images of the underlying OS which then does have vulnerabilities baked into it.
The above scenario is not always the case (and I haven't looked into this particular image in detail to confirm or deny it either) but it does happen.
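The Trivy finding quoted in the PR description was caught by a CI scan, and the reply above explains why such findings usually come from the OS packages in the base image rather than the toolchain. Below is an added example, not code from the Cacti repository, of the kind of CI gate that turns a Trivy JSON report into a pass/fail decision: it fails only on HIGH/CRITICAL findings that already have a vendor fix (the same policy as Trivy's `--ignore-unfixed`). The report shape follows Trivy's `--format json` output as I understand it (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the sample report is constructed, and the two extra CVE ids in it are placeholders.

```python
"""CI gate: fail the build when a Trivy JSON report has fixable HIGH/CRITICAL findings."""
import json
from typing import Dict, List

# Constructed sample shaped like `trivy image --format json` output, reduced to the
# fields this gate reads. The first finding mirrors the one quoted in the PR; the
# other two are placeholders that exercise the "unfixed" and "below threshold" paths.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "vault-server:old (debian 10.13)",  # constructed target name
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-0553", "PkgName": "libgnutls30",
             "InstalledVersion": "3.6.7-4+deb10u11", "FixedVersion": "3.6.7-4+deb10u12",
             "Severity": "HIGH", "Title": "gnutls: incomplete fix for CVE-2023-5981"},
            {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "libplaceholder1",  # placeholder
             "InstalledVersion": "1.0-1", "FixedVersion": "",
             "Severity": "CRITICAL", "Title": "no vendor fix available yet"},
            {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "libplaceholder2",  # placeholder
             "InstalledVersion": "2.0-1", "FixedVersion": "2.0-2",
             "Severity": "LOW", "Title": "below the gate's severity threshold"},
        ],
    }],
})

BLOCKING = frozenset({"HIGH", "CRITICAL"})


def fixable_findings(report_json: str, block_on=BLOCKING) -> List[Dict[str, str]]:
    """Return findings at a blocking severity that already have a fixed version."""
    report = json.loads(report_json)
    hits = []
    for result in report.get("Results") or []:          # one entry per scanned target
        for vuln in result.get("Vulnerabilities") or []:  # Trivy omits the key when empty
            if vuln.get("Severity") in block_on and vuln.get("FixedVersion"):
                hits.append({"target": result.get("Target", ""),
                             "id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                             "installed": vuln["InstalledVersion"],
                             "fixed": vuln["FixedVersion"]})
    return hits


def gate(report_json: str) -> int:
    """Print each blocking finding and return the process exit code (1 = fail the job)."""
    hits = fixable_findings(report_json)
    for h in hits:
        print(f"{h['id']} {h['pkg']} {h['installed']} -> {h['fixed']} [{h['target']}]")
    return 1 if hits else 0


if __name__ == "__main__":
    import sys
    raise SystemExit(gate(SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()))
```

Pipe a real report in with `trivy image --format json <image> | python gate.py`; run it without input to see the sample finding rejected.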

@petermetz petermetz force-pushed the fix-cve-2024-0553-ghcr-keychain-vault-server branch from dcdc999 to 47ec317 Compare March 19, 2024 21:08
@petermetz petermetz merged commit 1eacf7e into hyperledger-cacti:main Mar 19, 2024
129 of 144 checks passed
@petermetz petermetz deleted the fix-cve-2024-0553-ghcr-keychain-vault-server branch July 9, 2024 18:08