1Password / connect

Access your 1Password secrets using a 1Password Connect Server
https://developer.1password.com/docs/connect

Critical Vulnerabilities in Connect images #48

Closed tim-fitzgerald closed 2 years ago

tim-fitzgerald commented 2 years ago

Hey folks,

Running docker scan on 1password/connect-api produces a report for two critical vulnerabilities as demonstrated below:

✗ Critical severity vulnerability found in zlib/zlib1g
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-ZLIB-2976151
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > zlib/zlib1g@1:1.2.11.dfsg-2+deb11u1

✗ Critical severity vulnerability found in openssl/libssl1.1
  Description: OS Command Injection
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-2933518
  Introduced through: ca-certificates@20210119, adduser@3.118
  From: ca-certificates@20210119 > openssl@1.1.1n-0+deb11u2 > openssl/libssl1.1@1.1.1n-0+deb11u2
  From: adduser@3.118 > shadow/passwd@1:4.8.1-1 > pam/libpam-modules@1.4.0-9+deb11u1 > libnsl/libnsl2@1.3.0-2 > libtirpc/libtirpc3@1.3.1-1 > krb5/libgssapi-krb5-2@1.18.3-6+deb11u1 > krb5/libkrb5-3@1.18.3-6+deb11u1 > openssl/libssl1.1@1.1.1n-0+deb11u2
  From: ca-certificates@20210119 > openssl@1.1.1n-0+deb11u2
  Fixed in: 1.1.1n-0+deb11u3

Given that Connect is closed source we cannot determine the contextual severity of either. Could we request that these two critical vulnerabilities be addressed (or, ideally, that Connect be open sourced 😉)?
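One way to turn a report like the one above into something a team can act on, as an added example that is not part of this issue and not 1Password's code: parse the text layout `docker scan` printed here (the "✗ ... found in ..." header followed by indented key/value lines) into structured findings, pull the installed version out of the last hop of each dependency path, and split the findings into those a base-image rebuild fixes (a "Fixed in" line is present) and those that still need vendor triage because no fixed package exists. The sample report embedded below is constructed from the two findings quoted in the issue; the field layout it assumes is the one shown above.

```python
"""Parse `docker scan` text findings and triage them by fix availability.

Added example, not part of the 1Password issue thread. SAMPLE_REPORT is
constructed from the two findings quoted in the issue (one path shortened).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_REPORT = """\
✗ Critical severity vulnerability found in zlib/zlib1g
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-ZLIB-2976151
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > zlib/zlib1g@1:1.2.11.dfsg-2+deb11u1

✗ Critical severity vulnerability found in openssl/libssl1.1
  Description: OS Command Injection
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-OPENSSL-2933518
  Introduced through: ca-certificates@20210119, adduser@3.118
  From: ca-certificates@20210119 > openssl@1.1.1n-0+deb11u2 > openssl/libssl1.1@1.1.1n-0+deb11u2
  From: ca-certificates@20210119 > openssl@1.1.1n-0+deb11u2
  Fixed in: 1.1.1n-0+deb11u3
"""

# Header line of one finding, e.g. "✗ Critical severity vulnerability found in zlib/zlib1g"
HEADER_RE = re.compile(r"^✗ (\w+) severity vulnerability found in (\S+)$")


@dataclass
class Finding:
    severity: str
    package: str
    description: str = ""
    info: str = ""
    installed: str = ""            # version of `package` actually in the image
    fixed_in: Optional[str] = None  # distro version that carries the fix, if any
    paths: List[str] = field(default_factory=list)

    @property
    def fix_available(self) -> bool:
        return self.fixed_in is not None


def parse_scan(text: str) -> List[Finding]:
    """Parse the text report into Finding objects, one per "✗" header."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Finding(severity=m.group(1).lower(), package=m.group(2))
            findings.append(current)
            continue
        if current is None:
            continue  # stray text before the first finding
        key, _, value = line.partition(": ")
        if key == "Description":
            current.description = value
        elif key == "Info":
            current.info = value
        elif key == "Fixed in":
            current.fixed_in = value
        elif key == "From":
            current.paths.append(value)
            # The vulnerable package is the last hop of the dependency path;
            # only take the version when that hop is the package named in the header.
            name, _, version = value.split(" > ")[-1].rpartition("@")
            if name == current.package:
                current.installed = version
    return findings


def triage(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (fixable by rebuilding on a patched base, needs vendor/upstream input)."""
    fixable = [f for f in findings if f.fix_available]
    unfixed = [f for f in findings if not f.fix_available]
    return fixable, unfixed


if __name__ == "__main__":
    fixable, unfixed = triage(parse_scan(SAMPLE_REPORT))
    for f in fixable:
        print(f"rebuild: {f.package} {f.installed} -> {f.fixed_in}  ({f.info})")
    for f in unfixed:
        print(f"triage:  {f.package} {f.installed} has no fixed version yet  ({f.info})")
```

Pointing the parser at real output (`docker scan image:tag | python3 triage.py`, with `SAMPLE_REPORT` swapped for `sys.stdin.read()`) gives the same split: the "rebuild" list is what a new image release on a current base should clear, and the "triage" list is what still needs an answer about reachability from whoever can see the source.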

kpcraig commented 2 years ago

Hey @tim-fitzgerald,

I just wanted to let you know we're looking into this and hope to have an update as soon as possible.

Thanks for raising this issue!

prasoon-pxc commented 2 years ago

Any update on it?

kpcraig commented 2 years ago

Currently we're planning to roll the base image updates into the next point release, which should be soon, but I unfortunately don't have a precise ETA.

kpcraig commented 2 years ago

Hello Tim,

I wanted to let you know that we've just pushed connect-api and connect-sync version 1.5.7 to Docker Hub, and in addition to a bugfix or two, it should also have cleared the critical and major vulnerabilities that docker scan detects.

Thank you again for raising this with us!

prasoon-pxc commented 2 years ago

Hi @kpcraig, I just checked the 1Password Helm chart and found that the chart is still not updated to use the Connect images.

https://github.com/1Password/connect-helm-charts/blob/main/charts/connect/Chart.yaml#L14 Can we have an updated Helm chart for this also?

kpcraig commented 2 years ago

Thanks for noting that, I'll look into it!