OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details for golang/github.com/hashicorp/consul (CVE-2022-29153 and CVE-2022-24687) #282

Closed nc-mcarter closed 2 years ago

nc-mcarter commented 2 years ago

Vulnerability URL
Provide the URL to the vulnerability. For example:

https://ossindex.sonatype.org/vulnerability/CVE-2022-29153
https://ossindex.sonatype.org/vulnerability/CVE-2022-24687

Component URL
Provide the URL to the component. For example:

https://ossindex.sonatype.org/component/pkg:golang/github.com/hashicorp/consul

Description

dnwe commented 2 years ago

Note that CVE-2022-29153 is also being incorrectly flagged on the latest versions of the api consul client module (https://ossindex.sonatype.org/component/pkg:golang/github.com/hashicorp/consul/api@v1.13.0), which is an entirely separate module; the health checks CVE is in the main consul server module code only (Ref: https://github.com/hashicorp/consul/pull/12685).

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ken-duck commented 2 years ago

During Deep Dive research we determined the fix released in 1.9.17, 1.10.10, and 1.11.5 to be insufficient, as stated in the advisory deviation notice in the Explanation. Please see below:

Per the advisory released by the project, since versions v1.9.17, v1.10.10, and v1.11.5, it is possible to prevent HTTP health checks from following redirects by setting the disable_redirects option to true. However, since this option is set to false by default, the Sonatype security research team considers these versions vulnerable to SSRF.

This option is still set to false by default so the vulnerability is still exploitable using the default configuration.

We also determined during Deep Dive that the vulnerable code is present in the api module as well.

We are working on an OSS Index feature whereby "deviation" notices explaining why OSS Index has deviated from the CVE data will be made available.
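The point of the deviation notice above is that the fix is opt-in: the agent's HTTP health checks keep following redirects unless disable_redirects is set on each check. As an added example that is not part of the issue thread or of Consul's own documentation, here is a service registration in Consul's HCL agent-config format with the option set explicitly. The service name, port and URL are constructed placeholders; the field names http, interval and timeout are standard check-definition fields, and disable_redirects is the option the thread refers to (available only in the fixed versions it names, v1.9.17, v1.10.10 and v1.11.5 or later).

```hcl
# Constructed example of a Consul service with an HTTP health check.
# Only the disable_redirects line changes the behaviour discussed in
# the thread; everything else is a plain check definition.
service {
  name = "web"
  port = 8080

  check {
    id       = "web-http"
    name     = "HTTP health on port 8080"
    http     = "http://127.0.0.1:8080/health"
    interval = "10s"
    timeout  = "2s"

    # Default behaviour (option omitted, i.e. disable_redirects = false):
    # the agent follows any 3xx returned by the checked endpoint, so the
    # check request can be steered to a different host or port.
    # Setting it explicitly keeps the check on the URL above and nowhere
    # else. This is per check: every HTTP check needs its own line.
    disable_redirects = true
  }
}
```

Because the setting is per check rather than agent-wide, auditing an agent for this issue means checking every `http` check in its configuration directory for the presence of `disable_redirects = true`; `consul validate <config-dir>` confirms the file parses but does not flag a missing option, so the review of each check block has to be explicit.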