cilium / cilium

eBPF-based Networking, Security, and Observability
https://cilium.io
Apache License 2.0
20.01k stars 2.94k forks

Reduce attack surface in the container by deduplicating TLS libraries #8760

Open nr17 opened 5 years ago

nr17 commented 5 years ago

Proposal / RFE

Is your feature request related to a problem? Having multiple libraries in a container can increase the attack surface, especially when libraries are upgraded to resolve security vulnerabilities. This can happen if, for some reason, one version is upgraded and the other one is not.

Currently, the cilium container contains multiple TLS libraries (GnuTLS and OpenSSL):

```
ii  libgnutls30:amd64             3.5.18-1ubuntu1          amd64        GNU TLS library - main runtime library
root@6b9e3d49dc4d:~# dpkg -l  | grep open
ii  openssl                       1.1.0g-2ubuntu4.3        amd64        Secure Sockets Layer toolkit - cryptographic utility
```

Describe the solution you'd like

We should eliminate one of the libraries from the container.
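The check this proposal implies, written here as an added example that is not part of the issue or of Cilium's own code: a POSIX shell script that reads `dpkg -l` output, groups installed (`ii`) packages by the TLS implementation they belong to, and reports when more than one implementation is present in the image. The package-name patterns in `tls_family_of_pkg` and the sample `dpkg -l` listing (modelled on the two lines above, plus constructed lines for `libssl1.1`, `libc6` and a removed `libmbedtls10`) are assumptions, not an exhaustive inventory.

```shell
#!/bin/sh
# Inventory TLS implementations from `dpkg -l` output and flag images that
# ship more than one. Added example, not Cilium project code; the
# package-name to implementation mapping below is an assumption.

# Map a dpkg package name to the TLS implementation it belongs to.
# Prints nothing for packages that are not TLS libraries.
tls_family_of_pkg() {
    case "$1" in
        libgnutls*|gnutls-bin)      echo gnutls ;;
        libssl*|openssl)            echo openssl ;;
        libnss3*)                   echo nss ;;
        libmbedtls*|libmbedcrypto*) echo mbedtls ;;
        libwolfssl*)                echo wolfssl ;;
    esac
}

# Read `dpkg -l` text on stdin; print one "family package version" line per
# installed (status "ii") package that is a TLS implementation. Packages in
# other states (e.g. "rc", removed but config remains) are ignored.
tls_inventory() {
    while read -r status pkg version _rest; do
        [ "$status" = "ii" ] || continue
        name=${pkg%%:*}   # drop the architecture qualifier, e.g. libgnutls30:amd64
        family=$(tls_family_of_pkg "$name")
        [ -n "$family" ] && printf '%s %s %s\n' "$family" "$pkg" "$version"
    done
}

# Count distinct TLS implementations in `dpkg -l` text read on stdin.
tls_family_count() {
    tls_inventory | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Succeed (exit 0) when at most one TLS implementation is installed,
# fail (exit 1) when the image carries two or more and needs review.
check_single_tls() {
    n=$(tls_family_count)
    [ "$n" -le 1 ]
}

# Constructed sample listing: the two lines quoted in the issue plus three
# invented lines (libssl1.1, libc6, and a removed libmbedtls10) to exercise
# the status filter and the non-TLS case.
SAMPLE_DPKG='ii  libgnutls30:amd64             3.5.18-1ubuntu1          amd64        GNU TLS library - main runtime library
ii  libssl1.1:amd64               1.1.0g-2ubuntu4.3        amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl                       1.1.0g-2ubuntu4.3        amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  libc6:amd64                   2.27-3ubuntu1            amd64        GNU C Library: Shared libraries
rc  libmbedtls10:amd64            2.8.0-1                  amd64        lightweight crypto and SSL/TLS library'

# Run against the constructed sample. On a live container the same functions
# take `docker exec <container> dpkg -l` (or a pipe from the image) on stdin.
printf '%s\n' "$SAMPLE_DPKG" | tls_inventory
if printf '%s\n' "$SAMPLE_DPKG" | check_single_tls; then
    echo "OK: a single TLS implementation is installed"
else
    echo "REVIEW: $(printf '%s\n' "$SAMPLE_DPKG" | tls_family_count) TLS implementations installed; decide which one can be dropped"
fi
```

Grouping by implementation rather than by package name is what makes the check useful: `libssl1.1` and `openssl` are one implementation that is patched together, whereas `libgnutls30` alongside them is the second code base that has to be tracked and upgraded separately, which is exactly the condition the proposal wants to eliminate.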

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] commented 5 years ago

This issue has not seen any activity since it was marked stale. Closing.