hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

Amazon Inspector is detecting GO and CoreDNS vulnerabilities in consul version 1.11.4 #14879

Open andrew-solace opened 2 years ago

andrew-solace commented 2 years ago

Overview of the Issue

Amazon Inspector is detecting GO and CoreDNS vulnerabilities in consul version 1.11.4

Reproduction Steps

Steps to reproduce this issue, e.g.:

  1. Upload a container containing the prebuilt version of consul to ECR
  2. Configure Amazon Inspector to run on image

Consul info for both Client and Server

version 1.11.4

Operating system and Environment details

UBI 8

Log Fragments

CVE-2020-26160 - github.com/dgrijalva/jwt-go, github.com/dgrijalva/jwt-go A vulnerability was found in jwt-go where it is vulnerable to Access Restriction Bypass if m["aud"] happens to be []string{}, as allowed by the spec. The type assertion fails and the value of aud is "". This can cause audience verification to succeed even if the audiences being passed are incorrect if required is set to false.

CVE-2022-28948 - gopkg.in/yaml.v3, gopkg.in/yaml.v3 A flaw was found in the Unmarshal function in Go-Yaml. The issue causes the program to crash when attempting to deserialize invalid input.

gopkg.in/yaml.v3 is a YAML support package for the Go language. Affected versions of this package are vulnerable to NULL Pointer Dereference when parsing #\n-\n-\n0 via the parserc.go parser.

GHSA-gv9j-4w24-q7vx - github.com/coredns/coredns, github.com/coredns/coredns

Impact

CoreDNS before 1.6.6 (using go DNS package < 1.1.25) improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.

Patches

The problem has been fixed in 1.6.6+.

References

CVE-2019-19794

For more information

Please consult our security guide for more information regarding our security process.
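
As an added example (not code from this issue, Consul or jwt-go), the audience check described in the CVE-2020-26160 entry above: the legacy single-string type assertion beside a version that handles both claim forms the spec allows. MapClaims, verifyAudLegacy and verifyAudFixed are constructed names standing in for the library's types.

```go
package main

import "fmt"

type MapClaims map[string]interface{} // stand-in for jwt-go's map-backed claims (constructed, not the library)

// verifyAudLegacy reproduces the pre-fix check: "aud" is assumed to be a string, so an
// array ([]string{} or []interface{}) fails the assertion and aud silently becomes "".
func verifyAudLegacy(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" { // looks like "claim absent": passes for any cmp when required is false
		return !required
	}
	return aud == cmp
}

// verifyAudFixed accepts both RFC 7519 forms (string or array of strings), rejects any
// other type outright, and honours `required` only when aud is genuinely absent or empty.
func verifyAudFixed(m MapClaims, cmp string, required bool) bool {
	var auds []string
	switch v := m["aud"].(type) {
	case nil:
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}: // what encoding/json yields for a JSON array
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false
			}
			auds = append(auds, s)
		}
	default:
		return false
	}
	if len(auds) == 0 {
		return !required
	}
	for _, a := range auds {
		if a == cmp {
			return true
		}
	}
	return false
}

func main() {
	claims := MapClaims{"aud": []interface{}{"billing-api"}} // constructed: token issued for another service
	fmt.Println(verifyAudLegacy(claims, "admin-api", false), verifyAudFixed(claims, "admin-api", false)) // true false
}
```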

andrew-solace commented 2 years ago

I have also tested with 1.13.2 using the consul image on GitHub, and there are still two issues:

https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714 and https://github.com/advisories/GHSA-gv9j-4w24-q7vx