eli-kaplan
commented
3 years ago Note that the runc issue is referenced in a prior PR (https://github.com/hashicorp/vault/pull/10903) but it does not look like there was any resolution.
Closed eli-kaplan closed 3 years ago
eli-kaplan
commented
3 years ago Note that the runc issue is referenced in a prior PR (https://github.com/hashicorp/vault/pull/10903) but it does not look like there was any resolution.
ncabatoff
commented
3 years ago Hi @eli-kaplan ,
Thanks for bringing this to our attention.
Regarding the runc vulnerabilities you describe: all we use runc for is to launch containers in our CI to simulate systems we integrate with, e.g. the postgresql storage engine and secrets engine tests use PG docker containers to have something to talk to. So it's not actually linked into the vault binary.
It looks to be much the same situation with hcsshim. As far as I know that's just another docker dependency.
Re go-metrics: we're using 0.3.7, I'm not sure where you see v0.3.3. Regardless, it only uses protobuf for a test from what I can tell.
Incidentally, if you have Go installed, you can use go mod why -m to look at packages we depend on and see who's using them. For example:
ncc-C02XH4S9JHD3:vault ncc$ go mod why -m github.com/Microsoft/hcsshim
# github.com/Microsoft/hcsshim
github.com/hashicorp/vault/helper/testhelpers/docker
github.com/docker/docker/pkg/archive
github.com/docker/docker/pkg/system
github.com/Microsoft/hcsshim/osversionPlease note that I'm not saying all this to justify not upgrading to newer releases of these packages. We absolutely should, and we will. I'm just reassuring you that there's no security issue I can see associated with our not having done so yet.
On a side note, I think the obstacles that prevented #10903 from upgrading runc are now gone, and I'm hopeful that in the coming weeks we'll finally upgrade some of these older dependencies.
I'm going to close this issue because I believe it will be addressed by other outstanding PRs and internal tickets, but feel free to re-open if you think I've missed something.
dimalinux
commented
2 years ago I know this issue is closed, but a lot of time has passed and the vault sdk library (latest v0.4.1) is still depending on the vulnerable github.com/gogo/protobuf@v1.1.1 library. It may not be exploitable, but it still sets off security alarms for people developing vault plugins.
The problematic line is here: https://github.com/hashicorp/vault/blob/sdk/v0.4.1/sdk/go.mod#L6
Here's the dependency trace in my project:
$ go mod graph | grep github.com/gogo/protobuf@v1.1.1
github.com/prometheus/common@v0.4.1 github.com/gogo/protobuf@v1.1.1
# Using a leading space in the grep to get right-hand-side matches
$ go mod graph | grep ' github.com/prometheus/common@v0.4.1'
github.com/prometheus/client_golang@v1.0.0 github.com/prometheus/common@v0.4.1
$ go mod graph | grep ' github.com/prometheus/client_golang@v1.0.0'
github.com/prometheus/common@v0.9.1 github.com/prometheus/client_golang@v1.0.0
$ go mod graph | grep ' github.com/prometheus/common@v0.9.1'
[... other go-metrics deps ...]
github.com/armon/go-metrics@v0.3.9 github.com/prometheus/common@v0.9.1
$ go mod graph | grep ' github.com/armon/go-metrics@v0.3.9'
github.com/hashicorp/vault/sdk@v0.4.1 github.com/armon/go-metrics@v0.3.9
Describe the bug The
vault/sdkpackage depends onruncv0.1.1, which is subject to a number of high-severity CVEs:These are all fixed in the latest available version of
runc, which at the time of writing is v1.0.0-rc95.Additionally,
vault/sdkdepends on an outdated version ofMicrosoft/hcsshim(v0.8.9), which itself usesgogo/protobufv1.3.1, which is subject to CVE-2021-3121. Updatinghcsshimto the latest release, v0.8.20, resolves this issue.Further, there are a couple of deeper transitive dependencies on older vulnerable versions of
gogo-protobuf(same CVE), via the following dependencies:armon/go-metrics:v0.3.3Microsoft/hcsshim:v0.8.9- as listed above, this one has a direct dependency ongogo-protobuf, which is resolved in the latest version. However, it also has a deep transitive dependency on an even earlier version ofgogo-protobuf, and it is unclear whether this is resolved as well.To Reproduce Problem exists in both latest master as well as latest release tag (sdk/v0.2.0).
Expected behavior Ideally, dependencies should be updated to avoid vulnerabilities when they are discovered.
Environment: N/A
Additional context N/A
Let me know if this issue report is mis-categorized or if I should direct it elsewhere.