krakend / krakend-ce

KrakenD Community Edition: High-performance, stateless, declarative, API Gateway written in Go.
https://www.krakend.io
Apache License 2.0

Krakend 2.4.6 new vulnerabilities: GHSA-m425-mq94-257g (HIGH), CVE-2023-44487 (MEDIUM), CVE-2023-5363 (MEDIUM) #811

Closed ksylvan closed 1 year ago

ksylvan commented 1 year ago

Environment info:

Describe the bug

$ alias trivy_simple='mkdir -p /tmp/trivy-cache; docker run --rm -it -v /tmp/trivy-cache:/root/.cache -v /var/run/docker.sock:/var/run/docker.sock  aquasec/trivy image'
$ trivy_simple devopsfaith/krakend:2.4.6
2023-11-05T07:12:46.738Z        INFO    Vulnerability scanning is enabled
2023-11-05T07:12:46.738Z        INFO    Secret scanning is enabled
2023-11-05T07:12:46.738Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-05T07:12:46.738Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-11-05T07:12:54.350Z        INFO    Detected OS: alpine
2023-11-05T07:12:54.350Z        INFO    Detecting Alpine vulnerabilities...
2023-11-05T07:12:54.352Z        INFO    Number of language-specific files: 1
2023-11-05T07:12:54.352Z        INFO    Detecting gobinary vulnerabilities...

devopsfaith/krakend:2.4.6 (alpine 3.18.4)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                     Title                     │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ MEDIUM   │ fixed  │ 3.1.3-r0          │ 3.1.4-r0      │ Incorrect cipher key and IV length processing │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363     │
├────────────┤               │          │        │                   │               │                                               │
│ libssl3    │               │          │        │                   │               │                                               │
│            │               │          │        │                   │               │                                               │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────┘

usr/bin/krakend (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│        Library         │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version      │                            Title                             │
├────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc │ GHSA-m425-mq94-257g │ HIGH     │ fixed  │ v1.53.0           │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                     │
│                        │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g            │
│                        ├─────────────────────┼──────────┤        │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-44487      │ MEDIUM   │        │                   │ 1.58.3, 1.57.1, 1.56.3 │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│                        │                     │          │        │                   │                        │ attack (Rapid...                                             │
│                        │                     │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘

Expected behavior

No vulnerabilities found.
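As an added example (not code from this issue or from KrakenD) of what Trivy's gobinary scanner is doing on usr/bin/krakend: read the module list that the Go toolchain embeds in every binary and compare the linked google.golang.org/grpc against the three fixed versions from the advisory. It assumes the binary is at /usr/bin/krakend inside the image and that each listed fix applies to its own major.minor branch, which is how a multi-branch fix list is meant to be read.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// parseVer turns "v1.53.0" or "1.56.3" into major*1e6+minor*1e3+patch so versions
// compare as plain integers; a "-rc1" or "+incompatible" tail is ignored.
func parseVer(v string) (int, bool) {
	var a, b, c int
	n, _ := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &a, &b, &c)
	return a*1000000 + b*1000 + c, n == 3
}

// Affected reports whether installed is below the fix on its own major.minor
// branch; a branch older than every listed fix is affected, a newer one is not.
func Affected(installed string, fixed []string) bool {
	inst, ok := parseVer(installed)
	if !ok {
		return false // unparsable version: say nothing rather than guess
	}
	newest := 0
	for _, f := range fixed {
		if fv, ok := parseVer(f); ok && fv/1000 == inst/1000 {
			return inst < fv // same branch: the branch fix decides
		} else if ok && fv > newest {
			newest = fv
		}
	}
	return inst < newest
}

func main() {
	bi, err := buildinfo.ReadFile("/usr/bin/krakend") // assumed path, as in the Trivy report
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fixed := []string{"1.56.3", "1.57.1", "1.58.3"} // GHSA-m425-mq94-257g, as listed in the scan
	for _, d := range bi.Deps {
		if d.Path == "google.golang.org/grpc" {
			fmt.Printf("%s %s affected=%v\n", d.Path, d.Version, Affected(d.Version, fixed))
		}
	}
}
```

Presence in the module list is all a scanner can see; whether the gRPC server is actually reachable, as the maintainers argue below, has to be established separately.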

ksylvan commented 1 year ago

Added this issue to alpine base image: https://github.com/alpinelinux/docker-alpine/issues/352

alombarte commented 1 year ago

Thank you @ksylvan,

These are false positives from Trivy, which simply makes a list of vulnerabilities based on the included libraries.

1) libcrypto3 from Alpine is not used by KrakenD at all
2) It is impossible to do an HTTP/2 Rapid Reset vulnerability attack on gRPC because we don't expose gRPC.

In any case, the next release, which is super close to release, will remove these from the scans.

github-actions[bot] commented 9 months ago

This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.