launchdarkly / ld-relay

LaunchDarkly Relay Proxy

golang and OpenSSL vulnerabilities detected in ld-relay:7.2.5 and ld-relay:7.3.1 #255

Closed fredericdesroches closed 1 year ago

fredericdesroches commented 1 year ago

Hello,

It appears ld-relay:7.2.5 and ld-relay:7.3.1 contain the following vulnerabilities as detected by our security scanning tool:

"golang-runtime","1.20.4","1.20.6","CVE-2023-29405","Exact match","0.0","2023-06-08T21:15:00Z","2023-05-12T20:08:28Z","ldr","/layer.tar:usr/bin/ldr",","9.8"
"golang-runtime","1.20.4","1.20.6","CVE-2023-29404","Exact match","0.0","2023-06-08T21:15:00Z","2023-05-12T20:08:28Z","ldr","/layer.tar:usr/bin/ldr",","9.8"
"golang-runtime","1.20.4","1.20.6","CVE-2023-29402","Exact match","0.0","2023-06-08T21:15:00Z","2023-05-12T20:08:28Z","ldr","/layer.tar:usr/bin/ldr",","9.8"
"golang-runtime","1.20.4","1.20.6","CVE-2023-29403","Exact match","0.0","2023-06-08T21:15:00Z","2023-05-12T20:08:28Z","ldr","/layer.tar:usr/bin/ldr",","7.8"
"golang-runtime","1.20.4","1.20.6","CVE-2023-29406","Exact match","0.0","2023-07-11T20:15:00Z","2023-05-12T20:08:28Z","ldr","/layer.tar:usr/bin/ldr",","6.5"
"golang-runtime","1.20.4","1.20.6","CVE-2023-29409","Exact match","0.0","2023-08-02T20:15:00Z","2023-05-12T20:08:28Z","ldr","/layer.tar:usr/bin/ldr",","0.0"
"openssl","1.1.1t-r2","3.1.1","CVE-2023-2650","Exact match","0.0","2023-05-30T14:15:00Z","2023-03-28T14:15:00Z","libcrypto.so.1.1","/layer.tar:lib/libcrypto.so.1.1",","7.5"
"openssl","1.1.1t-r2","3.1.1","CVE-2023-2650","Exact match","0.0","2023-05-30T14:15:00Z","2023-03-28T14:15:00Z","libssl.so.1.1","/layer.tar:lib/libssl.so.1.1",","7.5"
"openssl","1.1.1t-r2","3.1.1","CVE-2023-3817","Exact match","0.0","2023-07-31T16:15:00Z","2023-03-28T14:15:00Z","libcrypto.so.1.1","/layer.tar:lib/libcrypto.so.1.1",","0.0"
"openssl","1.1.1t-r2","3.1.1","CVE-2023-3817","Exact match","0.0","2023-07-31T16:15:00Z","2023-03-28T14:15:00Z","libssl.so.1.1","/layer.tar:lib/libssl.so.1.1",","0.0"
"openssl","3.1.0-r4","3.1.1","CVE-2023-3446","Exact match","0.0","2023-07-19T12:15:00Z","2023-04-20T16:23:05Z","libcrypto.so.3","/layer.tar:lib/libcrypto.so.3",","5.3"
"openssl","3.1.0-r4","3.1.1","CVE-2023-3446","Exact match","0.0","2023-07-19T12:15:00Z","2023-04-20T16:23:05Z","libssl.so.3","/layer.tar:lib/libssl.so.3",","5.3"
"openssl","3.1.0-r4","3.1.1","CVE-2023-2975","Exact match","0.0","2023-07-14T12:15:00Z","2023-04-20T16:23:05Z","libcrypto.so.3","/layer.tar:lib/libcrypto.so.3",","5.3"
"openssl","3.1.0-r4","3.1.1","CVE-2023-2975","Exact match","0.0","2023-07-14T12:15:00Z","2023-04-20T16:23:05Z","libssl.so.3","/layer.tar:lib/libssl.so.3",","5.3"
"openssl","3.1.0-r4","3.1.1","CVE-2023-3817","Exact match","0.0","2023-07-31T16:15:00Z","2023-04-20T16:23:05Z","libcrypto.so.3","/layer.tar:lib/libcrypto.so.3",","0.0"
"openssl","3.1.0-r4","3.1.1","CVE-2023-3817","Exact match","0.0","2023-07-31T16:15:00Z","2023-04-20T16:23:05Z","libssl.so.3","/layer.tar:lib/libssl.so.3",","0.0"

A Go update and an Alpine update could potentially fix these issues. They may not all be relevant. If so, please let us know and we will change their priority internally.

Thanks, Frederic

louis-launchdarkly commented 1 year ago

Hello @fredericdesroches, Alpine just released the latest image 3.18.3 today https://github.com/alpinelinux/docker-alpine/blob/1ff397d1b9e6872e19adc93d6ede0cb638a2418a/x86_64/Dockerfile, and I have a prepared bump for Go versions. We will release once we are able to build and verify the latest ld-relay image.

fredericdesroches commented 1 year ago

Hi @louis-launchdarkly, thank you for the quick update. v7.3.2 fixes most of the issues except CVE-2023-3817. I believe it is ok because CVE-2023-3817 doesn't appear to be "official" yet as it is "undergoing analysis and not all information is available".

If a fix is available any time soon, we will open another gh issue as we are tracking it internally.

I would consider this issue done.

Thanks again!
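
The scanner rows quoted in the first comment, the "a Go update and an Alpine update could fix these" reasoning, and the follow-up that only the still-unscored CVE-2023-3817 stayed open after the bump can be triaged mechanically. The following is an added example, not code from the issue or from the ld-relay project: it merges the duplicate libcrypto/libssl rows, compares Alpine/OpenSSL style versions (letter suffix, -rN release), and separates findings a package bump closes from findings whose listed fix sits on a different release line or that carry no CVSS score yet. The row tuples are constructed from the report's values; the column meanings are an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the scanner rows quoted in the issue:
# (package, installed, fixed_in, cve, file, cvss); duplicate rows kept on purpose.
FINDINGS = [
    ("golang-runtime", "1.20.4", "1.20.6", "CVE-2023-29405", "ldr", 9.8),
    ("golang-runtime", "1.20.4", "1.20.6", "CVE-2023-29409", "ldr", 0.0),
    ("openssl", "1.1.1t-r2", "3.1.1", "CVE-2023-2650", "libcrypto.so.1.1", 7.5),
    ("openssl", "1.1.1t-r2", "3.1.1", "CVE-2023-2650", "libssl.so.1.1", 7.5),
    ("openssl", "3.1.0-r4", "3.1.1", "CVE-2023-3446", "libcrypto.so.3", 5.3),
    ("openssl", "3.1.0-r4", "3.1.1", "CVE-2023-3446", "libssl.so.3", 5.3),
    ("openssl", "3.1.0-r4", "3.1.1", "CVE-2023-3817", "libssl.so.3", 0.0),
]

def version_key(v):
    """Sort key for 1.20.4 / 1.1.1t-r2 / 3.1.0-r4: numbers, OpenSSL letter, Alpine -rN."""
    base, _, rel = v.partition("-r")
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", base)
    if m is None:
        raise ValueError(f"unrecognised version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return nums, letter, int(rel or 0)

def triage(findings):
    """Merge per-file rows into one entry per (package, installed, CVE), then:
    bump          installed < fixed_in on the same release line: the Go/Alpine
                  bump discussed in the issue closes it
    other_line    fixed_in is on another release line (1.1.1 vs 3.x): that
                  package needs its own branch fix or removal from the image
    already_fixed installed >= fixed_in: scanner noise, check by hand
    unscored      CVSS 0.0, i.e. still under analysis at scan time"""
    merged = {}
    for pkg, inst, fixed, cve, fname, cvss in findings:
        e = merged.setdefault((pkg, inst, cve), {"fixed": fixed, "cvss": cvss, "files": set()})
        e["files"].add(fname)
    buckets = defaultdict(list)
    for (pkg, inst, cve), e in sorted(merged.items()):
        if e["cvss"] == 0.0:
            buckets["unscored"].append(cve)
        entry = (pkg, inst, e["fixed"], cve, len(e["files"]))
        if version_key(inst)[0][0] != version_key(e["fixed"])[0][0]:
            buckets["other_line"].append(entry)
        elif version_key(inst) < version_key(e["fixed"]):
            buckets["bump"].append(entry)
        else:
            buckets["already_fixed"].append(entry)
    return dict(buckets)
```

The `other_line` bucket is the one to read carefully: a 1.1.1 library in the image is not closed by a 3.1.1 package, and whether it matters at all depends on whether the shipped binary links it, which is the point the maintainer makes below about Relay Proxy not using OpenSSL.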

louis-launchdarkly commented 1 year ago

You are welcome. If CVE-2023-3817 becomes a real issue, the process would be the same - we will wait for Alpine to release a newer image and bump. Just to reassure you, Relay Proxy itself does not use OpenSSL, so the risk of using the ld-relay docker image will be low.

Fixed in 7.3.2.