omeka / omeka-s

Omeka S is a web publication system for universities, galleries, libraries, archives, and museums. It consists of a local network of independently curated exhibits sharing a collaboratively built pool of items, media, and their metadata.
GNU General Public License v3.0

Critical Vulnerability Detected by Vulnerability Scanner #1825

Closed nomadicoder closed 2 years ago

nomadicoder commented 2 years ago

We have deployed Omeka-S to our institution's Kubernetes hosting service. When we construct our Kubernetes image to upload, we must have it scanned for vulnerabilities with Trivy. However, recently Trivy detected that laminas/laminas-http version 2.13.0 is critically vulnerable from CVE-2021-3007 which is a remote execution vulnerability. For the next release, this package should be upgraded to version 2.14.2 or higher.
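The check the report describes, reduced to something you can run offline against a project's composer.lock before the image ever reaches the cluster scanner. This is an added example, not Omeka S's code and not how Trivy works internally; the composer.lock fragment is constructed, and the "first fixed" version 2.14.2 for CVE-2021-3007 is the one the report cites, so keep that table in step with your scanner's advisory feed.

```python
import json
import re

# Constructed composer.lock fragment that mirrors the situation in the report:
# laminas/laminas-http pinned at 2.13.0. It is not taken from the Omeka S repository.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laminas/laminas-http", "version": "2.13.0"},
        {"name": "laminas/laminas-stdlib", "version": "3.6.1"},
    ],
    "packages-dev": [],
})

# Minimal advisory table: package -> (first fixed version, advisory id).
# The fixed version is the one cited in the issue, not an authoritative feed.
ADVISORIES = {
    "laminas/laminas-http": ("2.14.2", "CVE-2021-3007"),
}


def parse_version(version):
    """Turn '2.13.0' or 'v2.13.0' into a comparable (major, minor, patch) tuple.

    Returns None for versions that are not plain numeric releases (e.g. 'dev-master'),
    so the caller can flag them for manual review instead of silently passing them.
    """
    parts = version.lstrip("v").split(".")
    numbers = []
    for part in parts[:3]:
        if not re.fullmatch(r"\d+", part):
            return None
        numbers.append(int(part))
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers)


def lock_versions(lock_json):
    """Map package name -> locked version for both runtime and dev sections."""
    data = json.loads(lock_json)
    versions = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            versions[pkg["name"]] = pkg["version"]
    return versions


def find_vulnerable(lock_json, advisories=ADVISORIES):
    """Return one finding per locked package that is below its first fixed version.

    Packages whose version cannot be parsed are reported with status 'review'
    rather than assumed safe, which is the behaviour a gate in CI should have.
    """
    findings = []
    for name, installed in lock_versions(lock_json).items():
        if name not in advisories:
            continue
        fixed, advisory = advisories[name]
        parsed = parse_version(installed)
        if parsed is None:
            status = "review"
        elif parsed < parse_version(fixed):
            status = "vulnerable"
        else:
            continue
        findings.append({
            "package": name,
            "installed": installed,
            "fixed": fixed,
            "advisory": advisory,
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_COMPOSER_LOCK):
        print("{status}: {package} {installed} (fixed in {fixed}, {advisory})".format(**finding))
```

Run it with the real composer.lock read from disk instead of the constructed string; a non-empty result is what the image scanner will later report, so failing the build on it moves the finding from the deploy step to the commit that introduced it.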

zerocrates commented 2 years ago

Hello,

We're aware of the CVE on laminas-http. There are some complications here, the main one being that the upstream laminas-http project doesn't identify this as a serious security bug (despite the high score, it kind of isn't: it's something that can only be triggered if an application is already improperly unserializing untrusted content). Because of that, they didn't backport their fix, so the fix is available only on a newer version which raises the PHP requirement. So it's not entirely simple for us to include this in a minor release.

We will pull in the change, but it will probably be on a future version that increases the minimum PHP requirement across the board, and includes PHP 8.1 support. We have sooner releases planned but as they won't increase the minimum PHP requirement, they won't include this update.

nomadicoder commented 2 years ago

Thank you for addressing my concern. We recently began using Snyk to scan for vulnerabilities for our Kubernetes deploys, and the issue is not flagged as serious. So I think your reply and our new means of scanning for vulnerabilities have relieved much of my concern.

zerocrates commented 2 years ago

We've updated to a version of laminas-http that includes this fix on the develop branch.

Note: there's not a released version yet that has that updated version... it will likely be in Omeka S 4.0.0.