
mender client and mender-connect should switch to go 1.17.10+ for CVE-2022-29526


    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3.1, 3.4.0
    • Labels:
    • Story Points: 2
    • Backlog: yes
    • Days in progress: 0

      Description

      mender client and mender-connect, as published via APT (per https://docs.mender.io/downloads#install-using-the-apt-repository), are built with go v1.17.6, which per CVE-2022-29526 has a vulnerability. While I'm not certain if mender is actually affected by the vulnerability, I do know that both Docker Hub Vulnerability Scanning and Trivy flag this vulnerability in both stable (client 3.3.0-1 / connect 2.0.2-1) and experimental (client 3.4.0 / connect 2.1.0), which makes it hard to use mender anywhere that needs static scans to pass:

      ┌──────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬───────────────────────────────────────────────┐
      │     Library      │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                     Title                     │
      ├──────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼───────────────────────────────────────────────┤
      │ golang.org/x/sys │ CVE-2022-29526 │ MEDIUM   │ v0.0.0-20211124211545-fe61309f8881 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group │
      │                  │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526    │
      └──────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴───────────────────────────────────────────────┘

      usr/bin/mender-connect (gobinary)
      =================================
      Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

      ┌──────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬───────────────────────────────────────────────┐
      │     Library      │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                     Title                     │
      ├──────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼───────────────────────────────────────────────┤
      │ golang.org/x/sys │ CVE-2022-29526 │ MEDIUM   │ v0.0.0-20200116001909-b77594299b42 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group │
      │                  │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526    │
      └──────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴───────────────────────────────────────────────┘

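The scanners above flag the binaries from the module metadata the Go linker embeds in them (the same data `go version -m` prints). The following is an added example, not Mender's own code or anything from the issue: a small Go program that reads that embedded build info from a binary such as usr/bin/mender-connect and reports whether the linked golang.org/x/sys is older than the fixed pseudo-version Trivy lists above, and whether the toolchain is at least Go 1.17.10 as the issue requests. The Go 1.18.2 threshold for the 1.18 branch is an assumption added here, as is the `assess`/`scanBinary` naming; the version comparison only handles tagged releases and pseudo-versions, which is what the go tool emits for x/sys.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Module path and fixed pseudo-version exactly as listed in the Trivy output above.
const (
	xsysPath         = "golang.org/x/sys"
	xsysFixedVersion = "v0.0.0-20220412211240-33da011f77ad"
)

// versionKey reduces a module version to an orderable form: the numeric
// MAJOR.MINOR.PATCH base, whether it is a tagged release, and for
// pseudo-versions (v0.0.0-20220412211240-33da011f77ad, v0.1.1-0.20220412211240-abc)
// the 14-digit UTC timestamp that orders them within the same base.
func versionKey(v string) (base [3]int, release bool, stamp string) {
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), "-", 3)
	for i, s := range strings.SplitN(parts[0], ".", 3) {
		base[i], _ = strconv.Atoi(s)
	}
	if len(parts) == 1 {
		return base, true, ""
	}
	ts := parts[1]
	if len(ts) > 14 { // "0.20220412211240" -> "20220412211240"
		ts = ts[len(ts)-14:]
	}
	return base, false, ts
}

// compareVersion orders a against b: -1 if a < b, 0 if equal, +1 if a > b.
func compareVersion(a, b string) int {
	ab, ar, as := versionKey(a)
	bb, br, bs := versionKey(b)
	for i := 0; i < 3; i++ {
		if ab[i] != bb[i] {
			if ab[i] < bb[i] {
				return -1
			}
			return 1
		}
	}
	// Same base: a tagged release sorts after any pseudo-version of that base.
	if ar != br {
		if ar {
			return 1
		}
		return -1
	}
	return strings.Compare(as, bs)
}

// goVersionFixed reports whether a "go1.X.Y" toolchain string carries the
// syscall fix: Go 1.17.10+ per the issue, Go 1.18.2+ (assumed), or newer.
func goVersionFixed(goVersion string) bool {
	var major, minor, patch int
	fmt.Sscanf(strings.TrimPrefix(goVersion, "go"), "%d.%d.%d", &major, &minor, &patch)
	switch {
	case major > 1, minor > 18:
		return true
	case minor == 18:
		return patch >= 2
	case minor == 17:
		return patch >= 10
	}
	return false
}

// Finding summarises the two checks for one binary.
type Finding struct {
	GoVersion      string
	GoFixed        bool
	XsysVersion    string // empty when x/sys is not linked in at all
	XsysVulnerable bool
}

// assess applies both checks to a toolchain string and a path->version map.
func assess(goVersion string, deps map[string]string) Finding {
	f := Finding{GoVersion: goVersion, GoFixed: goVersionFixed(goVersion)}
	if v, ok := deps[xsysPath]; ok {
		f.XsysVersion = v
		f.XsysVulnerable = compareVersion(v, xsysFixedVersion) < 0
	}
	return f
}

// scanBinary reads the build info embedded in a Go binary. A replace
// directive's version is what was actually linked, so it takes precedence.
func scanBinary(path string) (Finding, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return Finding{}, err
	}
	deps := make(map[string]string, len(bi.Deps))
	for _, d := range bi.Deps {
		if d.Replace != nil {
			deps[d.Path] = d.Replace.Version
		} else {
			deps[d.Path] = d.Version
		}
	}
	return assess(bi.GoVersion, deps), nil
}

// Usage: go run . /usr/bin/mender /usr/bin/mender-connect
// Exit status 1 if any binary fails a check, 2 if one could not be read.
func main() {
	exit := 0
	for _, p := range os.Args[1:] {
		f, err := scanBinary(p)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
			exit = 2
			continue
		}
		fmt.Printf("%s: %s (fixed=%t) x/sys=%q (vulnerable=%t)\n",
			p, f.GoVersion, f.GoFixed, f.XsysVersion, f.XsysVulnerable)
		if !f.GoFixed || f.XsysVulnerable {
			exit = 1
		}
	}
	os.Exit(exit)
}
```

Running this against a package before it is published gives a pass/fail that does not depend on which scanner a downstream user happens to run, and it checks the version that was actually linked rather than the one in go.mod.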

            People

            Assignee: Fabio Tranchitella (tranchitella)
            Reporter: Shaun C (shaunco)
            Votes: 0
            Watchers: 4
