-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Critical CVE-2018-12976 found in latest docker image #704
Comments
Hi.
As a best practice, it is preferred to disclose CVEs to a security team versus a public issue. You can check out our disclosure steps at: https://www.influxdata.com/how-to-report-security-vulnerabilities/ I'll look at adding a reference to this document into this repo as well.
Which image and which version? As this repo maintains the images for multiple products include influxdb, telelgraf, etc. it would help to narrow this down. Thanks! |
Sorry for not following a procedure that I was unaware of. But it's not like this is exactly secret. All I did was download your :latest image from your dockerhub and uploaded it to AWS' ECR whereupon they scanned it, as they do all images, and the report found the CVE. This is a fairly common procedure and one that anyone can easily do. The Dockerfile I used to build and push the image looks like:
So that would be version 2.7.1 |
The CVE in question references github.com/golang/gddo. This package is imported in InfluxDB in the go.mod and used by http/telegraf.go specifically github.com/golang/gddo/httputil module with one call to As mentioned in the security announcement it appears to only affect users running their own instance of gddo, which InfluxDB is not doing. I will pass this on to our security team and get a response. |
Thanks for the response. I guess it's ok to have a potential vulnerability in code which you import and never use. I will annotate my SOC-2 compliance report with this detail. |
Sorry for the delay. @powersj's analysis is correct. While |
Hi, Thanks and really appreciate the help. -Gavin |
I've recently downloaded the latest docker image and uploaded it to AWS' ECR which scans it for vulnerabilities. It found CVE-2018-12976
It would be nice if this was fixed.
Looking in the CVE database it seems like there was a patch released to fix this, https://nvd.nist.gov/vuln/detail/CVE-2018-12976 so I expect it can be easily remedied by updating the base o/s of the container.
The text was updated successfully, but these errors were encountered: