
Critical CVE-2018-12976 found in latest docker image #704

Open
M-JobPixel opened this issue Sep 13, 2023 · 6 comments

Comments

@M-JobPixel

M-JobPixel commented Sep 13, 2023

I've recently downloaded the latest docker image and uploaded it to AWS' ECR, which scans it for vulnerabilities. It found CVE-2018-12976.

It would be nice if this was fixed.

Looking in the CVE database it seems like there was a patch released to fix this, https://nvd.nist.gov/vuln/detail/CVE-2018-12976 so I expect it can be easily remedied by updating the base o/s of the container.

@M-JobPixel M-JobPixel changed the title CVE-2018-12976 found in latest docker image Critical CVE-2018-12976 found in latest docker image Sep 13, 2023
@powersj
Contributor

powersj commented Sep 13, 2023

Hi.

> It found CVE-2018-12976

As a best practice, it is preferred to disclose CVEs to a security team versus a public issue. You can check out our disclosure steps at: https://www.influxdata.com/how-to-report-security-vulnerabilities/ I'll look at adding a reference to this document into this repo as well.

> I've recently downloaded the latest docker image

Which image and which version?

As this repo maintains the images for multiple products, including influxdb, telegraf, etc., it would help to narrow this down.

Thanks!

@M-JobPixel
Author

Sorry for not following a procedure that I was unaware of. But it's not like this is exactly secret. All I did was download your :latest image from your dockerhub and uploaded it to AWS' ECR whereupon they scanned it, as they do all images, and the report found the CVE. This is a fairly common procedure and one that anyone can easily do.

The Dockerfile I used to build and push the image looks like:

FROM influxdb:latest

So that would be version 2.7.1

@powersj
Contributor

powersj commented Sep 13, 2023

The CVE in question references github.com/golang/gddo.

This package is imported in InfluxDB in the go.mod and used by http/telegraf.go, specifically the github.com/golang/gddo/httputil module, with one call to httputil.NegotiateContentType().

As mentioned in the security announcement it appears to only affect users running their own instance of gddo, which InfluxDB is not doing.

I will pass this on to our security team and get a response.
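
A small triage helper, added here as an example and not code from the influxdb project: it parses a Go source file and lists which identifiers are actually referenced from a flagged module, which is the check described above (only httputil.NegotiateContentType is used from github.com/golang/gddo). The sample source and its pickType function are constructed; the helper assumes the imported package name matches the last path element unless the import is aliased, and it reports direct references only, not call-graph reachability.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Constructed stand-in for a file like http/telegraf.go (parsed, never built).
const sampleSrc = `package http
import "github.com/golang/gddo/httputil"
func pickType(accept []string) string {
	return httputil.NegotiateContentType(nil, accept, "application/json")
}`

// UsedSymbols lists every "importpath.Ident" src references via imports under modulePrefix.
func UsedSymbols(src, modulePrefix string) (map[string]bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "src.go", src, 0)
	if err != nil {
		return nil, err
	}
	local := map[string]string{} // local package name -> full import path
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil { // aliased import
			name = imp.Name.Name
		}
		if strings.HasPrefix(path, modulePrefix) {
			local[name] = path
		}
	}
	used := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && local[id.Name] != "" {
				used[local[id.Name]+"."+sel.Sel.Name] = true
			}
		}
		return true
	})
	return used, nil
}

func main() {
	used, _ := UsedSymbols(sampleSrc, "github.com/golang/gddo")
	fmt.Println(used) // map[github.com/golang/gddo/httputil.NegotiateContentType:true]
}
```

Run it over each file that imports the flagged module; govulncheck performs the same kind of analysis properly at the call-graph level and is the tool to reach for on a real repository.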

@M-JobPixel
Author

Thanks for the response.

I guess it's ok to have a potential vulnerability in code which you import and never use.

I will annotate my SOC-2 compliance report with this detail.

@jdstrand
Contributor

jdstrand commented Sep 21, 2023

> I will pass this on to our security team and get a response.

Sorry for the delay. @powersj's analysis is correct. While influxdb imports github.com/golang/gddo/httputil, it is only to use httputil.NegotiateContentType which is not affected by this CVE. I'm not sure what capability your tooling has, but I recommend dismissing the alert with either 'inaccurate' or 'code not used'.

@gavin-snorkel

Hi,
We are running into the same issue as well as our scanner is picking up the critical CVE (https://nvd.nist.gov/vuln/detail/CVE-2018-12976). Unfortunately we don't have a way to dismiss this CVE due to the fact that it's CRITICAL. It seems like it should go away by updating your gddo deps at a later build? (current one at 2018***)

Thanks and really appreciate the help.

-Gavin
