Address CVEs in go-lang binaries #17358
Closed
Description
Overview of the Issue
When running a security scanner like Trivy against the latest release of Consul (which at the moment is 1.15.2), multiple CVEs and vulnerabilities are reported.
Reproduction Steps
- Download the binaries (or even the source code) of the associated release:
$ curl -JLO https://releases.hashicorp.com/consul/1.15.2/consul_1.15.2_linux_amd64.zip
- Run Trivy and obtain the report
$ trivy rootfs .
...
consul (gobinary)
Total: 7 (UNKNOWN: 1, LOW: 1, MEDIUM: 4, HIGH: 1, CRITICAL: 0)
┌────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM │ v1.42.34 │ │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto │
│ │ │ │ │ │ SDK for golang... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-8911 │
│ ├─────────────────────┼──────────┤ ├────────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2020-8912 │ LOW │ │ │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│ │ │ │ │ │ SDK for golang... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-8912 │
├────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ github.com/coredns/coredns │ CVE-2022-2835 │ MEDIUM │ v1.6.6 │ │ coreDNS: DNS Redirection of Internal Services │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2835 │
│ ├─────────────────────┤ │ ├────────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2837 │ │ │ │ coreDNS: DNS Redirection of Top-Level Domains │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2837 │
├────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-41723 │ HIGH │ v0.4.0 │ 0.7.0 │ avoid quadratic complexity in HPACK decoding │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41723 │
│ ├─────────────────────┼──────────┤ │ ├────────────────────────────────────────────────────────────┤
│ │ GHSA-vvpx-j8f3-3w6h │ UNKNOWN │ │ │ Uncontrolled Resource Consumption │
│ │ │ │ │ │ https://github.com/advisories/GHSA-vvpx-j8f3-3w6h │
├────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ k8s.io/client-go │ CVE-2020-8565 │ MEDIUM │ v0.18.2 │ 0.20.0-alpha.2 │ kubernetes: Incomplete fix for CVE-2019-11250 allows for │
│ │ │ │ │ │ token leak in logs when... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-8565 │
└────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────────┘
Consul info for both Client and Server
NA
Operating system and Environment details
NA
Log Fragments
NA
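As an added example (not part of the report above or of Consul's own tooling), the following Python triages the same findings from Trivy's machine-readable output (`trivy rootfs --format json .`), separating packages that already have a published fixed version from advisories that have none. The sample report is constructed here to mirror the table above; the `Results` / `Vulnerabilities` field names are those of Trivy's JSON schema.

```python
import json
from collections import namedtuple

# Constructed sample: a Trivy JSON report (trivy rootfs --format json .), trimmed to the
# gobinary result for the consul binary and mirroring the findings in the table above.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "consul", "Type": "gobinary", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2020-8911", "PkgName": "github.com/aws/aws-sdk-go", "InstalledVersion": "v1.42.34", "FixedVersion": "", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2020-8912", "PkgName": "github.com/aws/aws-sdk-go", "InstalledVersion": "v1.42.34", "FixedVersion": "", "Severity": "LOW"},
    {"VulnerabilityID": "CVE-2022-2835", "PkgName": "github.com/coredns/coredns", "InstalledVersion": "v1.6.6", "FixedVersion": "", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2022-2837", "PkgName": "github.com/coredns/coredns", "InstalledVersion": "v1.6.6", "FixedVersion": "", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2022-41723", "PkgName": "golang.org/x/net", "InstalledVersion": "v0.4.0", "FixedVersion": "0.7.0", "Severity": "HIGH"},
    {"VulnerabilityID": "GHSA-vvpx-j8f3-3w6h", "PkgName": "golang.org/x/net", "InstalledVersion": "v0.4.0", "FixedVersion": "", "Severity": "UNKNOWN"},
    {"VulnerabilityID": "CVE-2020-8565", "PkgName": "k8s.io/client-go", "InstalledVersion": "v0.18.2", "FixedVersion": "0.20.0-alpha.2", "Severity": "MEDIUM"},
]}]})

# Trivy's severity scale; UNKNOWN ranks lowest, so it only surfaces with min_severity="UNKNOWN".
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# fixed is "" when the advisory feed lists no fixed version for the package.
Finding = namedtuple("Finding", "package vuln_id severity installed fixed")

def load_findings(report_json: str) -> list:
    """Flatten the Go-binary results of a Trivy JSON report into Finding records."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        if result.get("Type") != "gobinary":
            continue
        for v in result.get("Vulnerabilities") or []:  # key is absent when a target is clean
            findings.append(Finding(v["PkgName"], v["VulnerabilityID"], v.get("Severity", "UNKNOWN"),
                                    v.get("InstalledVersion", ""), v.get("FixedVersion", "")))
    return findings

def triage(findings, min_severity="MEDIUM"):
    """Split findings at or above min_severity into dependency bumps a maintainer can make now
    ({package: sorted fixed versions}) and findings with no published fix (replace, patch, or accept)."""
    threshold = SEVERITY_RANK[min_severity]
    bumps, unfixed = {}, []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue
        if f.fixed:
            bumps.setdefault(f.package, set()).add(f.fixed)
        else:
            unfixed.append(f)
    return {pkg: sorted(vs) for pkg, vs in bumps.items()}, unfixed

def release_gate_passes(findings, min_severity="MEDIUM") -> bool:
    """CI policy: block a release only on fixable findings, so unfixable advisories are tracked, not fatal."""
    bumps, _ = triage(findings, min_severity)
    return not bumps
```

On the sample above the gate fails at MEDIUM because golang.org/x/net and k8s.io/client-go both have published fixes, while the aws-sdk-go and coredns advisories land in the no-fix bucket for a separate decision.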