CVE vulnerability for Image traefik:v2.8.1 CVE-2022-2097, CVE-2022-23648, CVE-2022-31030, CVE-2022-29153 & CVE-2022-24687

Hello Team,

The vulnerabilities below have been detected for the traefik (v2.8.1) image by the vulnerability scanner.

Component: libcrypto1.1, libssl1.1, ID: CVE-2022-2097, version: 1.1.1n-r0

Component: containerd (containerd), ID: CVE-2022-23648, CVE-2022-31030, version: v1.5.9

Component: containerd (containerd), ID: CVE-2022-29153, version: v1.10.4

Can someone please help us fix the above vulnerabilities? Are they applicable to the Traefik ingress controller, or are they false positives?

Hello,

Take a look here: Alpine Linux: CVE-2022-2097 · Issue #27 · traefik/traefik-library-image · GitHub

We are not affected by the containerd CVE

Hi @ldez, I have a question regarding this.

There is a cybersecurity mandate coming in to hundreds of companies who are subject to US government regulations whereby we are required to patch every vulnerability shown by a scanning tool, even in cases where the software is using a vulnerable library but does not use the specific feature that is vulnerable from the library.

In the case of Traefik, if this is not patched by your team, it could lead to many many companies being forced to fork your repo to build the software with the patch included, despite the fact that Traefik is not affected. This could lead to chaos in the ecosystem.

We are hoping to discuss further about the decision and would like to collaborate with you rather than to be forced into the situation where we (and as I mentioned hundreds of other orgs) are going to have to make a fork. Can you share any plans on when this might be updated simply to appease the auditors who will be reviewing such findings?

The problem is not Traefik but security scanning tools that report false positives.
The solution is to improve security scanning tools.

The core of the problem is that security scanning tools don't share the same knowledge because those tools sell their knowledge.
The best solution is to have a shared, free and open source security database with a way to report false positives.

Also, the problem related to updating a dependency because of a false positive is the impact of transitive dependencies. For example, an update of Consul can produce an update of gRPC, but gRPC is known to break things between patch/minor versions.
Any update has side effects.

Ok, I think I understand.

So for example with the tool I'm using right now (Trivy), it scans the dependencies mentioned in the traefik binary... I guess it's go.mod and go.sum which are included in the binary. So it's looking at the package versions mentioned, and compares them against the GHSA published vulnerabilities, which is clearly a SAST scan, rather than a DAST scan.

So is there a better tool you recommend for running a DAST scan against the binary? As far as I understood, DAST has to be run on the code, not the binary, whereas SAST can check the package versions mentioned in the binary. So maybe I've missed something there?

Thanks in advance for your insight.
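
An added example, not part of the thread and not Trivy's or Traefik's code: the version-only matching described in the post above, written in Go. It reads the module list the Go toolchain embeds in a binary (`debug/buildinfo`) and compares versions against an advisory list; the `Advisory` type, the advisory ID and its fixed version are constructed for illustration, and only the containerd version comes from the thread.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// Advisory is a constructed stand-in for a GHSA-style record (hypothetical type).
type Advisory struct{ ID, Module, FixedIn string }

// key packs vMAJOR.MINOR.PATCH into one comparable number; suffixes are ignored.
func key(v string) int64 {
	var a, b, c int64
	fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	return a<<40 | b<<20 | c
}

// Match flags deps below an advisory's fixed version; it never checks reachability.
func Match(deps map[string]string, advs []Advisory) (hits []string) {
	for _, a := range advs {
		if v, ok := deps[a.Module]; ok && key(v) < key(a.FixedIn) {
			hits = append(hits, a.ID+" "+a.Module+"@"+v)
		}
	}
	return hits
}

// DepsFromBinary reads the module list the Go toolchain embeds in a binary.
func DepsFromBinary(path string) (map[string]string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	deps := map[string]string{}
	for _, d := range info.Deps {
		deps[d.Path] = d.Version
	}
	return deps, nil
}

func main() {
	// Constructed sample: containerd at the version quoted in the thread, plus a made-up advisory.
	deps := map[string]string{"github.com/containerd/containerd": "v1.5.9"}
	if len(os.Args) > 1 { // or inspect a Go binary given as the first argument (unreadable: no deps)
		deps, _ = DepsFromBinary(os.Args[1])
	}
	advs := []Advisory{{"EXAMPLE-ADVISORY-1", "github.com/containerd/containerd", "v1.5.10"}}
	fmt.Println(Match(deps, advs))
}
```

The match depends only on the module path and version string, so a finding is reported whether or not the binary ever calls the affected package.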

Without a (global) place to report false positives, no tool that only does dependency analysis can be guaranteed without false positives.
So, currently, I don't know a better tool.


Ok, thanks again, I greatly appreciate the additional context.
