Critical CVE-2018-12976 found in latest docker image

[M-JobPixel]

I've recently downloaded the latest docker image and uploaded it to AWS' ECR which scans it for vulnerabilities. It found CVE-2018-12976

It would be nice if this was fixed.

Looking in the CVE database it seems like there was a patch released to fix this, https://nvd.nist.gov/vuln/detail/CVE-2018-12976 so I expect it can be easily remedied by updating the base o/s of the container.

[powersj]

Hi.

It found CVE-2018-12976

As a best practice, it is preferred to disclose CVEs to a security team versus a public issue. You can check out our disclosure steps at: https://www.influxdata.com/how-to-report-security-vulnerabilities/ I'll look at adding a reference to this document into this repo as well.

I've recently downloaded the latest docker image

Which image and which version?

As this repo maintains the images for multiple products include influxdb, telelgraf, etc. it would help to narrow this down.

Thanks!

[M-JobPixel]

Sorry for not following a procedure that I was unaware of. But it's not like this is exactly secret. All I did was download your :latest image from your dockerhub and uploaded it to AWS' ECR whereupon they scanned it, as they do all images, and the report found the CVE. This is a fairly common procedure and one that anyone can easily do.

The Dockerfile I used to build and push the image looks like:

FROM influxdb:latest

So that would be version 2.7.1

[powersj]

The CVE in question references github.com/golang/gddo.

This package is imported in InfluxDB in the go.mod and used by http/telegraf.go specifically github.com/golang/gddo/httputil module with one call to httputil.NegotiateContentType()

As mentioned in the security announcement it appears to only affect users running their own instance of gddo, which InfluxDB is not doing.

I will pass this on to our security team and get a response.

[M-JobPixel]

Thanks for the response.

I guess it's ok to have a potential vulnerability in code which you import and never use.

I will annotate my SOC-2 compliance report with this detail.

[jdstrand]

I will pass this on to our security team and get a response.

Sorry for the delay. @powersj's analysis is correct. While influxdb imports github.com/golang/gddo/httputil, it is only to use httputil.NegotiateContentType which is not affected by this CVE. I'm not sure what capability your tooling has, but I recommend dismissing the alert with either 'inaccurate' or 'code not used'.

[gavin-snorkel]

Hi,
We are running into the same issue as well as our scanner is picking up the critical CVE (https://nvd.nist.gov/vuln/detail/CVE-2018-12976). Unfortunately we don't have a way to dismiss this CVE due to the fact that it's CRITICAL. It seems like it should go away by updating your gddo deps at a later build? (current one at 2018***)

Thanks and really appreciate the help.

-Gavin