CVEs in Cortex 1.16.0
SatyKrish opened this issue · comments
Describe the bug
Sysdig scan is reporting HIGH and MEDIUM vulnerabilities in OpenSSL packages (libcrypto3 and libssl3).
Additional Context
As per the OpenSSL vulnerabilities report, these vulnerabilities don't affect SSL/TLS implementations:
"The OpenSSL SSL/TLS implementation is not affected by the issue."
https://openssl.org/news/vulnerabilities.html
- Is Cortex affected by these CVEs?
- When would these vulnerabilities be resolved?
Cortex itself does not use OpenSSL.
The underlying image, Alpine, has these libraries installed, which we should patch, but it's not as critical.
Then again, this is not the correct way to report a vulnerability. If you wish to report a vulnerability, the procedure is outlined at https://github.com/cortexproject/cortex/blob/master/SECURITY.md#cortex-security-and-disclosure-information
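One way to verify the maintainer's point that the Cortex binary itself does not load OpenSSL, and to sort scanner findings accordingly, as an added example that is not Cortex's own code: it reads the DT_NEEDED entries of a 64-bit little-endian ELF binary and flags findings whose Alpine package ships a library the binary actually links. The package-to-soname map, the CVE ids and the binary path are constructed placeholders.

```python
"""Check whether an ELF binary dynamically links OpenSSL and triage scanner findings."""
import struct

SHT_DYNAMIC, DT_NULL, DT_NEEDED = 6, 0, 1
# Constructed map of Alpine package -> soname it ships (assumption for this example).
PKG_SONAMES = {"libssl3": "libssl.so.3", "libcrypto3": "libcrypto.so.3"}


def elf_needed(path):
    """Return the set of DT_NEEDED sonames of a 64-bit little-endian ELF file.
    A static binary (e.g. a typical Go build) or a non-ELF64/LE file yields an empty set."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return set()
    shoff = struct.unpack_from("<Q", data, 0x28)[0]          # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)  # e_shentsize, e_shnum
    sections = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
                for i in range(shnum)]
    needed = set()
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        off, size, link, entsize = sh[4], sh[5], sh[6], sh[9] or 16
        strtab = data[sections[link][4]:sections[link][4] + sections[link][5]]  # .dynstr
        for pos in range(off, off + size, entsize):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.add(strtab[val:strtab.index(b"\0", val)].decode())
    return needed


def triage(findings, needed, pkg_sonames=PKG_SONAMES):
    """Split (cve, package, severity) findings into those reachable through the binary's
    linked libraries and those that only sit in the base image. Packages with no known
    soname are conservatively treated as reachable."""
    reachable, base_only = [], []
    for finding in findings:
        soname = pkg_sonames.get(finding[1])
        (reachable if soname is None or soname in needed else base_only).append(finding)
    return reachable, base_only


if __name__ == "__main__":
    # Constructed scanner output; replace the binary path with the Cortex binary under review.
    sample = [("CVE-PLACEHOLDER-1", "libssl3", "HIGH"), ("CVE-PLACEHOLDER-2", "libcrypto3", "MEDIUM")]
    hit, base = triage(sample, elf_needed("/bin/sh"))
    print("reachable via linked libs:", hit, "\nbase image only:", base)
```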
Thanks. Noted.