CVEs in Cortex 1.16.0

Question

CVEs in Cortex 1.16.0

SatyKrish opened this issue 6 months ago · comments

Describe the bug
Sysdig scan is reporting HIGH and MEDIUM vulnerabilities in OpenSSL packages (libcrypto3 and libssl3)

CVE-2023-5363
CVE-2023-5678

Additional Context
As per OpenSSL vulnerabilities report, these vulnerabilities doesn’t affect SSL/TLS implementations.

‘The OpenSSL SSL/TLS implementation is not affected by the issue.’
https://openssl.org/news/vulnerabilities.html

Is Cortex affected by these CVEs?
When would these vulnerabilities be resolved?

Friedrich Gonzalez · Answer 1 · Wed Dec 20 2023 02:21:38 GMT+0800 (China Standard Time)

cortex itself does not use openssl.
The underlying image, alpine, has these libraries installed.
Which we should patch, but it's not as critical

Then again this is not the correct way to report a vulnerability. If you wish to report a vulnerability, the procedure is outlined on https://github.com/cortexproject/cortex/blob/master/SECURITY.md#cortex-security-and-disclosure-information

satykrish · Answer 2 · Wed Dec 20 2023 03:51:18 GMT+0800 (China Standard Time)

cortex itself does not use openssl. The underlying image, alpine, has these libraries installed. Which we should patch, but it's not as critical

Then again this is not the correct way to report a vulnerability. If you wish to report a vulnerability, the procedure is outlined on https://github.com/cortexproject/cortex/blob/master/SECURITY.md#cortex-security-and-disclosure-information

Thanks. Noted.