traefik / traefik-library-image

Used to build Official Docker image of Traefik Proxy

Home Page: https://store.docker.com/images/traefik


Vulnerability in Traefik Image

aravinthkarur opened this issue · comments

Hi All,

We are using the latest version of the Traefik image from Docker, but our security scan reported the vulnerabilities below. Can you please let us know which version to use to fix these vulnerabilities, or is there any other way to fix them? Please do the needful.

GHSA-qq97-vm5h-rrhg
GHSA-crp2-qrr5-8pq7
GHSA-q6h7-4qgw-2j9p
GHSA-m69r-9g56-7mv8
GHSA-2qjp-425j-52j9
GHSA-hj93-5fg3-3chr
GHSA-5ffw-gxpp-mxpf

Hi,

we are not affected by those CVEs because they affect pieces of code that we don't use.
For example, the Consul CVE is about the Consul server but we are only using the client.

Please check the below comment from Microsoft and help us to fix the vulnerability.

For this hash/image we saw that the scanner did find the affected software, despite the comments from the GitHub thread. I’m presenting a summary, down below, with the version of the image and the version needed to fix the vulnerability per package.

[image attached]

Hello,

we are not affected by those CVEs because they affect pieces of code that we don't use.
For example, the Consul CVE is about the Consul server but we are only using the client.

Also, the problem related to updating a dependency because of a false positive is the impact of transitive dependencies. For example, an update of Consul can produce an update of gRPC, but gRPC is known to break things between patch/minor versions.
Any update has side effects.

We are not the only ones that complain about false positives related to vulnerability scanning tools:

The real solution is to improve vulnerability scanning tools.

The core of the problem is that vulnerability scanning tools don't share the same knowledge.
The best solution is to have a shared, free, and open-source security database with a way to report false positives.
Without a global place to report false positives, no tool that only does dependency analysis can be guaranteed without false positives.

Please be sure that we analyze all the CVEs related to Traefik and guarantee their treatment in the shortest possible time when we are impacted by them.
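The maintainer's point above is that a dependency-only scanner matches module versions against advisory ranges and cannot see whether the affected code path is ever used. The following Python, added here as an example and not code from the Traefik project or from any scanner mentioned in the thread, shows that version-range matching in isolation: it reads the module table that Go embeds in a binary (the `go version -m` output format), compares each module against a list of constructed advisories (placeholder ids and made-up fixed versions, not the GHSA ids listed above), and reports which ones match by version alone. The sample build info is constructed too; the module names are real Go module paths but the versions and checksums do not describe any Traefik release.

```python
"""Version-range matching of advisories against the Go modules embedded in a
binary, the way a dependency-only scanner does it.  All advisory data and the
`go version -m` output below are constructed for this example."""
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of `go version -m /path/to/binary` output.  Go binaries
# embed this build-info table; the module names are real, the versions and
# checksums are made up and do not describe any actual Traefik release.
SAMPLE_GO_VERSION_M = """\
/usr/local/bin/traefik: go1.19.2
\tpath\tgithub.com/traefik/traefik/v2/cmd/traefik
\tmod\tgithub.com/traefik/traefik/v2\t(devel)
\tdep\tgithub.com/hashicorp/consul/api\tv1.13.0\th1:CONSTRUCTEDSUM=
\tdep\tgoogle.golang.org/grpc\tv1.48.0\th1:CONSTRUCTEDSUM=
\tdep\tgolang.org/x/net\tv0.1.0-rc1\th1:CONSTRUCTEDSUM=
"""


class Advisory(NamedTuple):
    id: str               # placeholder identifier, not a real GHSA/CVE
    module: str           # Go module path the advisory is filed against
    fixed: Optional[str]  # first fixed version, None if no fix is published


# Constructed advisories; none of these correspond to the ids in the thread.
ADVISORIES: List[Advisory] = [
    Advisory("EXAMPLE-ADV-1", "github.com/hashicorp/consul/api", "v1.14.0"),
    Advisory("EXAMPLE-ADV-2", "google.golang.org/grpc", "v1.47.0"),
    Advisory("EXAMPLE-ADV-3", "golang.org/x/crypto", "v0.2.0"),
    Advisory("EXAMPLE-ADV-4", "golang.org/x/net", "v0.1.0"),
]


def parse_go_modules(text: str) -> Dict[str, str]:
    """Return {module path: version} from the `dep` lines of `go version -m`
    output.  The header, `path`/`mod` lines and `=>` replacement lines are
    skipped."""
    modules: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if len(fields) >= 3 and fields[0] == "dep":
            modules[fields[1]] = fields[2]
    return modules


def parse_version(v: str) -> tuple:
    """Order semver-like Go versions as (major, minor, patch, is_release).
    A pre-release such as v1.2.3-rc1 sorts below the release v1.2.3."""
    core, _, prerelease = v.lstrip("v").partition("-")
    core = core.split("+", 1)[0]          # drop build metadata if present
    nums = [int(p) for p in core.split(".")]
    while len(nums) < 3:
        nums.append(0)
    return (*nums[:3], 0 if prerelease else 1)


def match_advisories(modules: Dict[str, str],
                     advisories: List[Advisory]) -> List[dict]:
    """Classify each advisory against the embedded module versions.
    'version_matched' means only that the module version is in the affected
    range; whether the vulnerable code is ever reached is not decided here."""
    results = []
    for adv in advisories:
        found = modules.get(adv.module)
        if found is None:
            status = "not_present"
        elif adv.fixed is None or parse_version(found) < parse_version(adv.fixed):
            status = "version_matched"
        else:
            status = "fixed"
        results.append({"id": adv.id, "module": adv.module,
                        "version": found, "status": status})
    return results


if __name__ == "__main__":
    for r in match_advisories(parse_go_modules(SAMPLE_GO_VERSION_M), ADVISORIES):
        print(f"{r['id']:15} {r['module']:35} {str(r['version']):12} {r['status']}")
```

A `version_matched` result here is the kind of finding the scan in the thread reports. Deciding whether it is a true positive still requires knowing whether the binary reaches the affected function (server versus client code in the Consul example above), which this matching alone cannot determine.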

Hi,
Yesterday I observed that the Traefik latest version was updated a day ago, so I downloaded and scanned the image. Out of 7 affected CVEs, 6 are remediated; one is pending, CVE-2022-40716. If it is a false positive vulnerability, how are the 6 CVEs fixed in the latest update?

[image attached]

If it is a false positive vulnerability, how are the 6 CVEs fixed in the latest update?

There is no correlation between the update of some dependencies and the status of these vulnerabilities.