HCSEC-2023-19 - Terraform Enterprise, Docker Engine, and Go’s CVE-2023-24540

Bulletin ID: HCSEC-2023-19
Affected Products / Versions: Terraform Enterprise up to v202303-1.
Publication Date: June 28, 2023

Summary
Up until June 2023, Docker Engine 20.10 was the highest release officially supported by Terraform Enterprise (TFE). However, that version is no longer supported by Docker, and it was built with a version of Go for which a number of CVEs have since been disclosed.

While these CVEs are unlikely to be exposed in the TFE context, the TFE team has validated support for newer releases of Docker Engine on TFE v202303 and later, and has updated the documentation to reflect this change.

A July 19, 2023 change to the TFE installer (install.sh) will make Docker Engine 24.0 the default Docker version. This may be a breaking change for some customers, as it will alter the steps required for a successful installation of TFE v202302-1 and earlier.

In order to reduce security risk and stay current with TFE development, customers should consider running TFE v202303-1 or newer, and Docker Engine 24.0.

Background
Terraform Enterprise (TFE) requires that Docker Engine be available for successful installation and operation. Docker Engine is built using the Go language and libraries.

For more information about architecture, installation, and operation, please see the TFE documentation.

Details
On May 2, 2023, the Go team announced new Go releases that included a fix for CVE-2023-24540 (improper handling of JavaScript whitespace, a sanitization issue in Go's html/template package).

The Go team, per policy, did not score the issue in their disclosure. The issue only affects code that renders untrusted input through html/template, so many products or tools built with older Go releases are very likely not vulnerable to it.

However, a 9.8 / critical CVSS score was assigned in the NIST NVD. This score will likely be adopted and reported by vulnerability scanners, including those used by TFE customers, without reflecting the nuance described above.

Various Docker products and tools are built using Go, including Docker Engine that is used by TFE. However, this does not mean they are vulnerable to CVE-2023-24540. A simple search of the moby GitHub organization shows very little usage of the html/template package. A similar search of the docker GitHub organization also shows very little usage of the html/template package.

Docker and the underlying Moby project have both adopted the newer Go version. However, the Docker team stated that they would not be packaging the 20.10.25 release for distribution. This essentially puts the 20.10 branch into an unsupported state, unless packaging is taken on by another party.

Per analysis, this CVE is unlikely to be exposed in Docker or in Terraform Enterprise, particularly when following the recommendations for secure TFE operation. However, the TFE team has validated newer releases of Docker Engine on TFE v202303-1 and later, and has updated the documentation to reflect this support change.
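Vulnerability scanners flag a binary by the Go toolchain it was built with, so the first thing a practitioner wants to know is which side of the fix the running Docker Engine falls on. The following script is an added example, not part of the HashiCorp bulletin or of Docker's or TFE's own tooling. It assumes the CVE-2023-24540 fix shipped in go1.19.9 and go1.20.4 (the Go releases of May 2, 2023) and that every later minor line (go1.21 and up) contains it; the `docker version --format` template fields `.Server.GoVersion` and `.Server.Version` are standard Docker CLI fields, and the sample version strings in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HashiCorp bulletin, Docker or TFE): classify the
# Go toolchain a Docker Engine was built with against the CVE-2023-24540 fix.
# Assumption: the fix shipped in go1.19.9 and go1.20.4; go1.21+ contains it.
# A pre-fix toolchain is what scanners key on; real exposure still requires the
# binary to pass untrusted input through html/template, which dockerd barely uses.

# go_has_fix VERSION : exit 0 if VERSION (e.g. "go1.19.8") contains the fix,
#                      1 if it predates the fix, 2 if the string is unparseable.
go_has_fix() {
    v="${1#go}"                             # "go1.19.8" -> "1.19.8"
    major="${v%%.*}"                        # "1"
    rest="${v#*.}"                          # "19.8"
    minor="${rest%%.*}"                     # "19"  ("20rc1" for go1.20rc1)
    minor="${minor%%[!0-9]*}"               # strip rc/beta suffix -> "20"
    case "$rest" in
        *.*) patch="${rest#*.}" ;;          # "8"
        *)   patch=0 ;;                     # "go1.20" / "go1.20rc1" count as X.Y.0
    esac
    patch="${patch%%[!0-9]*}"               # "4rc1" -> "4"
    if [ -z "$patch" ]; then patch=0; fi
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;            # not a Go version string at all
    esac
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$minor" -ge 21 ]; then return 0; fi
    if [ "$minor" -eq 20 ] && [ "$patch" -ge 4 ]; then return 0; fi
    if [ "$minor" -eq 19 ] && [ "$patch" -ge 9 ]; then return 0; fi
    return 1
}

# classify VERSION : print "fixed" or "pre-fix" for one toolchain string.
classify() {
    if go_has_fix "$1"; then echo fixed; else echo pre-fix; fi
}

# report_dockerd : ask the running engine (needs the docker CLI) and classify it.
report_dockerd() {
    gover="$(docker version --format '{{.Server.GoVersion}}')" || return 2
    ver="$(docker version --format '{{.Server.Version}}')"
    printf 'Docker Engine %s built with %s: %s\n' "$ver" "$gover" "$(classify "$gover")"
}

# demo : constructed sample toolchain strings, so the verdicts can be seen
# without a Docker daemon present.
demo() {
    for gv in go1.19.7 go1.19.9 go1.20.3 go1.20.4 go1.20rc1 go1.21.0; do
        printf '%-10s %s\n' "$gv" "$(classify "$gv")"
    done
}

# With arguments, classify each one; with none, print the constructed demo table.
if [ $# -gt 0 ]; then
    for gv in "$@"; do printf '%s %s\n' "$gv" "$(classify "$gv")"; done
else
    demo
fi
```

To check a TFE host, run `report_dockerd` where the docker CLI can reach the engine, or feed the toolchain shown by `go version -m /usr/bin/dockerd` (Go 1.13+ binaries embed it) to `classify` for an offline binary. A "pre-fix" verdict reproduces what the scanner sees; whether that is an actual exposure still depends on html/template usage, as discussed above.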

Remediation
TFE customers should evaluate the risk associated with this issue. In order to reduce security risk and stay current with TFE development, they should consider running TFE v202303-1 or newer, and Docker Engine 24.0.

A July 19, 2023 change to the TFE installer (install.sh) will make Docker Engine 24.0 the default Docker version. This may be a breaking change for some customers, as it will alter the steps required for a successful installation of TFE v202302-1 and earlier.

Customers who choose to continue using an older version of TFE and Docker Engine 20.10 will need to either manually install Docker Engine before running the TFE installer (install.sh), or override the Docker version using the installer's docker-version flag (e.g. ./install.sh docker-version=20.10.8).

Customers should engage their HashiCorp support channels for additional guidance if needed.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.

Frequently Asked Questions

How are running instances impacted by the install.sh change?

Running instances of Terraform Enterprise are not impacted by the install.sh change. Docker will not be automatically updated for running instances. Only the default version of Docker that Replicated installs with install.sh is being updated.

Can I opt-out of upgrading to v202303 (or higher) and accept the risk of running an older Docker version?

Yes. If you would like to continue using an older Docker version there are two ways to do so with install.sh:

  • Manually install an older Docker version before running install.sh, or
  • Use the docker-version flag for install.sh (e.g. install.sh docker-version=20.10.17).

I currently configure Docker myself rather than using the default docker version Replicated installs with install.sh. Will this change cause me to use the default Docker version instead?

No. There will be no change in the behavior of install.sh. If you currently configure Docker yourself using any supported option (such as those described above), that will continue to work.