Questions about Vault 1.9.0 Docker Image Vulnerabilities

dhongyt · February 1, 2022, 7:09pm

Hello,

I have been running Anchore security scans against Vault 1.9.0 and 1.9.2 Docker images and have identified a couple of vulnerabilities.

github.com/hashicorp/nomad/api
CVE-2020-7956
CVE-2020-7218
CVE-2021-3283
CVE-2021-37218

CVE-2019-20933

google.golang.org/protobuf
CVE-2015-5237

Based off the report, could any of these findings be mitigated, resolved, or plans to be fix in the next version of Vault?

Thank you for your time.

mickael · March 7, 2022, 7:13pm

Hello, @dhongyt , thanks for your message.

Per our security policy, security@hashicorp.com is the preferred communication method for future vulnerability reports.

We take a risk-based approach to adopting dependency updates including security fixes as part of our ongoing product development lifecycle. You’ll generally see these addressed in future releases.

github.com/hashicorp/nomad/api: The vulnerabilities listed affect the Nomad service, and not the client API. The use of the Nomad API client in Vault does not introduce further risk to Vault.
github.com/influxdata/influxdb (CVE-2019-20933): The vulnerability affects the server component, whereas Vault uses the influxDB client when enabled by an operator. The library has been updated in Update influxdb client by tsaarni · Pull Request #12262 · hashicorp/vault · GitHub and will be released in Vault 1.10 (to be released in the coming days).
google.golang.org/protobuf This is a transitive dependency introduced via etcd, and used for tests only.