Vulnerabilities in dependencies

Hi,
Because of compliance requirements in our organisation, we have to verify that the third party dependencies used in Terraform don’t have vulnerabilities reported against them. Apparently, two dependencies for Terraform 0.14.8 have vulnerabilities reported:

  1. github.com/gorilla/websocket v1.4.0 // indirect

     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27813

  2. github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089

     https://nvd.nist.gov/vuln/detail/CVE-2020-28053
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7955

What would be the recommended approach in this situation?

  • Can we confirm that these reported vulnerabilities in the dependencies don’t affect Terraform?
  • Can we expect that in one of the next 14.* versions of Terraform, newer versions of the affected module will be used (where the vulnerabilities have been fixed)?
  • Or, would you rather recommend that we uptake newer versions of these 3rd party modules by building the Terraform binary ourselves? (At the moment we don’t have “go” expertise in-house, so our preference is to uptake a binary version of Terraform from HashiCorp rather than building the binary.)

Thanks.

Hi @gihari,

I’m not sure what is required for your case to verify the vulnerabilities, but neither of those reports is relevant to Terraform itself.

The Terraform CLI does not run a webserver, and the websocket module is only a transitive dependency from the etcdv2 backend client. Terraform also does not run a consul server, and only lists that module for dependencies within the consul backend. Modules listed as dependencies may contain many packages, and few or none of those packages may be compiled into the final binary.

Perhaps it’s sufficient in your case to inspect a running terraform instance, and see that it does not accept any incoming network connections?

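The reply above makes a point that a go.mod-based scanner misses: a module can be required by go.mod yet contribute no package to the linked binary. One way to check that for a compliance record, as an added example that is not from this thread and not Terraform's own tooling, is to compare the go.mod `require` block with the module list a Go toolchain embeds in the binary (the text printed by `go version -m <binary>`, where only modules that actually provided packages appear as `dep` lines). Everything below is constructed: the go.mod excerpt and build-info text are stand-ins shaped like the real outputs, the "fixed in" versions in `ADVISORIES` are placeholders to be replaced with the values from the advisories, and the parsing regexes and version ordering are this example's own.

```python
"""Report which advisory-listed go.mod dependencies reach a Go binary.

Added example, not from the thread or from Terraform. It parses a go.mod
require block and the `dep` lines of `go version -m` output, then
classifies each advisory module as not required, required but not linked,
linked but below the fixed version, or linked at/above the fix.
All inputs below are constructed for illustration.
"""
import re

# Constructed go.mod excerpt: module names follow the thread, layout and
# the extra entry are illustrative.
SAMPLE_GO_MOD = """\
module github.com/hashicorp/terraform

go 1.16

require (
\tgithub.com/gorilla/websocket v1.4.0 // indirect
\tgithub.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089
\tgithub.com/hashicorp/hcl/v2 v2.8.2
)
"""

# Constructed stand-in for `go version -m terraform` output. Only modules
# that contributed packages to the link appear as "dep" lines, so consul
# is absent even though go.mod requires it.
SAMPLE_BUILD_INFO = """\
terraform: go1.16.2
\tpath\tgithub.com/hashicorp/terraform
\tmod\tgithub.com/hashicorp/terraform\t(devel)
\tdep\tgithub.com/gorilla/websocket\tv1.4.0\th1:PLACEHOLDER_SUM
\tdep\tgithub.com/hashicorp/hcl/v2\tv2.8.2\th1:PLACEHOLDER_SUM
"""

# Constructed advisory table: module -> first version assumed to carry the
# fix. These are placeholders; take the real values from each advisory.
ADVISORIES = {
    "github.com/gorilla/websocket": "v1.4.1",
    "github.com/hashicorp/consul": "v1.9.0",
}

REQUIRE_RE = re.compile(r"^\s*(\S+)\s+(v\S+)(?:\s*//.*)?$")
DEP_RE = re.compile(r"^\tdep\t(\S+)\t(\S+)")


def parse_go_mod(text):
    """Return {module: version} from a multi-line require block."""
    deps = {}
    in_require = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("require ("):
            in_require = True
            continue
        if in_require and stripped == ")":
            in_require = False
            continue
        if in_require:
            m = REQUIRE_RE.match(line)
            if m:
                deps[m.group(1)] = m.group(2)
    return deps


def parse_build_info(text):
    """Return {module: version} for the dep lines of `go version -m` output."""
    linked = {}
    for line in text.splitlines():
        m = DEP_RE.match(line)
        if m:
            linked[m.group(1)] = m.group(2)
    return linked


def version_key(v):
    """Ordering key for tagged and pseudo Go module versions.

    "v1.4.0" -> ((1, 4, 0), 1, ""); "v0.0.0-20171026175957-610f3c86a089"
    -> ((0, 0, 0), 0, "20171026175957-..."), so a pseudo-version sorts
    below the tagged release of the same base, as semver pre-releases do.
    """
    base, _, suffix = v.lstrip("v").partition("-")
    nums = tuple(int(p) for p in base.split("."))
    return (nums, 0, suffix) if suffix else (nums, 1, "")


def assess(go_mod_deps, linked_deps, advisories):
    """Classify each advisory module against go.mod and the linked binary."""
    findings = {}
    for module, fixed_in in advisories.items():
        if module not in go_mod_deps:
            findings[module] = "not required"
        elif module not in linked_deps:
            findings[module] = "required but not linked"
        elif version_key(linked_deps[module]) < version_key(fixed_in):
            findings[module] = "linked, version %s below fix %s" % (
                linked_deps[module], fixed_in)
        else:
            findings[module] = "linked, at or above fix"
    return findings


if __name__ == "__main__":
    result = assess(parse_go_mod(SAMPLE_GO_MOD),
                    parse_build_info(SAMPLE_BUILD_INFO), ADVISORIES)
    for module, status in sorted(result.items()):
        print(module, "->", status)
```

On the constructed input this reports consul as "required but not linked" and websocket as linked at a version below the placeholder fix. A module that is linked is still only a candidate: the reply's point that the CLI never listens for connections is about whether the vulnerable code path is reachable, which this module-level check cannot decide. Go's own `govulncheck` (from golang.org/x/vuln) does that finer, symbol-level analysis on a binary, and is the tool to reach for when the compliance record needs more than a module inventory.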

Thank you! I think this is a reasonable explanation, viz. these vulnerabilities are only applicable if Terraform listens for incoming network connections (which it doesn’t). Let me check if this makes our security team happy.