Vulnerabilities in dependencies

gihari · March 19, 2021, 9:22am

Hi,
Because of compliance requirements in our organisation, we have to verify that the third party dependencies used in Terraform don’t have vulnerabilities reported against them. Apparently, two dependencies for Terraform 0.14.8 have vulnerabilities reported:

github.com/gorilla/websocket v1.4.0 // indirect

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27813

github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089

https://nvd.nist.gov/vuln/detail/CVE-2020-28053
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7955

What would be recommended approach in this situation?

Can we confirm that these reported vulnerabilities in the dependencies don’t affect Terraform?
Can we expect that in one of the next 14.* versions of Terraform, newer versions of the affected module will be used (where the vulnerabilities have been fixed)?
Or, would you rather recommend that we uptake newer versions of these 3rd party modules by building the Terraform binary by ourselves ? ( At the moment we don’t have “go” expertise in-house, so our preference is to uptake a binary version of Terraform from Hashicorp rather than building the binary).

Thanks.

jbardin · March 19, 2021, 2:08pm

Hi @gihari,

I’m not sure what is required for your case to verify the vulnerabilities, but neither of those reports are relevant to Terraform itself.

The Terraform cli does not run a webserver, and the websocket module is only a transitive dependency from the etcdv2 backend client. Terraform also does not run a consul server, and only lists that module for dependencies within the consul backend. Modules listed as dependencies may contain many packages, and few or none of those packages may be compiled in the final binary.

Perhaps it’s sufficient in your case to inspect a running terraform instance, and see that it does not accept any incoming network connections?

gihari · March 20, 2021, 6:37am

Thank you ! I think this is a reasonable explanation, viz, these vulnerabilities are only applicable if Terraform listens to incoming networking connections (which it doesn’t). Let me check if this makes our security team happy.

Topic		Replies	Views
Terraform vulnerability for version 1.5.7 & 1.7.5 Terraform hcp-terraform	4	595	July 8, 2024
HCSEC-2023-19 - Terraform Enterprise, Docker Engine, and Go’s CVE-2023-24540 Security security-terraform	1	7051	June 28, 2023
Getting Vulnerabilities with the latest version of Consul Consul consul-template , envconsul , consul-vault , consul-terraform-sync	0	409	March 25, 2022
Trivy-findining (High) Terraform	1	449	March 30, 2023
Consul-Terraform-Sync v0.3.1 Consul nia , consul-terraform-sync , release-notification	0	381	January 18, 2022

Vulnerabilities in dependencies

Related topics