Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: Dependency update request for docker - CVE-2024-41110 #1080

Open
casey-robertson-paypal opened this issue Aug 7, 2024 · 3 comments · Fixed by #1078
Open

Bug: Dependency update request for docker - CVE-2024-41110 #1080

casey-robertson-paypal opened this issue Aug 7, 2024 · 3 comments · Fixed by #1078

Comments

@casey-robertson-paypal
Copy link

casey-robertson-paypal commented Aug 7, 2024
edited
Loading

Describe the bug

Not a bug per-se but a package dependency update request. Our AWS vuln scanning (Wiz.io) is picking up signatures for this CVE from file system builds and package dependencies in our Go apps. Gnomock is using the Docker package to spin up containers I presume and is using a vulnerable version to do so.

gnomock is currently depending on github.com/docker/[email protected]:

gnomock/go.mod

Line 11 in b57afd8

github.com/docker/docker v26.1.3+incompatible

Example from our scan tool (app names redacted)

The library github.com/docker/docker version 24.0.5+incompatible was detected in Golang go.mod located at /[Partition=370c33d0]/volumes/buildx_buildkit_builder-ce7c9c28-1446-41b0-9d2f-9e79efe2737e0_state/_data/runc-overlayfs/snapshots/snapshots/23/fs/go/pkg/mod/github.com/xxxxx/[email protected]/go.mod on line 56 and is vulnerable to CVE-2024-41110, which exists in versions >= 24.0.0, < 25.0.6.

This coming in via indirect dependencies. Several of our apps directly leverage the gnomock package or reference a util package of ours that uses it. I have seen both 0.30.0 and 0.31.0 being used in our environment.

The version that fixes the issue is 27.1.1: moby/moby#48223

To Reproduce
Run a vuln scan tool for this CVE on a container of codebase with a dependency on github.com/docker/[email protected] for example.

Expected behavior
Clean vuln scans

Additional context
Add any other context about the problem here.

If you read through the vulnerability and the attack vector - the real world risk is quite low. We have confirmed we not running the authz plugin anywhere and it's no on by default. But security programs being what they are, the scanning tools and security engineers won't rest until these scans go green :-)
@orlangure orlangure linked a pull request Aug 8, 2024 that will close this issue
Bump github.com/docker/docker from 26.1.3+incompatible to 27.1.1+incompatible #1078
Merged
@orlangure
Copy link
Owner

Thanks for the report, I merged #1078 and this is now fixed.
Can you use latest until I prepare a new release?

@casey-robertson-paypal
Copy link
Author

Thanks for the report, I merged #1078 and this is now fixed. Can you use latest until I prepare a new release?

Thank you! I've put the message out to our teams re: latest

@casey-robertson-paypal
Copy link
Author

I'm not sure how the cleaner tool/cmd is used but it also has an older docker dependency:

gnomock/cmd/cleaner/go.mod

Line 11 in a834aaf

github.com/docker/docker v24.0.9+incompatible // indirect

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bump github.com/docker/docker from 26.1.3+incompatible to 27.1.1+incompatible orlangure/gnomock
2 participants
@orlangure @casey-robertson-paypal