UNCLASSIFIED - NO CUI

Skip to content

chore(findings): hashicorp/consul-enterprise

Summary

hashicorp/consul-enterprise has 70 new findings discovered during continuous monitoring.

id source severity package
CVE-2023-1667 Anchore CVE Medium libssh-config-0.9.6-3.el8
CVE-2023-27043 Anchore CVE Medium python3-libs-3.6.8-48.el8_7.1
CVE-2023-34969 Anchore CVE Medium dbus-daemon-1:1.12.8-23.el8_7.1
GHSA-cg3q-j54f-5p7p Anchore CVE High github.com/prometheus/client_golang-v1.4.0
CVE-2023-2283 Anchore CVE Medium libssh-config-0.9.6-3.el8
CVE-2023-32681 Anchore CVE Medium python3-requests-2.20.0-2.1.el8_1
CVE-2023-2283 Anchore CVE Medium libssh-0.9.6-3.el8
CVE-2023-2953 Anchore CVE Low openldap-2.4.46-18.el8
CVE-2023-27043 Anchore CVE Medium platform-python-3.6.8-48.el8_7.1
CVE-2023-28321 Anchore CVE Medium libcurl-7.61.1-25.el8_7.3
CVE-2023-34969 Anchore CVE Medium dbus-common-1:1.12.8-23.el8_7.1
CVE-2023-2603 Anchore CVE Medium libcap-2.48-4.el8
CVE-2023-30571 Anchore CVE Medium libarchive-3.3.3-4.el8
CVE-2023-34969 Anchore CVE Medium dbus-tools-1:1.12.8-23.el8_7.1
CVE-2023-28321 Anchore CVE Medium curl-7.61.1-25.el8_7.3
CVE-2023-2602 Anchore CVE Low libcap-2.48-4.el8
GHSA-8cfg-vx93-jvxw Anchore CVE Medium k8s.io/client-go-v0.18.2
CVE-2023-34969 Anchore CVE Medium dbus-1:1.12.8-23.el8_7.1
GHSA-ch7v-37xg-75ph Anchore CVE Medium github.com/coredns/coredns-v1.1.2
GHSA-h828-v5pv-33qx Anchore CVE Medium github.com/coredns/coredns-v1.1.2
CVE-2023-34969 Anchore CVE Medium dbus-libs-1:1.12.8-23.el8_7.1
CVE-2023-1667 Anchore CVE Medium libssh-0.9.6-3.el8
CVE-2023-36632 Anchore CVE Medium platform-python-3.6.8-48.el8_7.1
CVE-2023-36191 Anchore CVE Low sqlite-libs-3.26.0-17.el8_7
CVE-2023-36632 Anchore CVE Medium python3-libs-3.6.8-48.el8_7.1
CVE-2023-29405 Twistlock CVE Critical go-1.20.4
CVE-2023-29404 Twistlock CVE Critical go-1.20.4
CVE-2023-29402 Twistlock CVE Critical go-1.20.4
CVE-2023-29403 Twistlock CVE High go-1.20.4
CVE-2022-21698 Twistlock CVE High github.com/prometheus/client_golang-v1.4.0
CVE-2023-30630 Twistlock CVE Medium dmidecode-3.3-4.el8
CVE-2023-29491 Twistlock CVE Medium ncurses-base-6.1-9.20180224.el8
CVE-2023-29491 Twistlock CVE Medium ncurses-libs-6.1-9.20180224.el8
PRISMA-2023-0056 Twistlock CVE Medium github.com/sirupsen/logrus-v1.4.2
CVE-2023-34969 Twistlock CVE Medium dbus-libs-1.12.8-23.el8_7.1
CVE-2023-34969 Twistlock CVE Medium dbus-tools-1.12.8-23.el8_7.1
CVE-2023-34969 Twistlock CVE Medium dbus-daemon-1.12.8-23.el8_7.1
CVE-2023-34969 Twistlock CVE Medium dbus-common-1.12.8-23.el8_7.1
CVE-2023-34969 Twistlock CVE Medium dbus-1.12.8-23.el8_7.1
CVE-2020-24736 Twistlock CVE Medium sqlite-libs-3.26.0-17.el8_7
CVE-2023-28321 Twistlock CVE Medium curl-7.61.1-25.el8_7.3
CVE-2023-28321 Twistlock CVE Medium libcurl-7.61.1-25.el8_7.3
CVE-2023-29383 Twistlock CVE Medium libuuid-2.32.1-39.el8_7
CVE-2023-29383 Twistlock CVE Medium libfdisk-2.32.1-39.el8_7
CVE-2023-29383 Twistlock CVE Medium libsmartcols-2.32.1-39.el8_7
CVE-2023-29383 Twistlock CVE Medium libblkid-2.32.1-39.el8_7
CVE-2023-29383 Twistlock CVE Medium libmount-2.32.1-39.el8_7
CVE-2023-29383 Twistlock CVE Medium util-linux-2.32.1-39.el8_7
CVE-2023-30571 Twistlock CVE Medium libarchive-3.3.3-4.el8
CVE-2023-27043 Twistlock CVE Medium platform-python-3.6.8-48.el8_7.1
CVE-2023-27043 Twistlock CVE Medium python3-libs-3.6.8-48.el8_7.1
CVE-2023-2283 Twistlock CVE Medium libssh-config-0.9.6-3.el8
CVE-2023-2283 Twistlock CVE Medium libssh-0.9.6-3.el8
CVE-2023-2603 Twistlock CVE Medium libcap-2.48-4.el8
CVE-2023-1667 Twistlock CVE Medium libssh-0.9.6-3.el8
CVE-2023-1667 Twistlock CVE Medium libssh-config-0.9.6-3.el8
CVE-2022-2837 Twistlock CVE Medium github.com/coredns/coredns-v1.1.2
CVE-2022-2835 Twistlock CVE Medium github.com/coredns/coredns-v1.1.2
CVE-2020-8565 Twistlock CVE Medium k8s.io/client-go-v0.18.2
CVE-2023-2222 Twistlock CVE Medium gdb-gdbserver-8.2-19.el8
CVE-2023-2953 Twistlock CVE Low openldap-2.4.46-18.el8
CVE-2023-2650 Twistlock CVE Low openssl-1.1.1k-9.el8_7
CVE-2023-2650 Twistlock CVE Low openssl-libs-1.1.1k-9.el8_7
CVE-2023-32665 Twistlock CVE Low glib2-2.56.4-159.el8
CVE-2023-32611 Twistlock CVE Low glib2-2.56.4-159.el8
CVE-2023-29499 Twistlock CVE Low glib2-2.56.4-159.el8
CVE-2023-32636 Twistlock CVE Low glib2-2.56.4-159.el8
CVE-2023-2602 Twistlock CVE Low libcap-2.48-4.el8
CVE-2023-36191 Twistlock CVE Low sqlite-libs-3.26.0-17.el8_7
CVE-2023-32731 Twistlock CVE High google.golang.org/grpc-v1.37.1

VAT: https://vat.dso.mil/vat/image?imageName=hashicorp/consul-enterprise&tag=1.13.9&branch=master
More information can be found in the failed pipeline located here: https://repo1.dso.mil/dsop/hashicorp/consul-enterprise/1.13/-/jobs/15425598

Tasks

Contributor:

  • Provide justifications for findings in the VAT (docs)
  • Apply the ~"Hardening::Approval" label to this issue and wait for feedback

Iron Bank:

  • Review findings and justifications
  • Send approval request to Authorizing Official
  • Close issue after approval from Authorizing Official

Note: If the above approval process is rejected for any reason, the Approval label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Approval label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.

Edited by Ghost User
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

UNCLASSIFIED - NO CUI