
CVEs in Cortex 1.16.0

Open SatyKrish opened this issue 2 years ago • 2 comments

Describe the bug

Sysdig scan is reporting HIGH and MEDIUM vulnerabilities in the OpenSSL packages (libcrypto3 and libssl3):

CVE-2023-5363 CVE-2023-5678

Additional Context

As per the OpenSSL vulnerabilities report, these vulnerabilities don't affect SSL/TLS implementations:

‘The OpenSSL SSL/TLS implementation is not affected by the issue.’ https://openssl.org/news/vulnerabilities.html

  • Is Cortex affected by these CVEs?

  • When would these vulnerabilities be resolved?

SatyKrish avatar Dec 18 '23 20:12 SatyKrish

Cortex itself does not use OpenSSL. The underlying image, Alpine, has these libraries installed, which we should patch, but it's not as critical.

Then again, this is not the correct way to report a vulnerability. If you wish to report a vulnerability, the procedure is outlined on https://github.com/cortexproject/cortex/blob/master/SECURITY.md#cortex-security-and-disclosure-information

friedrichg avatar Dec 19 '23 18:12 friedrichg

Thanks. Noted.

SatyKrish avatar Dec 19 '23 19:12 SatyKrish
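The maintainer's point above (the scanner flags libssl3/libcrypto3 because they are installed in the Alpine base image, not because the Go binary loads them) is something a practitioner can verify rather than take on trust. The script below is an added example, not Cortex code or Sysdig code: it parses the NEEDED entries from `readelf -d` output, maps the flagged Alpine packages to the shared objects they ship, and classifies each finding with an OpenVEX-style status. The package-to-soname table, the two `readelf` samples and the findings list are constructed for the example; on a real image you would run `readelf -d` against the actual binary and `apk info -L libssl3 libcrypto3` to confirm the sonames.

```python
"""Triage scanner findings in base-image libraries against what a binary links.

Added example (not Cortex code). A Go binary built with CGO_ENABLED=0 has no
dynamic section at all, so nothing from libssl3 or libcrypto3 can be in its
execute path even though the .so files are present in the image.
"""
import re

# Alpine package -> sonames it installs (assumed for the example; confirm on
# the real image with `apk info -L libssl3 libcrypto3`).
PACKAGE_SONAMES = {
    "libssl3": {"libssl.so.3"},
    "libcrypto3": {"libcrypto.so.3"},
}

# Constructed findings in the shape a scanner report boils down to.
FINDINGS = [
    {"cve": "CVE-2023-5363", "package": "libssl3", "severity": "HIGH"},
    {"cve": "CVE-2023-5363", "package": "libcrypto3", "severity": "HIGH"},
    {"cve": "CVE-2023-5678", "package": "libssl3", "severity": "MEDIUM"},
    {"cve": "CVE-2023-5678", "package": "libcrypto3", "severity": "MEDIUM"},
]

# Constructed `readelf -d` output for a statically linked Go binary.
STATIC_READELF = "\nThere is no dynamic section in this file.\n"

# Constructed `readelf -d` output for a hypothetical binary that does link OpenSSL.
DYNAMIC_READELF = """
Dynamic section at offset 0x2d8 contains 22 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.musl-x86_64.so.1]
 0x000000000000000c (INIT)               0x1000
"""

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")


def parse_needed(readelf_output: str) -> set[str]:
    """Return the DT_NEEDED sonames in `readelf -d` output; empty for a static binary."""
    return set(NEEDED_RE.findall(readelf_output))


def triage(findings: list[dict], readelf_output: str) -> list[dict]:
    """Classify each finding by whether the binary actually links the flagged package."""
    needed = parse_needed(readelf_output)
    results = []
    for f in findings:
        linked = PACKAGE_SONAMES.get(f["package"], set()) & needed
        if linked:
            # The library is loaded, so the CVE needs a real reachability review
            # (which API, which configuration); never auto-dismiss this case.
            status, justification = "under_investigation", None
        else:
            # Library only present in the image, not in the binary's execute path
            # (OpenVEX justification name; assumed to match the spec).
            status = "not_affected"
            justification = "vulnerable_code_not_in_execute_path"
        results.append({
            "cve": f["cve"],
            "package": f["package"],
            "severity": f["severity"],
            "linked": sorted(linked),
            "status": status,
            "justification": justification,
            # Even a not_affected finding only disappears from scans once the
            # image is rebuilt on a patched base, which is the maintainer's fix.
            "remediation": "rebuild on patched base image",
        })
    return results


def not_affected_cves(findings: list[dict], readelf_output: str) -> set[str]:
    """Convenience view: the set of CVE ids that can be marked not_affected."""
    return {r["cve"] for r in triage(findings, readelf_output)
            if r["status"] == "not_affected"}


if __name__ == "__main__":
    for r in triage(FINDINGS, STATIC_READELF):
        print(f'{r["cve"]} {r["package"]}: {r["status"]} ({r["justification"]})')
```

Feed it the real output of `readelf -d` on the Cortex binary inside the image (the path is image-specific and not given on this page); `go version -m <binary>` also prints the build settings, including `CGO_ENABLED`, so a static build can be confirmed without reading the ELF at all. The "not_affected" result is a statement about the binary, not the image: the packages are still installed, so the clean fix remains rebuilding on a base image that carries the patched OpenSSL.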