
ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting upstream based ROCKs

 

Hey Athos,

On 29/7/21 18:13, Athos Ribeiro wrote:
> On Thu, Jul 29, 2021 at 11:57:30AM -0300, Emilia Torino wrote:
>> Hey Sergio,
>>
>> On 29/7/21 11:45, Sergio Durigan Junior wrote:
>>> On Tuesday, July 27 2021, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
>>>
>>>> New CVEs affecting packages used to build upstream based rocks have
>>>> been
>>>> created in the Ubuntu CVE tracker:
>>>>
>>>> * https://github.com/prometheus/prometheus:
>>>> * https://github.com/hashicorp/consul: CVE-2021-32574, CVE-2021-36213
>>>> * https://github.com/gogo/protobuf:
>>>>
>>>> Please review your rock to understand if it is affected by these CVEs.
>>>>
>>>> Thank you for your rock and for attending to this matter.
>>>>
>>>> References:
>>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-32574
>>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-36213
>>>
>>> Hi Emi,
>>>
>>> I found the message above a bit confusing.  There are three components
>>> listed (prometheus/prometheus, hashicorp/consul and gogo/protobuf), but
>>> only one (hashicorp/consul) has CVEs listed for it.  Do the other two
>>> components also have CVEs opened against them?
>>
>> You are correct, this msg is confusing. Only CVEs affecting consul have
>> been created this time.
> 
> Hi Emilia,
> 
> Would it be possible for the Go related CVE alerts to be reported in a
> package level instead of in a module level?
> 
> e.g., CVE-2021-36213: github.com/hashicorp/consul/agent/xds,
> github.com/hashicorp/consul/agent, ...

The current implementation only monitors 3 git trees which were/are
present in upstream based rocks. You can find further details about it
here:
https://docs.google.com/document/d/1HL_9FeXCWKLSGW3cG8UeyexJqSw17LAM6a1r9IHomYI/edit#.
The current consul git tree was obtained from
https://pastebin.canonical.com/p/GMhwVwh8bK/ (it is also mentioned in
the shared doc).

> 
> This would make it easier to determine whether one of our ROCKs is
> affected by the vulnerability and aid on taking decisions on
> how to act on them.

The sec team has an extensive history on triaging, monitoring, patching
etc CVEs affecting Ubuntu packages, but not other "package" types.
Actually we were already aware of the fact that this implementation is
very basic, but as per spec we committed to only monitor a set of git
trees, not everything in github, since we are still working on setting
all processes and tools needed for such task. For sure we can work
together on making this service most useful for your team. We can
probably add this to the next cycle.

> 
> Moreover, am I correct if I suppose the tooling generating these alerts
> knows which ROCKs are possibly affected by the CVE? If so, would it be
> possible to also include that information here?

We have 2 different services implemented:

- one is the USNs notification service, which notifies about security
updates affecting ubuntu-based rocks. We get each rock from docker hub,
and compare the packages in their dpkg.query files against the USN
database. You might have seen the emails describing the specific rock
and packages affected. The list of rocks we are monitoring is: redis,
nginx, apache2, memcached, mysql and postgres.

- the other service is the CVEs notification service, which should serve
the purposes of notifying about upstream-based rocks: cortex and
telegraf. Due to the reasons explained above, we did not commit to do
the extensive vulnerabilities triage as we did for ubuntu based ones. So
it is a best effort to notify about a CVE being created in our tracker,
which could affect any of those. If it helps I can change the email
subject from: "CVEs potentially affecting upstream based ROCKs" to "CVEs
potentially affecting cortex and telegraf". That is a very simple change
I can quickly add.

To confirm if the 3 git trees were present in both upstream based rocks
we were considering, I locally got them (docker pull ubuntu/cortex &&
docker image save etc, same for telegraf) and in both cases I see the
upstream manifest empty. Is that correct?

> 
> Finally, I did check that prometheus, telegraf, prometheus-alertmanager
> and cortex should be the candidates to be affected here. So far,
> prometheus and telegraf only use github.com/hashicorp/consul/api and
> should not be affected.
>>
>>> Is there any reason why
>>> they're being listed in the message?

We also agree prometheus, prometheus-alertmanager and grafana were out
of these initial services, as they were based on snaps. Is that still correct?

>>
>> This is a bug in our service. Since these are the 3 upstream
>> repositories we are monitoring, the template msg is incorrectly adding
>> the 3 when in this case, it should only list consul. I will add this bug
>> to our queue to fix it asap.
>>
>>>
>>> Thanks!
>>
>> Thank you!
>>
>>>
>>
>> -- 
>> Mailing list: https://launchpad.net/~ubuntu-docker-images
>> Post to     : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>> More help   : https://help.launchpad.net/ListHelp
> 
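The thread asks for Go CVE alerts at package level rather than module level, and reasons that a build which only imports github.com/hashicorp/consul/api is not affected. The script below is an added illustration of that distinction, not the security team's tooling: the advisory table and the `go list -deps` output are constructed, and the package paths attached to CVE-2021-36213 are taken from Athos's example in the thread rather than from the real advisory.

```python
"""Module-level vs package-level matching of Go CVE advisories.

Added example, not the security team's notification service. The advisory
table and the dependency listing are constructed; the affected package paths
come from Athos's "e.g." in the thread, not from the actual CVE entry.
"""
from dataclasses import dataclass

# Constructed advisory table: CVE -> (Go module path, affected package paths).
ADVISORIES = {
    "CVE-2021-36213": ("github.com/hashicorp/consul",
                       {"github.com/hashicorp/consul/agent/xds",
                        "github.com/hashicorp/consul/agent"}),
    "CVE-2021-32574": ("github.com/hashicorp/consul",
                       {"github.com/hashicorp/consul/agent/xds"}),
}

# Constructed output of `go list -deps -f '{{.ImportPath}}' ./...` for a
# build that, like prometheus/telegraf per the thread, only pulls in consul/api.
GO_LIST_OUTPUT = """\
github.com/prometheus/prometheus/discovery/consul
github.com/hashicorp/consul/api
github.com/hashicorp/go-cleanhttp
"""


@dataclass
class Verdict:
    module_hit: bool          # the vulnerable module appears in the build at all
    packages_hit: frozenset   # affected packages that are actually imported


def parse_deps(go_list_output: str) -> set:
    """Turn `go list -deps` output into a set of import paths."""
    return {line.strip() for line in go_list_output.splitlines() if line.strip()}


def in_module(import_path: str, module: str) -> bool:
    """True if import_path belongs to the given module (exact or sub-path)."""
    return import_path == module or import_path.startswith(module + "/")


def assess(cve: str, deps: set) -> Verdict:
    """Module-level says 'affected' for any consul import; package-level
    only flags a build that imports one of the packages named in the CVE."""
    module, affected = ADVISORIES[cve]
    module_hit = any(in_module(p, module) for p in deps)
    packages_hit = frozenset(p for p in deps if p in affected)
    return Verdict(module_hit, packages_hit)


if __name__ == "__main__":
    deps = parse_deps(GO_LIST_OUTPUT)
    for cve in ADVISORIES:
        v = assess(cve, deps)
        print(cve, "module-level:", "affected" if v.module_hit else "clear",
              "| package-level:", sorted(v.packages_hit) or "clear")
```

Running it shows the constructed build as "affected" at module level but "clear" at package level for both CVEs, which is the information Athos asked to have included in the alert.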

