github.com/argoproj/argo-cd/v2@v2.10.9/docs/snyk/master/haproxy_2.6.14-alpine.html
<!DOCTYPE html>
<html lang="en">

<head>
  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
  <meta name="description" content="1 known vulnerabilities found in 9 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
  <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
  <style type="text/css">

    body {
      -moz-font-feature-settings: "pnum";
      -webkit-font-feature-settings: "pnum";
      font-variant-numeric: proportional-nums;
      display: flex;
      flex-direction: column;
      font-feature-settings: "pnum";
      font-size: 100%;
      line-height: 1.5;
      min-height: 100vh;
      -webkit-text-size-adjust: 100%;
      margin: 0;
      padding: 0;
      background-color: #F5F5F5;
      font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
    }

    h1,
    h2,
    h3,
    h4,
    h5,
    h6 {
      font-weight: 500;
    }

    a,
    a:link,
    a:visited {
      border-bottom: 1px solid #4b45a9;
      text-decoration: none;
      color: #4b45a9;
    }

    a:hover,
    a:focus,
    a:active {
      border-bottom: 1px solid #4b45a9;
    }

    hr {
      border: none;
      margin: 1em 0;
      border-top: 1px solid #c5c5c5;
    }

    ul {
      padding: 0 1em;
      margin: 1em 0;
    }

    code {
      background-color: #EEE;
      color: #333;
      padding: 0.25em 0.5em;
      border-radius: 0.25em;
    }

    pre {
      background-color: #333;
      font-family: monospace;
      padding: 0.5em 1em 0.75em;
      border-radius: 0.25em;
      font-size: 14px;
    }

    pre code {
      padding: 0;
      background-color: transparent;
      color: #fff;
    }

    a code {
      border-radius: .125rem .125rem 0 0;
      padding-bottom: 0;
      color: #4b45a9;
    }

    a[href^="http://"]:after,
    a[href^="https://"]:after {
      background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
      background-repeat: no-repeat;
      background-size: .75rem;
      content: "";
      display: inline-block;
      height: .75rem;
      margin-left: .25rem;
      width: .75rem;
    }

    /* Layout */

    [class*=layout-container] {
      margin: 0 auto;
      max-width: 71.25em;
      padding: 1.9em 1.3em;
      position: relative;
    }
    .layout-container--short {
      padding-top: 0;
      padding-bottom: 0;
      max-width: 48.75em;
    }

    .layout-container--short:after {
      display: block;
      content: "";
      clear: both;
    }

    /* Header */

    .header {
      padding-bottom: 1px;
    }

    .paths {
      margin-left: 8px;
    }
    .header-wrap {
      display: flex;
      flex-direction: row;
      justify-content: space-between;
      padding-top: 2em;
    }
    .project__header {
      background-color: #4b45a9;
      color: #fff;
      margin-bottom: -1px;
      padding-top: 1em;
      padding-bottom: 0.25em;
      border-bottom: 2px solid #BBB;
    }

    .project__header__title {
      overflow-wrap: break-word;
      word-wrap: break-word;
      word-break: break-all;
      margin-bottom: .1em;
      margin-top: 0;
    }

    .timestamp {
      float: right;
      clear: none;
      margin-bottom: 0;
    }

    .meta-counts {
      clear: both;
      display: block;
      flex-wrap: wrap;
      justify-content: space-between;
      margin: 0 0 1.5em;
      color: #fff;
      clear: both;
      font-size: 1.1em;
    }

    .meta-count {
      display: block;
      flex-basis: 100%;
      margin: 0 1em 1em 0;
      float: left;
      padding-right: 1em;
      border-right: 2px solid #fff;
    }

    .meta-count:last-child {
      border-right: 0;
      padding-right: 0;
      margin-right: 0;
    }

    /* Card */

    .card {
      background-color: #fff;
      border: 1px solid #c5c5c5;
      border-radius: .25rem;
      margin: 0 0 2em 0;
      position: relative;
      min-height: 40px;
      padding: 1.5em;
    }

    .card .label {
      background-color: #767676;
      border: 2px solid #767676;
      color: white;
      padding: 0.25rem 0.75rem;
      font-size: 0.875rem;
      text-transform: uppercase;
      display: inline-block;
      margin: 0;
      border-radius: 0.25rem;
    }

    .card .label__text {
      vertical-align: text-top;
      font-weight: bold;
    }

    .card .label--critical {
      background-color: #AB1A1A;
      border-color: #AB1A1A;
    }

    .card .label--high {
      background-color: #CE5019;
      border-color: #CE5019;
    }

    .card .label--medium {
      background-color: #D68000;
      border-color: #D68000;
    }

    .card .label--low {
      background-color: #88879E;
      border-color: #88879E;
    }

    .severity--low {
      border-color: #88879E;
    }

    .severity--medium {
      border-color: #D68000;
    }

    .severity--high {
      border-color: #CE5019;
    }

    .severity--critical {
      border-color: #AB1A1A;
    }

    .card--vuln {
      padding-top: 4em;
    }

    .card--vuln .label {
      left: 0;
      position: absolute;
      top: 1.1em;
      padding-left: 1.9em;
      padding-right: 1.9em;
      border-radius: 0 0.25rem 0.25rem 0;
    }

    .card--vuln .card__section h2 {
      font-size: 22px;
      margin-bottom: 0.5em;
    }

    .card--vuln .card__section p {
      margin: 0 0 0.5em 0;
    }

    .card--vuln .card__meta {
      padding: 0 0 0 1em;
      margin: 0;
      font-size: 1.1em;
    }

    .card .card__meta__paths {
      font-size: 0.9em;
    }

    .card--vuln .card__title {
      font-size: 28px;
      margin-top: 0;
    }

    .card--vuln .card__cta p {
      margin: 0;
      text-align: right;
    }

    .source-panel {
      clear: both;
      display: flex;
      justify-content: flex-start;
      flex-direction: column;
      align-items: flex-start;
      padding: 0.5em 0;
      width: fit-content;
    }

  </style>
  <style type="text/css">
    .metatable {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      margin-top: 12px;
      border-collapse: collapse;
      border-spacing: 0;
      font-variant-numeric: tabular-nums;
      max-width: 51.75em;
    }

    tbody {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      flex-wrap: wrap;
    }

    .meta-row {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      outline: none;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      align-items: start;
      border-top: 1px solid #d3d3d9;
      padding: 8px 0 0 0;
      border-bottom: none;
      margin: 8px;
      width: 47.75%;
    }

    .meta-row-label {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      color: #4c4a73;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      margin: 0;
      outline: none;
      text-decoration: none;
      z-index: auto;
      align-self: start;
      flex: 1;
      font-size: 1rem;
      line-height: 1.5rem;
      padding: 0;
      text-align: left;
      vertical-align: top;
      text-transform: none;
      letter-spacing: 0;
    }

    .meta-row-value {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      word-break: break-word;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: right;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
    }
  </style>
</head>

<body class="section-projects">
  <main class="layout-stacked">
    <div class="layout-stacked__header header">
      <header class="project__header">
        <div class="layout-container">
          <a class="brand" href="https://snyk.io" title="Snyk">
            <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
              <title>Snyk - Open Source Security</title>
              <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
                <g fill="#fff">
                  <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
                </g>
              </g>
            </svg>
          </a>
          <div class="header-wrap">
            <h1 class="project__header__title">Snyk test report</h1>

            <p class="timestamp">October 29th 2023, 12:15:02 am (UTC+00:00)</p>
          </div>
          <div class="source-panel">
            <span>Scanned the following path:</span>
            <ul>
              <li class="paths">haproxy:2.6.14-alpine (apk)</li>
            </ul>
          </div>

          <div class="meta-counts">
            <div class="meta-count"><span>1</span> <span>known vulnerabilities</span></div>
            <div class="meta-count"><span>9 vulnerable dependency paths</span></div>
            <div class="meta-count"><span>18</span> <span>dependencies</span></div>
          </div><!-- .meta-counts -->
        </div><!-- .layout-container--short -->
      </header><!-- .project__header -->
    </div><!-- .layout-stacked__header -->
    <section class="layout-container">
      <table class="metatable">
        <tbody>
          <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|haproxy</td></tr>
          <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">haproxy:2.6.14-alpine</td></tr>
          <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr>
        </tbody>
      </table>
    </section>
    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
        <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
          <h2 class="card__title">CVE-2023-5363</h2>
          <div class="card__section">

            <div class="label label--low">
              <span class="label__text">low severity</span>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Package Manager: alpine:3.18
              </li>
              <li class="card__meta__item">
                Vulnerable module:
                openssl/libcrypto3
              </li>
              <li class="card__meta__item">Introduced through:
                docker-image|haproxy@2.6.14-alpine and openssl/libcrypto3@3.1.2-r0
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|haproxy@2.6.14-alpine
                  <span class="list-paths__item__arrow">›</span>
                  openssl/libcrypto3@3.1.2-r0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|haproxy@2.6.14-alpine
                  <span class="list-paths__item__arrow">›</span>
                  .haproxy-rundeps@20230809.001942
                  <span class="list-paths__item__arrow">›</span>
                  openssl/libcrypto3@3.1.2-r0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|haproxy@2.6.14-alpine
                  <span class="list-paths__item__arrow">›</span>
                  apk-tools/apk-tools@2.14.0-r2
                  <span class="list-paths__item__arrow">›</span>
                  openssl/libcrypto3@3.1.2-r0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|haproxy@2.6.14-alpine
                  <span class="list-paths__item__arrow">›</span>
                  busybox/ssl_client@1.36.1-r2
                  <span class="list-paths__item__arrow">›</span>
                  openssl/libcrypto3@3.1.2-r0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|haproxy@2.6.14-alpine
                  <span class="list-paths__item__arrow">›</span>
                  .haproxy-rundeps@20230809.001942
                  <span class="list-paths__item__arrow">›</span>
                  openssl/libssl3@3.1.2-r0
                  <span class="list-paths__item__arrow">›</span>
                  openssl/libcrypto3@3.1.2-r0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|haproxy@2.6.14-alpine
                  <span class="list-paths__item__arrow">›</span>
                  openssl/libssl3@3.1.2-r0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|haproxy@2.6.14-alpine
                  <span class="list-paths__item__arrow">›</span>
                  .haproxy-rundeps@20230809.001942
                  <span class="list-paths__item__arrow">›</span>
                  openssl/libssl3@3.1.2-r0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|haproxy@2.6.14-alpine
                  <span class="list-paths__item__arrow">›</span>
                  apk-tools/apk-tools@2.14.0-r2
                  <span class="list-paths__item__arrow">›</span>
                  openssl/libssl3@3.1.2-r0
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|haproxy@2.6.14-alpine
                  <span class="list-paths__item__arrow">›</span>
                  busybox/ssl_client@1.36.1-r2
                  <span class="list-paths__item__arrow">›</span>
                  openssl/libssl3@3.1.2-r0
                </span>
              </li>
            </ul><!-- .list-paths -->

          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <h2 id="nvd-description">NVD Description</h2>
          <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em>
            <em>See <code>How to fix?</code> for <code>Alpine:3.18</code> relevant fixed versions and status.</em></p>
          <p>Issue summary: A bug has been identified in the processing of key and
            initialisation vector (IV) lengths. This can lead to potential truncation
            or overruns during the initialisation of some symmetric ciphers.</p>
          <p>Impact summary: A truncation in the IV can result in non-uniqueness,
            which could result in loss of confidentiality for some cipher modes.</p>
          <p>When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or
            EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after
            the key and IV have been established. Any alterations to the key length,
            via the "keylen" parameter or the IV length, via the "ivlen" parameter,
            within the OSSL_PARAM array will not take effect as intended, potentially
            causing truncation or overreading of these values. The following ciphers
            and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.</p>
          <p>For the CCM, GCM and OCB cipher modes, truncation of the IV can result in
            loss of confidentiality. For example, when following NIST's SP 800-38D
            section 8.2.1 guidance for constructing a deterministic IV for AES in
            GCM mode, truncation of the counter portion could lead to IV reuse.</p>
          <p>Both truncations and overruns of the key and overruns of the IV will
            produce incorrect results and could, in some cases, trigger a memory
            exception. However, these issues are not currently assessed as security
            critical.</p>
          <p>Changing the key and/or IV lengths is not considered to be a common operation
            and the vulnerable API was recently introduced. Furthermore it is likely that
            application developers will have spotted this problem during testing since
            decryption would fail unless both peers in the communication were similarly
            vulnerable. For these reasons we expect the probability of an application being
            vulnerable to this to be quite low. However if an application is vulnerable then
            this issue is considered very serious. For these reasons we have assessed this
            issue as Moderate severity overall.</p>
          <p>The OpenSSL SSL/TLS implementation is not affected by this issue.</p>
          <p>The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because
            the issue lies outside of the FIPS provider boundary.</p>
          <p>OpenSSL 3.1 and 3.0 are vulnerable to this issue.</p>
          <h2 id="remediation">Remediation</h2>
          <p>Upgrade <code>Alpine:3.18</code> <code>openssl</code> to version 3.1.4-r0 or higher.</p>
          <h2 id="references">References</h2>
          <ul>
            <li><a href="http://www.openwall.com/lists/oss-security/2023/10/24/1">openssl-security@openssl.org</a></li>
            <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d">openssl-security@openssl.org</a></li>
            <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee">openssl-security@openssl.org</a></li>
            <li><a href="https://www.debian.org/security/2023/dsa-5532">openssl-security@openssl.org</a></li>
            <li><a href="https://www.openssl.org/news/secadv/20231024.txt">openssl-security@openssl.org</a></li>
            <li><a href="https://security.netapp.com/advisory/ntap-20231027-0010/">openssl-security@openssl.org</a></li>
          </ul>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/SNYK-ALPINE318-OPENSSL-6032386">More about this vulnerability</a></p>
          </div>

        </div><!-- .card -->
      </div><!-- cards -->
    </div>
  </main><!-- .layout-stacked__content -->
</body>

</html>