[TOOLS-3049] Update the Go version used to build mongo-tools to address several critical and high CVEs - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: 100.5.1
Fix Version/s: 100.5.3
Component/s: None
Labels:
None

Description

I created an issue for this in SECURITY (see SECURITY-777) but now I think maybe I should have created it here in TOOLS. Several of our Kubernetes Operator containers rely on database-tools, and its presence is flagging several security vulnerabilities - one deemed critical and several others deemed high - caused by the version of go being used (1.16.7) and golang.org/x/crypto. The database tools version I'm seeing is mongodb-database-tools-rhel80-x86_64-100.5.1. Containers without the package do not produce the vulnerabilities. The list of CVEs is:

CVE-2020-29652
CVE-2022-23806
CVE-2021-39293
CVE-2021-29923
CVE-2021-41771
CVE-2021-41772
CVE-2021-44716
CVE-2022-23806
CVE-2021-38297

Attaching a spreadsheet with additional details. I need to know if these are legitimate findings and if so understand our plan/timeline/LoE to address the situation.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

goCVEs-Tools.xlsx
11 kB
Feb 22 2022 11:42:25 PM UTC

Issue Links

links to

Pull Request (mongodb/mongo-tools master)

Activity

People

Assignee:: Tim Fogarty

Reporter:: Jonathan Janos

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: Feb 22 2022 11:45:07 PM UTC

Updated:: Jun 10 2022 04:50:27 PM UTC

Resolved:: Jun 02 2022 04:33:30 PM UTC