  1. MongoDB Database Tools
  2. TOOLS-3049

Update the Go version used to build mongo-tools to address several critical and high CVEs


Details

    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 100.5.1
    • Fix Version/s: 100.5.3
    • Component/s: None
    • Labels: None

    Description

      I created an issue for this in SECURITY (see SECURITY-777) but now I think maybe I should have created it here in TOOLS. Several of our Kubernetes Operator containers rely on database-tools, and its presence is flagging several security vulnerabilities - one deemed critical and several others deemed high - caused by the version of Go being used (1.16.7) and golang.org/x/crypto. The database tools version I'm seeing is mongodb-database-tools-rhel80-x86_64-100.5.1. Containers without the package do not produce the vulnerabilities. The list of CVEs is:

      CVE-2020-29652
      CVE-2022-23806
      CVE-2021-39293
      CVE-2021-29923
      CVE-2021-41771
      CVE-2021-41772
      CVE-2021-44716
      CVE-2022-23806
      CVE-2021-38297

      Attaching a spreadsheet with additional details. I need to know if these are legitimate findings and if so understand our plan/timeline/LoE to address the situation. 


          People

            tim.fogarty@mongodb.com Tim Fogarty
            jonathan.janos@mongodb.com Jonathan Janos