MongoDB Database Tools / TOOLS-3049

Update the Go version used to build mongo-tools to address several critical and high CVEs

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 100.5.3
    • Affects Version/s: 100.5.1
    • Component/s: None
    • Labels: None

      I created an issue for this in SECURITY (see SECURITY-777) but now I think maybe I should have created it here in TOOLS. Several of our Kubernetes Operator containers rely on database-tools, and its presence is flagging several security vulnerabilities - one deemed critical and several others deemed high - caused by the version of go being used (1.16.7) and golang.org/x/crypto. The database tools version I'm seeing is mongodb-database-tools-rhel80-x86_64-100.5.1. Containers without the package do not produce the vulnerabilities. The list of CVEs is:

      CVE-2020-29652
      CVE-2022-23806
      CVE-2021-39293
      CVE-2021-29923
      CVE-2021-41771
      CVE-2021-41772
      CVE-2021-44716
      CVE-2022-23806
      CVE-2021-38297

      Attaching a spreadsheet with additional details. I need to know if these are legitimate findings and if so understand our plan/timeline/LoE to address the situation. 


        Attachment: goCVEs-Tools.xlsx (11 kB, uploaded by Jonathan Janos)
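Once the tools are rebuilt, the practical verification is to read the build metadata the Go linker embeds in each binary (mongodump, mongorestore, and so on) and confirm both the toolchain version and the linked golang.org/x/crypto module version, rather than trusting a scanner's guess. The following is an added example written for this ticket, not code from mongo-tools or from the reporter; it uses the standard-library `debug/buildinfo` package (Go 1.18 or newer is needed to run it), and the minimum-version default `go1.16.8` is a placeholder you would replace with whatever toolchain the fixed 100.5.3 build actually uses.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns a toolchain string such as "go1.16.7" (also "go1.16"
// or "go1.18rc1") into numeric major/minor/patch parts. Pre-release suffixes
// are dropped and a missing patch number counts as 0.
func parseGoVersion(v string) (parts [3]int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	for i, r := range v { // cut a suffix like "rc1" or "beta2"
		if (r < '0' || r > '9') && r != '.' {
			v = v[:i]
			break
		}
	}
	fields := strings.Split(v, ".")
	if len(fields) < 2 || len(fields) > 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// goVersionAtLeast reports whether toolchain version got is >= minimum.
// Unparseable versions (e.g. "devel") are treated as not satisfying the check.
func goVersionAtLeast(got, minimum string) bool {
	g, ok1 := parseGoVersion(got)
	m, ok2 := parseGoVersion(minimum)
	if !ok1 || !ok2 {
		return false
	}
	for i := 0; i < 3; i++ {
		if g[i] != m[i] {
			return g[i] > m[i]
		}
	}
	return true
}

// report is what the check found in one binary.
type report struct {
	GoVersion string
	XCrypto   string // version of golang.org/x/crypto, "" if not linked in
	GoOK      bool
}

// checkBinary reads the build info embedded in a Go executable and compares
// its toolchain version against minGo; it also records the x/crypto version.
func checkBinary(path, minGo string) (report, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return report{}, err
	}
	r := report{GoVersion: bi.GoVersion, GoOK: goVersionAtLeast(bi.GoVersion, minGo)}
	for _, d := range bi.Deps {
		if d.Path == "golang.org/x/crypto" {
			r.XCrypto = d.Version
			if d.Replace != nil { // a replace directive wins over the requirement
				r.XCrypto = d.Replace.Version
			}
		}
	}
	return r, nil
}

func main() {
	// Usage: go run check.go /path/to/mongodump [minimum-go-version]
	// With no arguments the program inspects its own executable.
	path, _ := os.Executable()
	minGo := "go1.16.8" // PLACEHOLDER: the toolchain the fixed build is expected to use
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	if len(os.Args) > 2 {
		minGo = os.Args[2]
	}
	r, err := checkBinary(path, minGo)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read build info:", err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s (>= %s: %v), golang.org/x/crypto %q\n",
		path, r.GoVersion, minGo, r.GoOK, r.XCrypto)
	if !r.GoOK {
		os.Exit(1)
	}
}
```

Run it against each installed tool binary; a non-zero exit marks a binary still built with a toolchain below the minimum, and the printed x/crypto version is what you compare against the advisory for the relevant CVE. The same information is available interactively with `go version -m <binary>`, but the function form is easier to wire into a CI gate.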

            Assignee: Tim Fogarty (tim.fogarty@mongodb.com)
            Reporter: Jonathan Janos (jonathan.janos@mongodb.com)
            Votes: 0
            Watchers: 4
