Address CVEs in go-lang binaries

[joancafom]

Overview of the Issue

When running a security scanner like Trivy against the latest release of Consul (which at the moment is 1.15.2), multiple CVEs and vulnerabilities are reported.

---

Reproduction Steps

1. Download the binaries (or even the source code) of the associated release:

$ curl -JLO https://releases.hashicorp.com/consul/1.15.2/consul_1.15.2_linux_amd64.zip

2. Run Trivy and obtain the report

$ trivy rootfs .
...
consul (gobinary)

Total: 7 (UNKNOWN: 1, LOW: 1, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

┌────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────────┐
│          Library           │    Vulnerability    │ Severity │ Installed Version │ Fixed Version  │                           Title                            │
├────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go  │ CVE-2020-8911       │ MEDIUM   │ v1.42.34          │                │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                            │                     │          │                   │                │ SDK for golang...                                          │
│                            │                     │          │                   │                │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                            ├─────────────────────┼──────────┤                   ├────────────────┼────────────────────────────────────────────────────────────┤
│                            │ CVE-2020-8912       │ LOW      │                   │                │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                            │                     │          │                   │                │ SDK for golang...                                          │
│                            │                     │          │                   │                │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
├────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ github.com/coredns/coredns │ CVE-2022-2835       │ MEDIUM   │ v1.6.6            │                │ coreDNS: DNS Redirection of Internal Services              │
│                            │                     │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-2835                  │
│                            ├─────────────────────┤          │                   ├────────────────┼────────────────────────────────────────────────────────────┤
│                            │ CVE-2022-2837       │          │                   │                │ coreDNS: DNS Redirection of Top-Level Domains              │
│                            │                     │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-2837                  │
├────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/net           │ CVE-2022-41723      │ HIGH     │ v0.4.0            │ 0.7.0          │ avoid quadratic complexity in HPACK decoding               │
│                            │                     │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-41723                 │
│                            ├─────────────────────┼──────────┤                   │                ├────────────────────────────────────────────────────────────┤
│                            │ GHSA-vvpx-j8f3-3w6h │ UNKNOWN  │                   │                │ Uncontrolled Resource Consumption                          │
│                            │                     │          │                   │                │ https://github.com/advisories/GHSA-vvpx-j8f3-3w6h          │
├────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ k8s.io/client-go           │ CVE-2020-8565       │ MEDIUM   │ v0.18.2           │ 0.20.0-alpha.2 │ kubernetes: Incomplete fix for CVE-2019-11250 allows for   │
│                            │                     │          │                   │                │ token leak in logs when...                                 │
│                            │                     │          │                   │                │ https://avd.aquasec.com/nvd/cve-2020-8565                  │
└────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────────┘

Consul info for both Client and Server

NA

Operating system and Environment details

NA

Log Fragments

NA

[loshz]

All of the above affected deps have now been updated and backported to 1.14.x and 1.15.x

Thanks for bringing this to our attention!

[hessamalipour]

@loshz @david-yu Hi, As I can see, all those CVE addressed and backport to new version. In AWS Inspector still is showing CVE-2022-2837 and showing there is no available fix. If that is expected? if yes, when will address th CVE-2022-2837?

coreDNS: DNS Redirection of Top-Level Domains
https://nvd.nist.gov/vuln/detail/CVE-2022-2837
https://bugzilla.redhat.com/show_bug.cgi?id=2118543