LD has opened this issue to let everyone know that we're aware of the vulnerability reports mentioned above, and we will release a patch version of our Docker image to address these as soon as possible.
It's our policy to make any necessary dependency/platform updates for such issues no matter what, but we also look into the details to determine how much of an actual risk these represent, if any, to Relay Proxy installations that are currently running. Here is our analysis:
CVE-2022-23772: This affects Go's math/big package, which is not used by the Relay Proxy or any of its dependencies.
CVE-2022-23806: This affects Go's crypto/elliptic package, which is not used by the Relay Proxy or any of its dependencies.
CVE-2022-23806 (marked as "undergoing reanalysis"): This affects Go's regexp package, which is used if the LaunchDarkly flag data contains any regex matching rules. The vulnerability would be exploitable if the attacker could modify the flag data.
CVE-2022-23773: This affects the go build tool in terms of how it resolves dependency versions. An already-built Relay Proxy executable does not use this tool.
CVE-2022-24687: This is a misreported vulnerability due to a known issue where scanners cannot distinguish between the Consul API client (which our code uses) and the Consul server (which our code does not use). See: launchdarkly/go-server-sdk-consul#9 and hashicorp/consul#10674
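The regexp case above is the one finding where the Relay Proxy's own handling of input matters: the package is only reached when flag data carries regex matching rules, and the risk depends on an attacker being able to modify that data. The following is an added example, not code from the Relay Proxy or from LaunchDarkly. It assumes what the Go 1.17-era regexp issue actually was (stack exhaustion on deeply nested expressions, fixed upstream by a nesting-depth limit in the parser) and shows how a consumer of flag data can treat rule patterns as untrusted: a length cap and a parenthesis-depth cap are applied before regexp.Compile, so a hostile pattern is rejected even on a Go toolchain that predates the upstream fix. The limits, the helper names (groupDepth, CompileUntrusted) and the sample patterns are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Illustrative limits (assumptions for this example, not Relay Proxy settings).
// Go's own parser limit is 1000 levels; a rule pattern for flag matching
// has no legitimate reason to come anywhere near that.
const (
	maxPatternLen   = 1024 // hard cap on the byte length of an untrusted pattern
	maxGroupNesting = 100  // cap on unclosed '(' depth
)

var (
	ErrPatternTooLong = errors.New("regex rule rejected: pattern exceeds length limit")
	ErrNestingTooDeep = errors.New("regex rule rejected: parentheses nest too deeply")
)

// groupDepth returns the deepest level of unclosed '(' in pattern.
// Escaped characters and bracket expressions are skipped so that
// "\(" and "[(]" do not count as groups.
func groupDepth(pattern string) int {
	depth, deepest := 0, 0
	inClass := false
	for i := 0; i < len(pattern); i++ {
		c := pattern[i]
		switch {
		case c == '\\':
			i++ // skip the escaped character
		case inClass:
			if c == ']' {
				inClass = false
			}
		case c == '[':
			inClass = true
		case c == '(':
			depth++
			if depth > deepest {
				deepest = depth
			}
		case c == ')':
			if depth > 0 {
				depth--
			}
		}
	}
	return deepest
}

// CompileUntrusted validates a pattern taken from flag data before handing it
// to the standard library. Cheap structural checks run first; only a pattern
// that passes them reaches regexp.Compile (which on a patched toolchain also
// enforces its own nesting limit).
func CompileUntrusted(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, ErrPatternTooLong
	}
	if groupDepth(pattern) > maxGroupNesting {
		return nil, ErrNestingTooDeep
	}
	return regexp.Compile(pattern)
}

func main() {
	// Constructed sample rule patterns, not real LaunchDarkly flag data.
	benign := `^user-[0-9]+@example\.com$`
	hostile := strings.Repeat("(", 2000) + "a" + strings.Repeat(")", 2000)
	for _, p := range []string{benign, hostile} {
		_, err := CompileUntrusted(p)
		fmt.Printf("len=%d depth=%d err=%v\n", len(p), groupDepth(p), err)
	}
}
```

The length cap is the check that does not depend on the Go version: the nested-parentheses pattern is rejected for its size before any parsing happens. The depth cap is a second, independent guard for patterns that are short but pathologically nested. Both are deliberately far stricter than what the standard library tolerates, because the patterns come from a data source the analysis above identifies as the attacker's only route to the vulnerable code.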