forked from cyberark/conjur
.trivyignore
# NULL pointer deref. OpenSSL 1.0.2 is not impacted
CVE-2021-3449
# Rake vulnerability for versions < 12.3.3. The version of Rake used by Conjur
# has been updated to 13.0.1. Some of the Conjur dependencies still declare a
# vulnerable version of Rake in their development dependencies, but do not pose
# a risk to Conjur.
CVE-2020-8130
# These vulnerabilities are present in the Ubuntu 18.04 base image and are being
# analyzed to determine their impact on the Conjur container image.
# Follow up issue: https://github.com/cyberark/conjur/issues/1461
CVE-2019-10220
CVE-2019-19813
CVE-2019-19814
CVE-2019-19816
# Applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake
# may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert"
# TLS extension. This issue was fixed in OpenSSL 1.1.1g.
#
# In order to support FIPS with OpenSSL we are required to downgrade the OpenSSL version to 1.0.2 until OpenSSL
# supports the FIPS module in newer versions.
# This vulnerability is not relevant to us because:
# 1. The installed version (1.0.2u) does not support TLS 1.3
# 2. Trivy detects the usage of OpenSSL 1.0.2 (can be reproduced with
# docker run -v /var/run/docker.sock:/var/run/docker.sock
# -v $(pwd):/workspace --rm aquasec/trivy -f json -o /workspace/scan_results-conjur-unfixed.json --no-progress
# --ignorefile .trivyignore registry.tld/ruby-fips-base-image-phusion:1.0.0)
#
# Performed by @yahalomk, approved by @shaharglazner
CVE-2020-1967
# CVE-2020-1971
# The X.509 GeneralName type is a generic type for representing different types
# of names. One of those name types is known as EDIPartyName. OpenSSL provides a
# function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
# to see if they are equal or not. This function behaves incorrectly when both
# GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
# may occur leading to a possible denial of service attack.
# OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
#
# 1) Comparing CRL distribution point names between an available CRL and a CRL
# distribution point embedded in an X509 certificate.
#
# 2) When verifying that a timestamp response token signer matches the timestamp
# authority name (exposed via the API functions TS_RESP_verify_response and
# TS_RESP_verify_token). If an attacker can control both items being compared
# then that attacker could trigger a crash.
#
# All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Fixed in OpenSSL
# 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
#
# In order to support FIPS with OpenSSL we are required to use OpenSSL version
# 1.0.2 until OpenSSL supports the FIPS module in newer versions. The latest
# available version to us is 1.0.2u, which does not include this fix.
#
# We've determined that we are not impacted by this vulnerability because:
# - we do not directly perform CRL checks in the Conjur or DAP software
# - we do not enable automatic CRL checks in openssl tools
# - we do not call any of the impacted OpenSSL APIs or any of the APIs that expose
# impacted behavior.
#
# Performed by @micahlee, approved by @andytinkham
CVE-2020-1971
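The file above follows a convention: every suppressed CVE is preceded by a written rationale and, for the OpenSSL entries, a "Performed by @x, approved by @y" sign-off. The script below is an added example, not part of the Conjur repository or of Trivy, that parses a `.trivyignore` file with this layout and flags entries missing either piece. Its assumptions: consecutive CVE lines with no comment between them share the preceding comment block (as the CVE-2019-* entries do), the sign-off regex is derived from the two sign-off lines in this file, the five-word minimum for a rationale is a hypothetical threshold, and the sample ignore file embedded at the bottom is constructed for the demonstration.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List

# A suppression line starts with the CVE id; anything after the id is ignored here.
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\b")
# Sign-off convention seen in the Conjur file: "Performed by @x, approved by @y".
# The comma is optional because both spellings appear in that file.
SIGNOFF_RE = re.compile(
    r"performed by\s+(@[\w-]+)\s*,?\s*approved by\s+(@[\w-]+)", re.IGNORECASE
)
MIN_RATIONALE_WORDS = 5  # hypothetical threshold; tune to your review policy


@dataclass
class IgnoreEntry:
    cve: str
    line_no: int
    rationale: List[str] = field(default_factory=list)  # comment lines, '#' stripped


def parse_trivyignore(text: str) -> List[IgnoreEntry]:
    """Attach to each CVE line the comment block that precedes it.

    Consecutive CVE lines with no comment between them share one block
    (the CVE-2019-* group in the Conjur file is written that way).
    A CVE line with no comment block before it gets an empty rationale.
    """
    entries: List[IgnoreEntry] = []
    pending: List[str] = []  # comment lines not yet attached to a CVE
    current: List[str] = []  # block attached to the most recent CVE(s)
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())
            continue
        match = CVE_RE.match(line)
        if not match:
            continue  # not a CVE suppression; out of scope for this lint
        if pending:
            current, pending = pending, []
        entries.append(IgnoreEntry(match.group(1), line_no, list(current)))
    return entries


def lint(entries: List[IgnoreEntry]) -> List[str]:
    """Return one human-readable problem per policy violation."""
    problems: List[str] = []
    for entry in entries:
        text = " ".join(entry.rationale)
        signoff = SIGNOFF_RE.search(text)
        # Count only explanatory words: drop the sign-off sentence and any
        # restated CVE ids, so a bare "# CVE-2020-1971" header does not pass.
        body = SIGNOFF_RE.sub("", text)
        words = [w for w in body.split() if not CVE_RE.match(w)]
        if len(words) < MIN_RATIONALE_WORDS:
            problems.append(f"{entry.cve} (line {entry.line_no}): no written rationale")
        elif signoff is None:
            problems.append(
                f"{entry.cve} (line {entry.line_no}): missing "
                "'Performed by @x, approved by @y' sign-off"
            )
    return problems


# Constructed sample: one bare suppression, one complete entry, a shared
# rationale without sign-off, and a sign-off with no rationale behind it.
SAMPLE_TRIVYIGNORE = """\
CVE-2020-0004
# Finding is in a development-only dependency that never ships in the image.
# Performed by @alice, approved by @bob
CVE-2020-0001
# Base-image packages awaiting analysis; tracked in issue PLACEHOLDER-123.
CVE-2020-0002
CVE-2020-0003
# Performed by @carol, approved by @dan
CVE-2020-0005
"""


def main(argv: List[str]) -> int:
    """Lint the file given on the command line (default: ./.trivyignore)."""
    path = argv[1] if len(argv) > 1 else ".trivyignore"
    with open(path, encoding="utf-8") as fh:
        problems = lint(parse_trivyignore(fh.read()))
    for problem in problems:
        print(problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a CI step (`python lint_trivyignore.py .trivyignore`) and it exits non-zero when a suppression lacks a rationale or a reviewer; on the constructed sample it reports CVE-2020-0004 and CVE-2020-0005 for missing rationale and CVE-2020-0002/0003 for a missing sign-off, while the fully documented CVE-2020-0001 entry passes.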