tools(connector-besu): fix CVE-2022-21190 CVE-2023-36665 CVE-2022-2421 #2745

zondervancalvez · 2023-10-05T08:53:13Z

Description

Vulnerabilities were found during the container scan of connector-besu image using Trivy.
See the list below:

LIBRARY	VULNERABILITY	AFFECTED VERSION	FIXED VERSION
libssl1.1 openssl	CVE-2023-0286	1.1.1f-1ubuntu2.16	1.1.1f-1ubuntu2.17
convict (package.json)	CVE-2022-21190 CVE-2022-22143	6.0.0	6.2.3 6.2.4
http-cache-semantics (package.json)	CVE-2022-25881	4.1.0	4.1.1
node-forge (package.json)	CVE-2022-24771 CVE-2022-24772	1.0.0	1.3.0
protobufjs (package.json)	CVE-2023-36665	6.11.3	7.2.4, 6.11.4
qs (package.json)	CVE-2022-24999	6.7.0	6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3,
socket.io-parser (package.json)	CVE-2023-32695 CVE-2022-2421	4.0.5 4.1.2	4.2.3, 3.4.3 4.0.5, 4.2.1, 3.3.3, 3.4.2

shubhankar-mern · 2023-10-08T17:52:37Z

@petermetz @zondervancalvez assign me

petermetz · 2023-10-09T18:15:46Z

@shubhankar-mern @aldousalvarez Please collaborate on it if possible (you've both volunteered to work on it)

zondervancalvez · 2023-11-06T05:11:56Z

@shubhankar-mern @aldousalvarez see updated vulnerabilities from latest scan

petermetz · 2023-11-06T20:26:45Z

@zondervancalvez Could you please make the issue title unique according to the guidelines we talked about previously?

…VE-2022-2421 Fixes hyperledger-cacti#2745 Primary Changes ---------------- 1. Updated the version of the base image that is used in the Dockerfile Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>

…E-2022-2421 Fixes hyperledger-cacti#2745 Primary Changes ---------------- 1. Updated the version of the base image that is used in the Dockerfile Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>

…E-2022-2421 Fixes hyperledger-cacti#2745 Primary Changes ---------------- 1. Updated the version of the base image that is used in the Dockerfile 2. Updated the Dockerfile to use the yarn version 3 3. Updated the README to the new command to run the container Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>

CVE-2023-36665, CVE-2022-2421 Primary Changes ---------------- 1. Updated the version of the base image that is used in the Dockerfile 2. Updated the Dockerfile to use the yarn version 3 3. Updated the README to the new command to run the container Fixes hyperledger-cacti#2745 Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>

Primary Changes ---------------- 1. Updated the version of the base image that is used in the Dockerfile 2. Updated the Dockerfile to use the yarn version 3 3. Updated the README to the new command to run the container Fixes hyperledger-cacti#2745 Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>

Primary Changes ---------------- 1. Updated the version of the base image that is used in the Dockerfile 2. Updated the Dockerfile to use the yarn version 4 3. Updated the README to the new command to run the container Fixes hyperledger-cacti#2745 Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>

petermetz added this to Cacti_Scrum_Project_v2_Release Oct 6, 2023

petermetz added bug Something isn't working Besu Security Related to existing or potential security vulnerabilities Hacktoberfest Hacktoberfest participants are welcome to take a stab at issues marked with this label. P2 Priority 2: High labels Oct 6, 2023

petermetz moved this to Todo in Cacti_Scrum_Project_v2_Release Oct 6, 2023

petermetz added this to the v2.0.0 milestone Oct 6, 2023

petermetz added good-first-issue Good for newcomers good-first-issue-400-expert labels Oct 6, 2023

petermetz assigned shubhankar-mern and aldousalvarez Oct 9, 2023

zondervancalvez moved this from Todo to In Progress in Cacti_Scrum_Project_v2_Release Oct 10, 2023

zondervancalvez moved this from In Progress to Todo in Cacti_Scrum_Project_v2_Release Oct 10, 2023

zondervancalvez changed the title ~~fix(security): vulnerabilities found in connector-besu~~ tools(connector-besu): address CVEs: CVE-2022-21190, CVE-2023-36665, CVE-2022-2421 Nov 8, 2023

jagpreetsinghsasan moved this from Todo to In Progress in Cacti_Scrum_Project_v2_Release Jan 25, 2024

aldousalvarez mentioned this issue Jan 26, 2024

build(connector-besu): fix CVE-2022-21190 CVE-2023-36665 CVE-2022-2421 #3005

Merged

5 tasks

jagpreetsinghsasan moved this from In Progress to In review in Cacti_Scrum_Project_v2_Release Jan 29, 2024

jagpreetsinghsasan unassigned shubhankar-mern Jan 29, 2024

petermetz changed the title ~~tools(connector-besu): address CVEs: CVE-2022-21190, CVE-2023-36665, CVE-2022-2421~~ tools(connector-besu): fix CVE-2022-21190 CVE-2023-36665 CVE-2022-2421 Feb 7, 2024

petermetz closed this as completed in #3005 Jul 1, 2024

petermetz closed this as completed in bf92d3d Jul 1, 2024

github-project-automation bot moved this from In review to Done in Cacti_Scrum_Project_v2_Release Jul 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tools(connector-besu): fix CVE-2022-21190 CVE-2023-36665 CVE-2022-2421 #2745

tools(connector-besu): fix CVE-2022-21190 CVE-2023-36665 CVE-2022-2421 #2745

zondervancalvez commented Oct 5, 2023 •

edited

Loading

shubhankar-mern commented Oct 8, 2023

petermetz commented Oct 9, 2023

zondervancalvez commented Nov 6, 2023

petermetz commented Nov 6, 2023

tools(connector-besu): fix CVE-2022-21190 CVE-2023-36665 CVE-2022-2421 #2745

tools(connector-besu): fix CVE-2022-21190 CVE-2023-36665 CVE-2022-2421 #2745

Comments

zondervancalvez commented Oct 5, 2023 • edited Loading

Description

shubhankar-mern commented Oct 8, 2023

petermetz commented Oct 9, 2023

zondervancalvez commented Nov 6, 2023

petermetz commented Nov 6, 2023

zondervancalvez commented Oct 5, 2023 •

edited

Loading