bfe3b186d3
For #28837. Fixing this all of this because we got multiple reports from the community and customers and these were also detected by Amazon Inspector. - Fixes CVE-2025-22871 by upgrading Go from 1.24.1 to 1.24.2. - `docker scout` now fails the daily scheduled action if there are CRITICAL,HIGH CVEs (we missed setting `exit-code: true`). - Report CVE-2025-46569 as not affected by it because of our use of OPA's go package. - Report CVE-2024-8260 as not affected by it because Fleet doesn't run on Windows. - The `security/status.md` shows a lot of changes because we are now sorting CVEs so that newest come first. --- - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
5 KiB
Security
Directory contents
- status.md: Current status of vulnerabilities reported on Fleet software components by security scanners (trivy). This document is currently auto-generated from files in the
vex/directory. code/: Files used for vulnerability scanning on Fleet's source code.vex/: OpenVEX files to report status of vulnerabilities detected by Trivy on Fleet docker images.
Vulnerability scanning
The following Github CI actions perform daily vulnerability scanning on Fleet software components.
- trivy-scan.yml: Scan source code for vulnerabilities.
- build-and-check-fleetctl-docker-and-deps.yml: Scans for
HIGHandCRITICALvulnerabilities infleetctldocker image dependencies (fleetdm/fleetctl,fleetdm/wix, andfleetdm/bomutils). - goreleaser-snapshot-fleet.yaml: Scans for HIGH and CRITICAL vulnerabilities in
fleetdm/fleetdocker image before pushing to the Docker registry (runs daily and is triggered for every change in Fleet's source code). - check-vulnerabilities-in-released-docker-images.yml: Scans for
CRITICALvulnerabilities in the last 5 minor released versions of thefleetdm/fleetand on the latest release offleetdm/fleetctl.
Process to run when a CVE is reported
1. Update report (status.md)
If trivy reports a HIGH or CRITICAL CVE on one of Fleet's docker images (reported by the previously mentioned Github Actions), then we need to assess the report and track it with a status of "not affected", "affected", "fixed", or "under investigation".
We use the OpenVEX format to track the status of reported vulnerabilities (vex/ folder).
Once the status is determined, we use the vexctl tool to create a VEX file.
brew install vexctl
Example for CVE-2023-32698 on package github.com/goreleaser/nfpm/v2 which we know doesn't affect fleetdm/fleetctl:
vexctl create --product="fleetctl,pkg:golang/github.com/goreleaser/nfpm/v2" \
--vuln="CVE-2023-32698" \
--status="not_affected" \
--author="@getvictor" \
--justification="vulnerable_code_cannot_be_controlled_by_adversary" \
--status-note="When packaging linux files, fleetctl does not use global permissions. It was verified that packed fleetd package files do not have group/global write permissions." > security/vex/fleetctl/CVE-2023-32698.vex.json
Similarly, for CVE-2024-8260 on package github.com/open-policy-agent/opa which we know doesn't affect fleetdm/fleet:
vexctl create --product="fleet,pkg:golang/github.com/open-policy-agent/opa" \
--vuln="CVE-2024-8260" \
--status="not_affected" \
--author="@lucasmrod" \
--justification="vulnerable_code_cannot_be_controlled_by_adversary" \
--status-note="Fleet doesn't run on Windows, so it's not affected by this vulnerability." > security/vex/fleetctl/CVE-2024-8260.vex.json
Examples of --product flag values (which accept "PURLs"):
liblzma5debian package:pkg:deb/debian/liblzma5.github.com/goreleaser/nfpm/v2golang package:pkg:golang/github.com/goreleaser/nfpm/v2.xerces/xercesImpljava package:pkg:maven/xerces/xercesImpl.
When new VEX files are generated or updated we can update the security/status.md file by running:
make vex-report
2. Update software
If the detected vulnerability can be fixed by updating the base docker image or removing/changing components in the docker image then we do so and the update will be present on the next release. (It is good practice to keep software up-to-date.)
3. Process for "affected" CRITICAL vulnerabilities
fleetdm/fleet
Following is the process to run when a CRITICAL CVE affects any of the five last releases of fleetdm/fleet docker image (reported by check-vulnerabilities-in-released-docker-images.yml).
- We will use the information reported by the scanner and update our
status.mdto keep users/customers informed. - If the
CRITICALvulnerability (that has a fix) is on thelatestrelease, we'll file a critical/P0 bug and release a patch ASAP (within 1 business day). The previous four versions scanned won't be retroactively patched, onlylatestwill be patched.
fleetdm/fleetctl
Following is the process to run when a CRITICAL CVE affects the released fleetdm/fleetctl:latest docker image:
- After
security/status.mdis updated, notify users/customers about the CVE in thefleetdm/fleetctlimage and possible remediations. - Create a Github issue with a
P0/securitylabel to track the fix. - The fix will be released on the next release of the
fleetdm/fleetctldocker image.