EdgeX grades security issues on the CVSS (Common Vulnerability Scoring System) scale. The four levels are critical, high, medium and low.

Each entry below gives: Component, Description, Severity, Affected Releases, Issue Link, Fix Timeline, Resolution/Mitigation.

Component: Database - MongoDB
Description: MongoDB is one of the data persistence solutions usable in EdgeX. The MongoDB 3.4.9 container base image has known vulnerabilities stemming from its underlying base Linux image, and some from the MongoDB source itself.
Severity: Medium
Affected Releases: Delhi, Edinburgh
Issue Link: https://www.cvedetails.com/vulnerability-list/vendor_id-12752/product_id-25450/version_id-229891/Mongodb-Mongodb-3.4.9.html
Fix Timeline: Delhi, Edinburgh, Fuji
Resolution/Mitigation: Pull the 4.0-xenial MongoDB package, which starts with a Debian base image that does not include a host of insecurities spanning Perl, OpenSSL, etc., and carries some MongoDB-specific fixes. See https://github.com/edgexfoundry/docker-edgex-mongo/commit/2c86e5e4359367177dc339556604c3af6fb9ee2a

Component: Database - MongoDB access credentials in the clear
Description: MongoDB and Redis are the available data persistence layers in EdgeX. While the access credentials (username and password) are in the clear for MongoDB, located in the configuration service (aka Consul) or on the local file system, Redis defaults to no authentication.
Severity: High
Affected Releases: Delhi, Edinburgh, Fuji
Resolution/Mitigation: EdgeX-using organizations should turn on the database access controls and institute a means to secure the data access credentials provided to the services.

Component: Go net package vulnerabilities
Description:
  • net/http: Denial of Service vulnerabilities (ping and reset) in the HTTP/2 implementation.
  • net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number.
Severity: High, High, Critical
Affected Releases: Delhi, Edinburgh
Issue Link:
  • https://nvd.nist.gov/vuln/detail/CVE-2019-9512
  • https://nvd.nist.gov/vuln/detail/CVE-2019-9514
  • https://nvd.nist.gov/vuln/detail/CVE-2019-14809
  • net/http HTTP/2 denial of service: CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
  • net/url parsing validation issue: CVE-2019-14809 and Go issue golang.org/issue/29098.
Fix Timeline: Fuji
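An added example, not EdgeX project code, of the defensive check the net/url entry implies: after parsing, confirm that Hostname() and Port() together account for every byte of Host, so that an authorization decision made on Hostname() cannot be bypassed by a malformed host suffix. The function names ParseStrictHost, rebuildHost and HostIsConsistent are assumed here.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ErrHostMismatch reports a parsed URL whose Host carries bytes that
// neither Hostname() nor Port() account for (the shape behind CVE-2019-14809).
var ErrHostMismatch = errors.New("url host has bytes outside Hostname()/Port()")

// ParseStrictHost parses rawURL and additionally requires that Hostname()
// and Port() reassemble exactly into u.Host. A patched Go (1.11.13 / 1.12.8
// and later) already rejects a non-numeric port in url.Parse; the second
// check covers older toolchains and URL values built by hand. Note that a
// bare trailing colon ("host:") is also treated as inconsistent.
func ParseStrictHost(rawURL string) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Host != "" && !HostIsConsistent(u) {
		return nil, fmt.Errorf("%w: %q", ErrHostMismatch, u.Host)
	}
	return u, nil
}

// HostIsConsistent is the check alone, for a URL value you already hold.
func HostIsConsistent(u *url.URL) bool { return rebuildHost(u) == u.Host }

// rebuildHost reassembles the host from the accessor values, restoring the
// IPv6 brackets that Hostname() strips.
func rebuildHost(u *url.URL) string {
	h := u.Hostname()
	if p := u.Port(); p != "" {
		return net.JoinHostPort(h, p) // re-adds [] around IPv6 literals
	}
	if strings.Contains(h, ":") {
		return "[" + h + "]"
	}
	return h
}

func main() {
	// Constructed sample inputs: two well-formed hosts and one non-numeric port.
	for _, raw := range []string{"http://example.com:8080/x", "http://[::1]:443/", "http://example.com:80x/"} {
		_, err := ParseStrictHost(raw)
		fmt.Printf("%-28s -> %v\n", raw, err)
	}
}
```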