
The following is a list of known EdgeX security issues and vulnerabilities, together with any associated Common Vulnerabilities and Exposures (CVE) entries. CVE is a program for identifying, cataloging and addressing publicly known software and firmware vulnerabilities (see https://cve.mitre.org/). It is operated by MITRE and sponsored by the US federal government (DHS/CISA) to provide a free, standardized list of vulnerability identifiers that organizations can use to assess their software's exposure to security threats and improve its security posture.

EdgeX grades security issues on the CVSS (Common Vulnerability Scoring System) qualitative scale. The four levels are Critical, High, Medium and Low; under CVSS v3.x these correspond to base scores of 9.0 to 10.0, 7.0 to 8.9, 4.0 to 6.9 and 0.1 to 3.9 respectively.

Each issue is recorded with the following fields: Component, Description, Severity, Issue Link, Affected Releases, Fix Timeline, Resolution/Mitigation.

Issue 1

Component: Database - MongoDB
Description: MongoDB is one of the data persistence solutions usable in EdgeX. The MongoDB 3.4.9 container image has known vulnerabilities, most stemming from its underlying base Linux image and some from the MongoDB source itself.
Severity: Medium
Issue Link: https://www.cvedetails.com/vulnerability-list/vendor_id-12752/product_id-25450/version_id-229891/Mongodb-Mongodb-3.4.9.html
Affected Releases: Delhi, Edinburgh, Fuji
Fix Timeline: (not recorded)
Resolution/Mitigation: Pull the mongo 4.0-xenial image instead. Its Ubuntu 16.04 (xenial) base image no longer carries the Perl, OpenSSL and other package vulnerabilities present in the old base, and MongoDB 4.0 includes MongoDB-specific fixes. Note that this only removes the vulnerabilities known at the time of the change; the image should be rescanned periodically as new CVEs are published against the base packages.
Change: https://github.com/edgexfoundry/docker-edgex-mongo/commit/2c86e5e4359367177dc339556604c3af6fb9ee2a

Issue 2

Component: Database - MongoDB (access credentials in the clear)
Description: MongoDB is one of the data persistence solutions usable in EdgeX. The access credentials (username and password) are obtained either from the configuration service (Consul) or from the local file system. By either route, the credentials are stored and transmitted in the clear, so anyone who can read the Consul KV store or the service's configuration file can obtain them.
Severity, Issue Link, Affected Releases, Fix Timeline, Resolution/Mitigation: not filled in.
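The second issue above is easy to confirm with a scan of the two configuration sources it names. The following is an added example, not EdgeX project code: it reads a Consul KV export in the JSON shape returned by Consul's `GET /v1/kv/<prefix>?recurse` endpoint (each entry has a `Key` and a base64-encoded `Value`, which Consul returns as null for empty values) and a TOML configuration file, and reports every credential-named key whose value is readable plaintext. The sample export and TOML below are constructed for the example, and the key paths and section names are assumptions for illustration rather than the project's real layout.

```python
"""Scan EdgeX-style configuration sources for plaintext database credentials.

Added example, not EdgeX project code. Covers the two routes named on the
page: a saved Consul KV export (GET /v1/kv/<prefix>?recurse JSON) and a TOML
configuration file from the local file system. Sample data is constructed;
the key paths and section names are assumptions, not EdgeX's real layout.
"""
import base64
import json
import re

# Key or field names that should never hold a readable secret.
CREDENTIAL_NAME = re.compile(r"(password|passwd|secret|token|username|user)$",
                             re.IGNORECASE)

# A TOML key/value line with a double-quoted string, e.g. Password = "x".
TOML_STRING_LINE = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*"([^"]*)"\s*(?:#.*)?$')


def plaintext_credentials_in_consul(kv_json):
    """Return [(key, value)] for credential-named keys whose value decodes to text."""
    findings = []
    for entry in json.loads(kv_json):
        key = entry.get("Key", "")
        if not CREDENTIAL_NAME.search(key):
            continue
        encoded = entry.get("Value")
        if encoded is None:  # Consul returns null for keys with empty values
            continue
        value = base64.b64decode(encoded).decode("utf-8", errors="replace")
        if value.strip():
            findings.append((key, value))
    return findings


def plaintext_credentials_in_toml(toml_text):
    """Return [(field, value)] for credential-named fields with a non-empty string."""
    findings = []
    for line in toml_text.splitlines():
        match = TOML_STRING_LINE.match(line)
        if match and CREDENTIAL_NAME.search(match.group(1)) and match.group(2):
            findings.append((match.group(1), match.group(2)))
    return findings


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample: what a recurse query against a hypothetical
# edgex/core/1.0/edgex-core-data prefix might return.
SAMPLE_CONSUL_EXPORT = json.dumps([
    {"Key": "edgex/core/1.0/edgex-core-data/Databases/Primary/Host",
     "Value": _b64("edgex-mongo")},
    {"Key": "edgex/core/1.0/edgex-core-data/Databases/Primary/Port",
     "Value": _b64("27017")},
    {"Key": "edgex/core/1.0/edgex-core-data/Databases/Primary/Username",
     "Value": _b64("core")},
    {"Key": "edgex/core/1.0/edgex-core-data/Databases/Primary/Password",
     "Value": _b64("password")},
    {"Key": "edgex/core/1.0/edgex-core-data/SecretStore/Token",
     "Value": None},  # empty value: must not be reported
])

# Constructed sample of the equivalent local configuration file.
SAMPLE_TOML = """\
[Databases]
  [Databases.Primary]
  Host = "edgex-mongo"
  Port = 27017
  Type = "mongodb"
  Username = "core"
  Password = "password"
"""

if __name__ == "__main__":
    for key, value in plaintext_credentials_in_consul(SAMPLE_CONSUL_EXPORT):
        print("consul: %s = %r" % (key, value))
    for field, value in plaintext_credentials_in_toml(SAMPLE_TOML):
        print("toml:   %s = %r" % (field, value))
```

To run it against a live deployment, save the output of `curl http://localhost:8500/v1/kv/edgex?recurse` and pass the file contents to `plaintext_credentials_in_consul`; any hit means the credential is recoverable by anyone with read access to the Consul HTTP API, which is unauthenticated unless ACLs are enabled.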
