akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

fix: update SECURITY.md with new vulnerability details and remediation plans

Browse Source
This commit is contained in:
GitHub Actions
2026-03-25 04:05:15 +00:00
parent 86023788aa
commit c9f4e42735
4 changed files with 1014 additions and 856 deletions
Download Patch File Download Diff File Expand all files Collapse all files

232
.grype.yaml
View File

@@ -4,83 +4,6 @@
# Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore
ignore:
# GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability
# Severity: HIGH (CVSS 8.1)
# Package: github.com/slackhq/nebula v1.9.7 (embedded in /usr/bin/caddy)
# Status: Cannot upgrade — smallstep/certificates v0.30.0-rc2 still pins nebula v1.9.x
#
# Vulnerability Details:
# - ECDSA signature malleability allows bypassing certificate blocklists
# - Attacker can forge alternate valid P256 ECDSA signatures for revoked
# certificates (CVSSv3: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
# - Only affects configurations using Nebula-based certificate authorities
# (non-default and uncommon in Charon deployments)
#
# Root Cause (Compile-Time Dependency Lock):
# - Caddy is built with caddy-security plugin, which transitively requires
# github.com/smallstep/certificates. That package pins nebula v1.9.x.
# - Checked: smallstep/certificates v0.27.5 → v0.30.0-rc2 all require nebula v1.9.4v1.9.7.
# The nebula v1.10 API removal breaks compilation in the
# authority/provisioner package; xcaddy build fails with upgrade attempted.
# - Dockerfile caddy-builder stage pins nebula@v1.9.7 (Renovate tracked) with
# an inline comment explaining the constraint (Dockerfile line 247).
# - Fix path: once smallstep/certificates releases a version requiring
# nebula v1.10+, remove the pin and this suppression simultaneously.
#
# Risk Assessment: ACCEPTED (Low exploitability in Charon context)
# - Charon uses standard ACME/Let's Encrypt TLS; Nebula VPN PKI is not
# enabled by default and rarely configured in Charon deployments.
# - Exploiting this requires a valid certificate sharing the same issuer as
# a revoked one — an uncommon and targeted attack scenario.
# - Container-level isolation reduces the attack surface further.
#
# Mitigation (active while suppression is in effect):
# - Monitor smallstep/certificates releases at https://github.com/smallstep/certificates/releases
# - Weekly CI security rebuild flags any new CVEs in the full image.
# - Renovate annotation in Dockerfile (datasource=go depName=github.com/slackhq/nebula)
# will surface the pin for review when xcaddy build becomes compatible.
#
# Review:
# - Reviewed 2026-02-19: smallstep/certificates latest stable remains v0.27.5;
# no release requiring nebula v1.10+ has shipped. Suppression extended 14 days.
# - Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
# - Next review: 2026-04-12. Remove suppression immediately once upstream fixes.
#
# Removal Criteria:
# - smallstep/certificates releases a stable version requiring nebula v1.10+
# - Update Dockerfile caddy-builder patch to use the new versions
# - Rebuild image, run security scan, confirm suppression no longer needed
# - Remove both this entry and the corresponding .trivyignore entry
#
# References:
# - GHSA: https://github.com/advisories/GHSA-69x3-g4r3-p962
# - CVE-2026-25793: https://nvd.nist.gov/vuln/detail/CVE-2026-25793
# - smallstep/certificates: https://github.com/smallstep/certificates/releases
# - Dockerfile pin: caddy-builder stage, line ~247 (go get nebula@v1.9.7)
- vulnerability: GHSA-69x3-g4r3-p962
package:
name: github.com/slackhq/nebula
version: "v1.9.7"
type: go-module
reason: |
HIGH — ECDSA signature malleability in nebula v1.9.7 embedded in /usr/bin/caddy.
Cannot upgrade: smallstep/certificates v0.27.5 (latest stable as of 2026-03-13)
still requires nebula v1.9.x (verified across v0.27.5v0.30.0-rc2). Charon does
not use Nebula VPN PKI by default. Risk accepted pending upstream smallstep fix.
Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
expiry: "2026-04-12" # Re-evaluated 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
# Action items when this suppression expires:
# 1. Check smallstep/certificates releases: https://github.com/smallstep/certificates/releases
# 2. If a stable version requires nebula v1.10+:
# a. Update Dockerfile caddy-builder: remove the `go get nebula@v1.9.7` pin
# b. Optionally bump smallstep/certificates to the new version
# c. Rebuild Docker image and verify no compile failures
# d. Re-run local security-scan-docker-image and confirm clean result
# e. Remove this suppression entry
# 3. If no fix yet: Extend expiry by 14 days and document justification
# 4. If extended 3+ times: Open upstream issue on smallstep/certificates
# CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade
# Severity: HIGH (CVSS 7.5)
# Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk)
@@ -153,161 +76,6 @@ ignore:
Risk accepted pending Alpine upstream patch.
expiry: "2026-04-18" # Initial 30-day review period. See libcrypto3 entry above for action items.
# CVE-2026-33186 / GHSA-p77j-4mvh-x3m3: gRPC-Go authorization bypass via missing leading slash
# Severity: CRITICAL (CVSS 9.1)
# Package: google.golang.org/grpc v1.74.2 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
# Status: Fix available at v1.79.3 — waiting on CrowdSec upstream to release with patched grpc
#
# Vulnerability Details:
# - gRPC-Go server path-based authorization (grpc/authz) fails to match deny rules when
# the HTTP/2 :path pseudo-header is missing its leading slash (e.g., "Service/Method"
# instead of "/Service/Method"), allowing a fallback allow-rule to grant access instead.
# - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
#
# Root Cause (Third-Party Binary):
# - Charon's own grpc dependency is patched to v1.79.3 (updated 2026-03-19).
# - CrowdSec ships grpc v1.74.2 compiled into its binary; Charon has no control over this.
# - This is a server-side vulnerability. CrowdSec uses grpc as a server; Charon uses it
# only as a client (via the Docker SDK). CrowdSec's internal grpc server is not exposed
# to external traffic in a standard Charon deployment.
# - Fix path: once CrowdSec releases a version built with grpc >= v1.79.3, rebuild the
# Docker image (Renovate tracks the CrowdSec version) and remove this suppression.
#
# Risk Assessment: ACCEPTED (Constrained exploitability in Charon context)
# - The vulnerable code path requires an attacker to reach CrowdSec's internal grpc server,
# which is bound to localhost/internal interfaces in the Charon container network.
# - Container-level isolation (no exposed grpc port) significantly limits exposure.
# - Charon does not configure grpc/authz deny rules on CrowdSec's server.
#
# Mitigation (active while suppression is in effect):
# - Monitor CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
# - Weekly CI security rebuild flags the moment a fixed CrowdSec image ships.
#
# Review:
# - Reviewed 2026-03-19 (initial suppression): grpc v1.79.3 fix exists; CrowdSec has not
# yet shipped an updated release. Suppression set for 14-day review given fix availability.
# - Next review: 2026-04-02. Remove suppression once CrowdSec ships with grpc >= v1.79.3.
#
# Removal Criteria:
# - CrowdSec releases a version built with google.golang.org/grpc >= v1.79.3
# - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
# - Remove this entry and the corresponding .trivyignore entry simultaneously
#
# References:
# - GHSA-p77j-4mvh-x3m3: https://github.com/advisories/GHSA-p77j-4mvh-x3m3
# - CVE-2026-33186: https://nvd.nist.gov/vuln/detail/CVE-2026-33186
# - grpc fix (v1.79.3): https://github.com/grpc/grpc-go/releases/tag/v1.79.3
# - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
- vulnerability: CVE-2026-33186
package:
name: google.golang.org/grpc
version: "v1.74.2"
type: go-module
reason: |
CRITICAL — gRPC-Go authorization bypass in grpc v1.74.2 embedded in /usr/local/bin/crowdsec
and /usr/local/bin/cscli. Fix available at v1.79.3 (Charon's own dep is patched); waiting
on CrowdSec upstream to release with patched grpc. CrowdSec's grpc server is not exposed
externally in a standard Charon deployment. Risk accepted pending CrowdSec upstream fix.
Reviewed 2026-03-19: CrowdSec has not yet released with grpc >= v1.79.3.
expiry: "2026-04-02" # 14-day review: fix exists at v1.79.3; check CrowdSec releases.
# Action items when this suppression expires:
# 1. Check CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
# 2. If CrowdSec ships with grpc >= v1.79.3:
# a. Renovate should auto-PR the new CrowdSec version in the Dockerfile
# b. Merge the Renovate PR, rebuild Docker image
# c. Run local security-scan-docker-image and confirm grpc v1.74.2 is gone
# d. Remove this suppression entry and the corresponding .trivyignore entry
# 3. If no fix yet: Extend expiry by 14 days and document justification
# 4. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec
# CVE-2026-33186 (Caddy) — see full justification in the CrowdSec entry above
# Package: google.golang.org/grpc v1.79.1 (embedded in /usr/bin/caddy)
# Status: Fix available at v1.79.3 — waiting on a new Caddy release built with patched grpc
- vulnerability: CVE-2026-33186
package:
name: google.golang.org/grpc
version: "v1.79.1"
type: go-module
reason: |
CRITICAL — gRPC-Go authorization bypass in grpc v1.79.1 embedded in /usr/bin/caddy.
Fix available at v1.79.3; waiting on Caddy upstream to release a build with patched grpc.
Caddy's grpc server is not exposed externally in a standard Charon deployment.
Risk accepted pending Caddy upstream fix. Reviewed 2026-03-19: no Caddy release with grpc >= v1.79.3 yet.
expiry: "2026-04-02" # 14-day review: fix exists at v1.79.3; check Caddy releases.
# Action items when this suppression expires:
# 1. Check Caddy releases: https://github.com/caddyserver/caddy/releases
# (or the custom caddy-builder in the Dockerfile for caddy-security plugin)
# 2. If a new Caddy build ships with grpc >= v1.79.3:
# a. Update the Caddy version pin in the Dockerfile caddy-builder stage
# b. Rebuild Docker image and run local security-scan-docker-image
# c. Remove this suppression entry and the corresponding .trivyignore entry
# 3. If no fix yet: Extend expiry by 14 days and document justification
# 4. If extended 3+ times: Open an issue on caddyserver/caddy
# GHSA-479m-364c-43vc: goxmldsig XML signature validation bypass (loop variable capture)
# Severity: HIGH (CVSS 7.5)
# Package: github.com/russellhaering/goxmldsig v1.5.0 (embedded in /usr/bin/caddy)
# Status: Fix available at v1.6.0 — waiting on a new Caddy release built with patched goxmldsig
#
# Vulnerability Details:
# - Loop variable capture in validateSignature causes the signature reference to always
# point to the last element in SignedInfo.References; an attacker can substitute signed
# element content and bypass XML signature integrity validation (CWE-347, CWE-682).
# - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
#
# Root Cause (Third-Party Binary):
# - Charon does not use goxmldsig directly. The package is compiled into /usr/bin/caddy
# via the caddy-security plugin's SAML/SSO support.
# - Fix path: once Caddy (or the caddy-security plugin) releases a build with
# goxmldsig >= v1.6.0, rebuild the Docker image and remove this suppression.
#
# Risk Assessment: ACCEPTED (Low exploitability in default Charon context)
# - The vulnerability only affects SAML/XML signature validation workflows.
# - Charon does not enable or configure SAML-based SSO in its default setup.
# - Exploiting this requires an active SAML integration, which is non-default.
#
# Mitigation (active while suppression is in effect):
# - Monitor caddy-security plugin releases: https://github.com/greenpau/caddy-security/releases
# - Monitor Caddy releases: https://github.com/caddyserver/caddy/releases
# - Weekly CI security rebuild flags the moment a fixed image ships.
#
# Review:
# - Reviewed 2026-03-19 (initial suppression): goxmldsig v1.6.0 fix exists; Caddy has not
# yet shipped with the updated dep. Set 14-day review given fix availability.
# - Next review: 2026-04-02. Remove suppression once Caddy ships with goxmldsig >= v1.6.0.
#
# Removal Criteria:
# - Caddy (or caddy-security plugin) releases a build with goxmldsig >= v1.6.0
# - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
# - Remove this entry and the corresponding .trivyignore entry simultaneously
#
# References:
# - GHSA-479m-364c-43vc: https://github.com/advisories/GHSA-479m-364c-43vc
# - goxmldsig v1.6.0 fix: https://github.com/russellhaering/goxmldsig/releases/tag/v1.6.0
# - caddy-security plugin: https://github.com/greenpau/caddy-security/releases
- vulnerability: GHSA-479m-364c-43vc
package:
name: github.com/russellhaering/goxmldsig
version: "v1.5.0"
type: go-module
reason: |
HIGH — XML signature validation bypass in goxmldsig v1.5.0 embedded in /usr/bin/caddy.
Fix available at v1.6.0; waiting on Caddy upstream to release a build with patched goxmldsig.
Charon does not configure SAML-based SSO by default; the vulnerable XML signature path
is not reachable in a standard deployment. Risk accepted pending Caddy upstream fix.
Reviewed 2026-03-19: no Caddy release with goxmldsig >= v1.6.0 yet.
expiry: "2026-04-02" # 14-day review: fix exists at v1.6.0; check Caddy/caddy-security releases.
# Action items when this suppression expires:
# 1. Check caddy-security releases: https://github.com/greenpau/caddy-security/releases
# 2. If a new build ships with goxmldsig >= v1.6.0:
# a. Update the Caddy version pin in the Dockerfile caddy-builder stage if needed
# b. Rebuild Docker image and run local security-scan-docker-image
# c. Remove this suppression entry and the corresponding .trivyignore entry
# 3. If no fix yet: Extend expiry by 14 days and document justification
# GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
# Severity: HIGH (CVSS 7.5)
# Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)