Charon/docs/security/archive/accepted-risks.md
2026-03-04 18:34:49 +00:00


# Accepted Security Risks
This document tracks security vulnerabilities that have been assessed and accepted as low-risk, pending upstream patches.
---
## Alpine Linux Base Image Vulnerabilities
### CVE-2025-60876 (busybox, busybox-binsh, ssl_client)
**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-11
**Severity**: Medium
**CVSS**: TBD
#### Affected Components
- **busybox**: 1.37.0-r20
- **busybox-binsh**: 1.37.0-r20
- **ssl_client**: 1.37.0-r20
#### Vulnerability Description
CVE-2025-60876 affects multiple busybox utilities in Alpine Linux 3.21. As of 2026-01-11, no patch is available from Alpine Security Team.
#### Risk Assessment
**Exploitability**: Low
- Requires local shell access or specific network conditions
- Not directly exposed through application APIs
- Container isolation limits attack surface
**Impact**: Limited
- busybox provides minimal shell utilities used for healthchecks and diagnostics
- ssl_client is the TLS helper that busybox wget invokes for HTTPS fetches; the application does not call it
- No direct user input processing through these utilities
**Mitigation Strategies**:
1. **Container Isolation**: Running in containerized environment limits local access
2. **Network Policies**: Ingress/egress rules restrict network-based exploitation
3. **Non-Privileged Container**: Runs as non-root user (caddy user)
4. **Read-Only Filesystem**: Application code and binaries mounted read-only where possible
#### Monitoring Plan
- **Frequency**: Daily checks of Alpine Security advisories
- **Source**: <https://security.alpinelinux.org/vuln>
- **Alert Trigger**: Patch release for CVE-2025-60876
- **Action**: Rebuild Docker image with updated Alpine base
#### Remediation Timeline
- **Expected Upstream Fix**: TBD (monitoring Alpine Security Team)
- **Automatic Remediation**: Will be included in next Docker rebuild after Alpine patch
- **Review Date**: 2026-02-11 (30 days) or upon patch release, whichever is sooner
---
### CVE-2025-10966 (curl/libcurl)
**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-11
**Severity**: Medium
**CVSS**: TBD
#### Affected Components
- **curl**: 8.14.1-r2
- **libcurl**: 8.14.1-r2 (pulled in as a dependency of curl)
#### Vulnerability Description
CVE-2025-10966 affects libcurl in Alpine Linux 3.21. As of 2026-01-11, no patch is available from Alpine Security Team.
#### Risk Assessment
**Exploitability**: Medium
- Requires network access and specific request patterns
- curl used only in healthcheck scripts and manual debugging
- Not exposed directly to user input
**Impact**: Limited
- curl invoked only for internal health monitoring
- No user-controlled URLs passed to curl
- Healthcheck scripts use hardcoded localhost endpoints
**Mitigation Strategies**:
1. **Limited Usage**: curl only used for internal healthchecks (`http://localhost:8080/api/v1/health`)
2. **No User Input**: All curl invocations use hardcoded, internal URLs
3. **Container Isolation**: Network policies restrict external access
4. **Alternative Available**: Application can fall back to TCP socket checks
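The curl-free fallback listed above, as an added example that is not Charon's own healthcheck script: it probes the hardcoded loopback endpoint with the Python standard library instead of libcurl, and if the HTTP probe fails it reports whether the port at least accepts TCP connections. The port (8080), the exit-code policy, the `--allow-tcp` flag and the stub server used to exercise it offline are assumptions made for this example.

```python
"""Curl-free healthcheck with a TCP fallback.

Added example, not Charon's own healthcheck script. It probes the hardcoded
health endpoint named in this document with http.client and, if the HTTP
probe fails, reports whether the port at least accepts TCP connections.
The port (8080), the exit-code policy and the stub server are assumptions
made for this example.
"""
import socket
import sys
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

HEALTH_HOST = "127.0.0.1"   # loopback only: never a user-supplied host
HEALTH_PORT = 8080          # assumed default, matching the URL in this document
HEALTH_PATH = "/api/v1/health"
TIMEOUT = 2.0


def http_probe(host: str, port: int, path: str = HEALTH_PATH) -> bool:
    """GET the health endpoint; healthy only on a 2xx status."""
    conn = http.client.HTTPConnection(host, port, timeout=TIMEOUT)
    try:
        conn.request("GET", path, headers={"User-Agent": "charon-healthcheck"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return 200 <= resp.status < 300
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def tcp_probe(host: str, port: int) -> bool:
    """Fallback: does the listener accept a TCP connection at all?"""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT):
            return True
    except OSError:
        return False


def healthcheck(host: str, port: int) -> str:
    """Return "healthy" (2xx), "degraded" (port open, HTTP failing) or "unhealthy"."""
    if http_probe(host, port):
        return "healthy"
    if tcp_probe(host, port):
        return "degraded"
    return "unhealthy"


# Constructed stand-in for the application so the probes can run offline.
class _StubHealth(BaseHTTPRequestHandler):
    status = 200

    def do_GET(self):
        self.send_response(self.status if self.path == HEALTH_PATH else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe_stub(status: int) -> str:
    """Serve the stub on an ephemeral port with `status` and run healthcheck()."""
    handler = type("Stub", (_StubHealth,), {"status": status})
    server = HTTPServer((HEALTH_HOST, 0), handler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return healthcheck(HEALTH_HOST, port)
    finally:
        server.shutdown()
        server.server_close()


def probe_closed_port() -> str:
    """Run healthcheck() against a loopback port with nothing listening."""
    with socket.socket() as s:
        s.bind((HEALTH_HOST, 0))
        port = s.getsockname()[1]
    return healthcheck(HEALTH_HOST, port)


if __name__ == "__main__":
    # Docker HEALTHCHECK usage: exit 0 only when healthy; pass --allow-tcp to
    # accept the TCP-only fallback while the HTTP probe is unavailable.
    state = healthcheck(HEALTH_HOST, HEALTH_PORT)
    print(f"{HEALTH_HOST}:{HEALTH_PORT}{HEALTH_PATH}: {state}")
    ok = state == "healthy" or (state == "degraded" and "--allow-tcp" in sys.argv)
    sys.exit(0 if ok else 1)
```

A `degraded` result (port open, HTTP failing) is deliberately not treated as healthy unless the operator opts in, so the TCP fallback never masks an application that has stopped serving its health endpoint.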
#### Monitoring Plan
- **Frequency**: Daily checks of Alpine Security advisories
- **Source**: <https://security.alpinelinux.org/vuln>
- **Alert Trigger**: Patch release for CVE-2025-10966
- **Action**: Rebuild Docker image with updated Alpine base
#### Remediation Timeline
- **Expected Upstream Fix**: TBD (monitoring Alpine Security Team)
- **Automatic Remediation**: Will be included in next Docker rebuild after Alpine patch
- **Review Date**: 2026-02-11 (30 days) or upon patch release, whichever is sooner
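Both monitoring plans above (for CVE-2025-60876 and CVE-2025-10966) watch the Alpine advisories for a patch release and trigger a rebuild. The check below, added here as an example and not part of the Charon project, automates that trigger against the Alpine secdb feed, whose JSON layout (`packages[].pkg.name`, `pkg.secfixes{version: [CVE, ...]}`) is that of the public feed at https://secdb.alpinelinux.org/v3.21/main.json. The feed embedded in the block is a constructed sample; its fix version `1.37.0-r21` is made up purely to exercise the alert path and does not describe a real Alpine release.

```python
"""Check the Alpine secdb feed for fixes to the CVEs accepted in this document.

Added example, not part of the Charon project. The JSON layout
(packages[].pkg.name, pkg.secfixes{version: [CVE, ...]}) is that of the
public feed at https://secdb.alpinelinux.org/v3.21/main.json; the feed
embedded below is a constructed sample, and its fix versions are made up
purely to exercise the alert path.
"""
import json
import re
from typing import Optional

# (package, version in the current image, accepted CVE) as tracked above.
ACCEPTED = [
    ("busybox", "1.37.0-r20", "CVE-2025-60876"),
    ("curl", "8.14.1-r2", "CVE-2025-10966"),
]

# Constructed sample in the secdb layout. "1.37.0-r21" is NOT a real Alpine
# release; it exists here only so one entry takes the "patched" path.
SAMPLE_SECDB = json.dumps({
    "distroversion": "v3.21",
    "reponame": "main",
    "packages": [
        {"pkg": {"name": "busybox",
                 "secfixes": {"1.37.0-r21": ["CVE-2025-60876"]}}},
        {"pkg": {"name": "curl",
                 "secfixes": {}}},
    ],
})

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)-r(\d+)$")


def parse_apk_version(version: str) -> tuple:
    """Turn the plain `X.Y.Z-rN` apk form into a comparable tuple.

    Only the numeric form used by the packages tracked here is handled;
    apk's suffix ordering (_p1, _rc1, ...) is not, and such strings raise
    ValueError rather than being silently mis-ordered.
    """
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unsupported apk version form: {version!r}")
    return (tuple(int(p) for p in m.group(1).split(".")), int(m.group(2)))


def fix_version(secdb: dict, package: str, cve: str) -> Optional[str]:
    """Lowest version whose secfixes list `cve`, or None if no fix is published."""
    candidates = []
    for entry in secdb.get("packages", []):
        pkg = entry.get("pkg", {})
        if pkg.get("name") != package:
            continue
        for version, cves in pkg.get("secfixes", {}).items():
            if version == "0":      # secdb's marker for "never affected"
                continue
            if cve in cves:
                candidates.append(version)
    return min(candidates, key=parse_apk_version) if candidates else None


def check_accepted(secdb_json: str, accepted=ACCEPTED) -> list:
    """Classify each accepted risk: "patched" (fix newer than the image,
    i.e. the alert trigger), "installed" (image already carries the fix,
    so the entry is stale) or "pending" (no fix published)."""
    secdb = json.loads(secdb_json)
    results = []
    for package, installed, cve in accepted:
        fix = fix_version(secdb, package, cve)
        if fix is None:
            status = "pending"
        elif parse_apk_version(fix) > parse_apk_version(installed):
            status = "patched"
        else:
            status = "installed"
        results.append({"package": package, "installed": installed,
                        "cve": cve, "fix": fix, "status": status})
    return results


def needs_rebuild(results: list) -> bool:
    """True when any accepted CVE now has a fix newer than the image."""
    return any(r["status"] == "patched" for r in results)


if __name__ == "__main__":
    # In production, replace SAMPLE_SECDB with the body fetched from
    # https://secdb.alpinelinux.org/v3.21/main.json for the image's branch.
    report = check_accepted(SAMPLE_SECDB)
    for r in report:
        print(f"{r['package']:8} {r['installed']:12} {r['cve']}: {r['status']} "
              f"(fix: {r['fix'] or 'none'})")
    print("ACTION: rebuild image" if needs_rebuild(report) else "no action")
```

The `installed` status is the useful extra signal: once the image has been rebuilt past the fix version, the entry in this document is stale and should be closed rather than left in the accepted list.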
---
## Review Schedule
### Quarterly Security Review
- **Next Review**: 2026-04-11
- **Scope**: Re-assess all accepted risks, evaluate alternative base images
- **Attendees**: Security team, DevOps, Engineering Director
### Monthly Monitoring
- **Frequency**: First Monday of each month
- **Scope**: Check Alpine and upstream security advisories
- **Action**: Update this document if status changes
### Continuous Monitoring
- **Automated**: GitHub Dependabot, Renovate Bot
- **Manual**: Daily check of the Alpine security feed while any accepted risk remains open (per the monitoring plans above)
---
## Escalation Criteria
Accepted risks will be escalated to immediate remediation if:
1. **Severity Upgrade**: CVE severity upgraded to High or Critical
2. **Active Exploitation**: Evidence of active exploitation in the wild
3. **CISA KEV**: Added to CISA Known Exploited Vulnerabilities catalog
4. **Proof of Concept**: Public PoC demonstrating exploitability in containers
5. **Compliance Requirement**: Regulatory or audit requirement to remediate
---
## Alternative Mitigation Considered
### Switch to Distroless Base Image
**Status**: Under Evaluation
**Timeline**: Q1 2026
**Pros**:
- Minimal attack surface (no shell, no package manager)
- Faster security patches from Google
- Smaller image size
**Cons**:
- Debugging challenges (no shell access)
- May require custom healthcheck mechanisms
- Migration effort required
**Decision**: Continue monitoring Alpine CVEs while evaluating distroless for Q1 2026.
---
## Approval
**Approved By**: Engineering Director
**Date**: 2026-01-11
**Review Scheduled**: 2026-02-11
**Rationale**: The assessed risk from these Medium-severity Alpine CVEs is acceptable given:
1. Low (busybox) to medium (curl) exploitability in the containerized environment, per the assessments above
2. No upstream patches available
3. Effective mitigation strategies in place
4. Active monitoring for patches
5. No critical or high-severity vulnerabilities present
---
## References
- [Alpine Linux Security](https://security.alpinelinux.org/)
- [CVE-2025-60876 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-60876) (pending NVD update)
- [CVE-2025-10966 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-10966) (pending NVD update)
- [Supply Chain Remediation Plan](./supply-chain-no-cache-solution.md)
- [NIST SP 800-53: Security Controls](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)