
CVE on curl-7.80.0, openssl-1.1.1l

Open JunXie-ZH opened this issue 1 year ago • 6 comments

I scanned the nebula binaries (mainly the files under the bin folder) and found that they depend on the open-source components curl-7.80.0 and openssl-1.1.1l, both of which have some CVE vulnerabilities. Has the official team analyzed this? Would nebula's usage scenarios trigger these vulnerabilities?

JunXie-ZH avatar Feb 19 '24 02:02 JunXie-ZH

@MuYiYong @Shinji-IkariG should we uplift to a version w/o CVE?

wey-gu avatar Feb 19 '24 03:02 wey-gu

Thank you for reporting the CVE incident. We will conduct a unified check and fix the upstream dependencies.

Shinji-IkariG avatar Feb 20 '24 02:02 Shinji-IkariG

@MuYiYong @Shinji-IkariG should we uplift to a version w/o CVE?

I think we should first confirm the number and impact of CVE incidents in all 3rd components. Let’s see what form the repair takes.

Shinji-IkariG avatar Feb 20 '24 02:02 Shinji-IkariG

@JunXie-ZH, btw, those two libs were not used by default.

  • the condition to trigger OpenSSL is when TLS between services is enabled
  • curl is now only used when full-text search is used (to talk to Elasticsearch)

wey-gu avatar Feb 20 '24 02:02 wey-gu

@wey-gu Thanks! And what about the zlib? When will it be used?

JunXie-ZH avatar Feb 20 '24 09:02 JunXie-ZH

@wey-gu Thanks! And what about the zlib? When will it be used?

RocksDB leverages zlib as the compression lib, which is optional and by default not used; lz4 is the default compression lib instead.

--rocksdb_compression=lz4

wey-gu avatar Feb 20 '24 09:02 wey-gu
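The two answers above (OpenSSL only with inter-service TLS, curl only for full-text search, zlib only when RocksDB compression selects it) amount to a reachability check for each scanned component. The script below is an added example, not NebulaGraph project code: it inventories the version banners the libraries embed in a binary and then reads a gflags-style config to decide which of them the deployment actually exercises. Only `rocksdb_compression` comes from the thread; `enable_ssl` and `enable_full_text_search` are assumed placeholder flag names, and the sample binary bytes and config are constructed.

```python
"""Inventory third-party version banners in a binary and, from a gflags-style
config, decide whether each component is reachable in this deployment.
Added example, not NebulaGraph code; enable_ssl / enable_full_text_search are
assumed flag names, only rocksdb_compression appears in the thread."""
import re

# Version banners that libcurl, OpenSSL and zlib compile into their object code.
BANNERS = {
    "curl": re.compile(rb"libcurl/(\d+\.\d+\.\d+)"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib": re.compile(rb"(?:inflate|deflate) (\d+\.\d+\.\d+) Copyright"),
}


def scan_components(blob: bytes) -> dict:
    """Return {component: version} for every banner found in the bytes."""
    found = {}
    for name, pat in BANNERS.items():
        m = pat.search(blob)
        if m:
            found[name] = m.group(1).decode()
    return found


def parse_gflags(text: str) -> dict:
    """Parse '--key=value' lines; '#' starts a comment; a bare '--flag' means true."""
    flags = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("--"):
            continue
        key, _, value = line[2:].partition("=")
        flags[key.strip()] = value.strip() or "true"
    return flags


def reachable(flags: dict) -> dict:
    """Apply the thread's conditions: TLS for OpenSSL, full-text search for curl,
    RocksDB compression choice for zlib (defaults mirror the thread: off / lz4)."""
    return {
        "openssl": flags.get("enable_ssl", "false") == "true",            # assumed flag name
        "curl": flags.get("enable_full_text_search", "false") == "true",  # assumed flag name
        "zlib": flags.get("rocksdb_compression", "lz4") == "zlib",
    }


def exposure(blob: bytes, config: str) -> dict:
    """Components present in the binary, their version, and whether config exercises them."""
    reach = reachable(parse_gflags(config))
    return {c: {"version": v, "reachable": reach.get(c, True)}
            for c, v in scan_components(blob).items()}


# Constructed sample input: banner fragments as they would sit in a binary, plus a config.
SAMPLE_BIN = (b"\x7fELF...libcurl/7.80.0\x00OpenSSL 1.1.1l  24 Aug 2021\x00"
              b"inflate 1.2.11 Copyright 1995-2017 Mark Adler\x00")
SAMPLE_CONF = "--rocksdb_compression=lz4\n--enable_ssl=false  # TLS off\n"

if __name__ == "__main__":
    for comp, info in exposure(SAMPLE_BIN, SAMPLE_CONF).items():
        print(comp, info)
```

Run it against a real `nebula-storaged` file and its `.conf` to get the same present-versus-reachable split the maintainers describe, which is what decides whether a flagged CVE needs an urgent uplift.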