Impact of CVE-2021-3114 and CVE-2021-3115 on Mender

Hi there!

How do you consider the impact of CVE-2021-3114 [1] and CVE-2021-3115 [2] on Mender? Do you think this is critical? We are asking since warrior-v2020.10 is directly affected with version 1.14.7.

Best regards

[1] NVD - CVE-2021-3114
[2] NVD - CVE-2021-3115

Another one for your review @kacf.

Perhaps @eystein can confirm, but Iā€™m pretty sure Mender is not affected. Mender only uses RSA and the ED25519 curve.

Definitely not affected. Mender vendors all dependencies and does not rely on go get. In any case, this is a build time vulnerability, it does not affect deployed binaries.

1 Like

Hello @deffo

Thanks for bringing this up.

NVD - CVE-2021-3114

This seems to me to only affect the NIST P-224 elliptic curve use in Golang, as it refers to the file crypto/elliptic/p224.go.

If this is the case then Mender should not be affected:

  • Artifact sigatures support NIST P-256 and RSA
  • Communication uses TLS, and so it is theoretically possible to configure TLS to use this curve. Though this is not done by default in Mender (on-premise demo setup uses P-256 and hosted Mender uses RSA). This is also a very rare curve to use, I believe.