Hi there!
How do you consider the impact of CVE-2021-3114 [1] and CVE-2021-3115 [2] on Mender? Do you think this is critical? We are asking since warrior-v2020.10 is directly affected with version 1.14.7.
Best regards
Another one for your review @kacf.
Perhaps @eystein can confirm, but I'm pretty sure Mender is not affected. Mender only uses RSA and the ED25519 curve.
Definitely not affected. Mender vendors all dependencies and does not rely on go get. In any case, this is a build time vulnerability, it does not affect deployed binaries.
Hello @deffo
Thanks for bringing this up.
This seems to me to only affect the NIST P-224 elliptic curve use in Golang, as it refers to the file crypto/elliptic/p224.go.
If this is the case then Mender should not be affected: