Impact of CVE-2021-3114 and CVE-2021-3115 on Mender

deffo · February 4, 2021, 9:10am

Hi there!

How do you consider the impact of CVE-2021-3114 [1] and CVE-2021-3115 [2] on Mender? Do you think this is critical? We are asking since warrior-v2020.10 is directly affected with version 1.14.7.

Best regards

[1] NVD - CVE-2021-3114
[2] NVD - CVE-2021-3115

drewmoseley · February 4, 2021, 1:56pm

Another one for your review @kacf.

kacf · February 5, 2021, 8:01am

Perhaps @eystein can confirm, but I’m pretty sure Mender is not affected. Mender only uses RSA and the ED25519 curve.

Definitely not affected. Mender vendors all dependencies and does not rely on go get. In any case, this is a build time vulnerability, it does not affect deployed binaries.

eystein · February 5, 2021, 4:46pm

Hello @deffo

Thanks for bringing this up.

NVD - CVE-2021-3114

This seems to me to only affect the NIST P-224 elliptic curve use in Golang, as it refers to the file crypto/elliptic/p224.go.

If this is the case then Mender should not be affected:

Artifact sigatures support NIST P-256 and RSA
Communication uses TLS, and so it is theoretically possible to configure TLS to use this curve. Though this is not done by default in Mender (on-premise demo setup uses P-256 and hosted Mender uses RSA). This is also a very rare curve to use, I believe.

Topic		Replies	Views
Impact of CVE-2021-27918 on Mender General Discussions yocto , warrior , security	1	545	March 22, 2021
Impact of certain CVEs on Mender General Discussions yocto , security , dunfell	2	365	August 16, 2021
Impact of CVE-2021-31525 and CVE-2021-33194 on Mender General Discussions security	2	341	July 2, 2021
Impact of CVE-2020-29510 on Mender General Discussions yocto , warrior , security	2	575	February 1, 2021
Impact of CVE-2021-29923 and CVE-2021-36221 on Mender General Discussions	1	262	August 26, 2021

Impact of CVE-2021-3114 and CVE-2021-3115 on Mender

Related Topics