
🐛Cloudflared is vulnerable to CVE-2024-24790 #1311

Open
matthias2 opened this issue Aug 21, 2024 · 4 comments
Labels
Priority: Normal Minor issue impacting one or more users Type: Bug Something isn't working

Comments

@matthias2

Describe the bug
Cloudflared is vulnerable via the stdlib in the Golang 1.22.2 version, in module net/netip. It is rated 9.8/10 critical, as shown in the vulnerability CVE-2024-24790.

To Reproduce
Steps to reproduce the behavior:

$ wget -q https://github.com/cloudflare/cloudflared/releases/download/2024.8.2/cloudflared-fips-linux-amd64

$ govulncheck -mode binary cloudflared-fips-linux-amd64
=== Symbol Results ===

Vulnerability #1: GO-2024-2963
    Denial of service due to improper 100-continue handling in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2963
  Standard library
    Found in: net/http@go1.22.2
    Fixed in: net/http@go1.22.5
    Vulnerable symbols found:
      #1: http.Client.CloseIdleConnections
      #2: http.Client.Do
      #3: http.Client.Get
      #4: http.Client.Head
      #5: http.Client.Post
      Use '-show traces' to see the other 4 found symbols

Vulnerability #2: GO-2024-2887
    Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in
    net/netip
  More info: https://pkg.go.dev/vuln/GO-2024-2887
  Standard library
    Found in: net/netip@go1.22.2
    Fixed in: net/netip@go1.22.4
    Vulnerable symbols found:
      #1: netip.Addr.IsGlobalUnicast
      #2: netip.Addr.IsInterfaceLocalMulticast
      #3: netip.Addr.IsLinkLocalMulticast
      #4: netip.Addr.IsLoopback
      #5: netip.Addr.IsMulticast
      Use '-show traces' to see the other 1 found symbols

Vulnerability #3: GO-2024-2824
    Malformed DNS message can cause infinite loop in net
  More info: https://pkg.go.dev/vuln/GO-2024-2824
  Standard library
    Found in: net@go1.22.2
    Fixed in: net@go1.22.3
    Vulnerable symbols found:
      #1: net.Dial
      #2: net.DialTimeout
      #3: net.Dialer.Dial
      #4: net.Dialer.DialContext
      #5: net.Listen
      Use '-show traces' to see the other 19 found symbols

Vulnerability #4: GO-2024-2785
    CoreDNS may return invalid cache entries in github.com/coredns/coredns
  More info: https://pkg.go.dev/vuln/GO-2024-2785
  Module: github.com/coredns/coredns
    Found in: github.com/coredns/coredns@v1.10.0
    Fixed in: github.com/coredns/coredns@v1.11.2
    Vulnerable symbols found:
      #1: cache.Cache.ServeDNS
      #2: cache.ResponseWriter.WriteMsg
      #3: cache.verifyStaleResponseWriter.WriteMsg

Your code is affected by 4 vulnerabilities from 1 module and the Go standard library.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.

Expected behavior
No vulns show up.

Environment and versions

  • OS: Linux
  • Architecture: amd64
  • Version: 2024.08.2

Additional context
Upgrade the Golang version to at least 1.22.4.

@matthias2 matthias2 added Priority: Normal Minor issue impacting one or more users Type: Bug Something isn't working labels Aug 21, 2024
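The net/netip finding above (GO-2024-2887) concerns the Is* methods giving unexpected answers for IPv4-mapped IPv6 addresses. As an added example in Go (my own code, not cloudflared's), this shows the defensive normalisation a caller can apply regardless of toolchain version: call Unmap() before classifying. The Classify function and its inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// AddrClass holds the classification of an address after normalisation.
type AddrClass struct {
	Normalized    netip.Addr // address with any ::ffff: prefix removed
	WasMapped     bool       // true if the input was IPv4-mapped IPv6
	Loopback      bool
	Private       bool
	Multicast     bool
	GlobalUnicast bool
}

// Classify parses s and reports its properties after explicitly unmapping
// IPv4-mapped IPv6 forms (::ffff:a.b.c.d). Unmapping first yields the same
// answer on toolchains before and after the net/netip fix in Go 1.22.4
// (GO-2024-2887 / CVE-2024-24790), so the result does not depend on whether
// the Is* methods themselves unmap.
func Classify(s string) (AddrClass, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return AddrClass{}, err
	}
	norm := addr.Unmap() // no-op for plain IPv4 or native IPv6
	return AddrClass{
		Normalized:    norm,
		WasMapped:     addr.Is4In6(),
		Loopback:      norm.IsLoopback(),
		Private:       norm.IsPrivate(),
		Multicast:     norm.IsMulticast(),
		GlobalUnicast: norm.IsGlobalUnicast(),
	}, nil
}

func main() {
	// Constructed sample inputs: the same hosts in IPv4, IPv4-mapped IPv6 and native IPv6 form.
	for _, s := range []string{"127.0.0.1", "::ffff:127.0.0.1", "::1", "::ffff:10.1.2.3", "::ffff:8.8.8.8"} {
		c, err := Classify(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-18s -> %-10s mapped=%-5v loopback=%-5v private=%-5v global=%v\n",
			s, c.Normalized, c.WasMapped, c.Loopback, c.Private, c.GlobalUnicast)
	}
}
```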
@Ahmed-Alhameedawi

Is there any ETA on this? Do you mind explaining why a critical CVE is marked as normal priority?

@MilitaoLucas

MilitaoLucas commented Sep 15, 2024

Is it applicable in this case? Is a vulnerable function of stdlib being used?

"but your code doesn't appear to call these vulnerabilities."

Here is your answer. This is a non-serious issue and should be fixed with normal priority.

@itaysk

itaysk commented Sep 15, 2024

Hi there, I'm Itay from Aqua Security, creators of the popular OSS vulnerability scanner Trivy. This issue was flagged for me and I wanted to chime in to add that Trivy now allows software maintainers (you) to publish vulnerability analysis about your software (packages, libraries, container images) so that vulnerability scanners will automatically suppress those irrelevant vulnerabilities for end users. You can read more here:
https://aquasecurity.github.io/trivy/latest/docs/supply-chain/vex/repo/#publishing-vex-documents
https://github.com/aquasecurity/vexhub
This might be a good opportunity to add a VEX statement to suppress this irrelevant vulnerability, so that your users who scan your artifact with Trivy, or other VEX-enabled scanners, will have peace of mind that you are aware of it and concluded it is not relevant. Feel free to reach me or the Trivy team if you have any issues/feedback.

@mikocot

mikocot commented Oct 21, 2024

Is it applicable in this case? Is a vulnerable function of stdlib being used?

"but your code doesn't appear to call these vulnerabilities."

Here is your answer. This is a non-serious issue and should be fixed with normal priority.

The vulnerability is fixed in 1.22.4, so this should be a relatively minor change for you. You might not consider this vulnerability applicable to your code, but effectively it tags the whole image as insecure, and it does not pass scans by standard cybersec tools.

Ultimately that greatly reduces trust in Cloudflare products or may render them completely unusable in more rigid corporate environments, especially since Cloudflare products are ultimately meant to improve security and are used in the most sensitive and exposed applications.
