Security audit report
Vulnerability scanning
PactFlow uses the following tools to ensure the On-Premises image is kept as secure as possible.
- Bundler Audit
- NPM audit
- Trivy
- Quay Security Scanner
- Amazon ECR Image scanning
Reporting vulnerabilities
To report a vulnerability, please contact security and ensure you include the relevant CVE, and the name and/or path to the vulnerable component.
Identifying the correct Ruby version
Many scanning tools have trouble identifying the correct version of Ruby installed on an image because Ruby stores its gems in a directory path that uses the minor version of Ruby (eg. 2.7.0
) rather than the patch version (eg. 2.7.6
). This can be demonstrated by running the following command:
docker run --rm -it --entrypoint gem quay.io/pactflow/enterprise:latest environment
Example output (note the RUBY VERSION
of 2.7.6
while the GEM PATHS
use 2.7.0
):
RubyGems Environment:
- RUBYGEMS VERSION: 3.1.6
- RUBY VERSION: 2.7.6 (2022-04-12 patchlevel 219) [x86_64-linux-musl]
- INSTALLATION DIRECTORY: /usr/local/bundle
- USER INSTALLATION DIRECTORY: /root/.gem/ruby/2.7.0
- RUBY EXECUTABLE: /usr/local/bin/ruby
- GIT EXECUTABLE:
- EXECUTABLE DIRECTORY: /usr/local/bundle/bin
- SPEC CACHE DIRECTORY: /root/.gem/specs
- SYSTEM CONFIGURATION DIRECTORY: /usr/local/etc
- RUBYGEMS PLATFORMS:
- ruby
- x86_64-linux-musl
- GEM PATHS:
- /usr/local/bundle
- /root/.gem/ruby/2.7.0
- /usr/local/lib/ruby/gems/2.7.0
- GEM CONFIGURATION:
- :update_sources => true
- :verbose => true
- :backtrace => false
- :bulk_threshold => 1000
- "install" => "--no-document"
- "update" => "--no-document"
- REMOTE SOURCES:
- https://rubygems.org/
- SHELL PATH:
- /usr/local/bundle/bin
- /usr/local/sbin
- /usr/local/bin
- /usr/sbin
- /usr/bin
- /sbin
- /bin
The difficulty that tools have in identifying the correct version of Ruby can lead to false positives being reported. Please check the version of Ruby before submitting a vulnerability report.
Identifying the installed gem versions
To list the gems installed on the PactFlow image run:
docker run --rm -it --entrypoint gem quay.io/pactflow/enterprise:latest "list"
Known vulnerabilities
CVE-2015-9284
Component
omniauth gem
CVE
https://nvd.nist.gov/vuln/detail/CVE-2015-9284
Detectable in versions of PactFlow
All.
Status
Non-exploitable.
Notes
This CVE is a CSRF vulnerability during sign in. This vulnerability is only exploitable if the initial request from the service provider to the identify provider is vulnerable to a CSRF attack because it uses a GET request without any CSRF protection. In PactFlow, this is not possible as PactFlow uses a POST request method with a CSRF token for the initial request to the IDP, as per the mitigation instructions here.
This can be observed by viewing the source of the login form.
<form action="https://example.com/auth/saml" method="post">
<input type="hidden" name="authenticity_token" value="i_nnrcJziCKKNMb-FRQtxot2ZE6nsNpIhC_AtsK5Boc=">
<button type="submit">SAML</button>
</form>
CVE-2022-2625
Description
Given certain prerequisites, this vulnerability allows arbitrary code to be run.
Component
postgresql14-dev package for Alpine
CVE
https://nvd.nist.gov/vuln/detail/CVE-2022-2625
Status
Non-exploitable.
Notes
This vulnerability applies to the PostgreSQL server only. The PactFlow Docker image only uses the PostgreSQL client, and hence is not affected by this vulnerability.
CVE-2022-37434
Description
A heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field.
Component
zlib package for Alpine
CVE
https://nvd.nist.gov/vuln/detail/CVE-2022-37434
Affected versions of PactFlow
All.
Status
Unfixed.
Notes
As of 24 August 2022, there is no fix available. A patch release of PactFlow will be put out as soon as a fix is available.
CVE-2021-41816
Component
The cgi library included in Ruby before 2.7.5 and 3.x before 3.0.3, and the cgi gem before 0.3.1.
CVE
https://nvd.nist.gov/vuln/detail/CVE-2021-41816
Status
False positive.
Notes
This vulnerability only affects platforms that use a 4 byte long data type, typically Windows. The PactFlow base image uses 64 bit Alpine Linux, which uses an 8 byte long.
CVE-2020-36599
Description
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.
Component
omniauth gem
Status
Non-exploitable.
Detectable in versions of PactFlow
Up to and including 1.19.2.
Fixed versions
1.19.3 and later.
Notes
PactFlow uses a custom failure endpoint so the vulnerable code is never executed.