Image contains vulnerable OpenSSL (CVE-2022-0778)

[sardobi]

Heya,

First time engaging with the Consul community, apologies if this isn't the right place to raise this. (I don't think this is a matter of responsible disclosure since it relates to a known & already disclosed vulnerability in one of Consul's dependencies.)

Our vulnerability scans are picking up CVE-2022-0778 being present in the Consul docker image (an OpenSSL vulnerability allowing crafted certs to create infinite validation loops).

It looks like Consul's container image is based on Alpine 3.13.7 and now 3.13.8 is available with a fixed version of OpenSSL. The fix is being rolled out pretty quickly.

Is there a plan to patch release the docker image with the fix? (I'd raise a PR but I think it literally may just be building again on the new Alpine patch.)

[Amier3]

Hey @sardobi

We're tracking this vulnerability internally and plan to release a fix in the near future. I'll keep this issue open and updated as this goes along 👍 .

In the future, both this repo and the main consul repo works for reporting these kind of reports. Thank you for for making this issue and welcome to the Consul community!