I use Traefik 2.x as the Ingress Controller for my production K8s cluster. Therefore, I'd like to know if it's vulnerable to CVE-2023-44487 or not.

Thanks for your reply 🙂


Can we also have a comment on Traefik 1.7 regarding CVE-2023-44487


Hello @trinhpham, @blanebramble,

Thanks for reaching out.

We are currently working on a fix for Traefik v2.10, we'll keep you updated about it once the new version is available.

As Traefik v1 is not maintained anymore, we haven't planned to bring the fix to Traefik v1.7.
You can find the list of the supported versions in the documentation.


Hello @nicomengin,

Thanks for keeping us updated.

Since this vulnerability has had a far-reaching impact all around (Cloudflare, Google and AWS were affected) and the fix for Traefik is still to be released, could you provide some guidance in the meanwhile on how to work around/mitigate this vulnerability?

Hi @trinhpham, @blanebramble and @js285,

New versions of Traefik v2.10 and v3-beta are available on GitHub.


Hi svx,

Neither the v2.10.5 nor the v3 beta4 release notes mention a fix for the CVE. Can you please confirm that the fix was included in v2.10.5 (released yesterday)? A pointer to the commit addressing this would be super helpful.

Thanks,
jokke

The fix is included in the 2 versions (v2.10.5 and v3.0.0-beta4).


Thanks all for swift response and fix for this vulnerability. Amazing work.


Hello @jokke,

Thanks for reaching out, we have updated both changelogs to add this information.
Moreover, we have published a topic summarizing the actions done to fix the CVEs.

I was unable to pinpoint the actual fix in the changeset so I could try to port it to Traefik 1.x. Is it included in the Go libraries, so we'd only need to rebuild 1.x, or is there some actual handling somewhere in the code?

Hi @Jancis, thanks for your interest in Traefik!

You can find the PR with the related changes on GitHub.

As a reminder, Traefik v1 is EOL, you can find more information about supported versions on the release overview page.

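The question above (whether the fix lives in the Go libraries, so that a rebuild is all that is needed) points at a check anyone maintaining a self-built Traefik or other Go binary can run themselves. Go's own advisory for HTTP/2 Rapid Reset (tracked on the Go side as CVE-2023-39325) shipped the fix in Go 1.21.3 and 1.20.10 and in golang.org/x/net v0.17.0, so a binary built against older versions of both is exposed regardless of what the application code does. The script below is an added example, not code from this thread or from the Traefik project: it parses the output of `go version -m <binary>` (which prints the toolchain and module versions recorded in a Go binary's build info) and reports whether both the toolchain and golang.org/x/net are at or past the fixed releases. It assumes, as a simplification, that both components must be current, since the standard library's bundled HTTP/2 server and the x/net/http2 package were fixed separately. The sample build-info text embedded at the bottom is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the Traefik thread or the Traefik project).
# Compares the Go toolchain and golang.org/x/net versions recorded in a Go
# binary's build info with the releases that carry the HTTP/2 Rapid Reset fix:
# Go 1.21.3 / 1.20.10 and golang.org/x/net v0.17.0.
# Usage on a real binary:  go version -m /path/to/traefik | check_rapid_reset_fix
# Exit status: 0 = both fixed, 1 = at least one component is too old,
#              2 = build info or x/net not recorded (not a module build, etc.)

# version_ge A B -> true if dotted version A >= B (numeric, first three parts;
# a leading "go" or "v" is ignored, so "go1.21.3" and "v0.17.0" both work)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^(go|v)/, "", a); sub(/^(go|v)/, "", b)
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# go_fixed VERSION -> true if the toolchain release includes the fix
# (1.20.10 or later on the 1.20 branch, 1.21.3 or later otherwise)
go_fixed() {
    case "$1" in
        go1.20.*|1.20.*) version_ge "$1" 1.20.10 ;;
        *)               version_ge "$1" 1.21.3 ;;
    esac
}

# check_rapid_reset_fix: reads `go version -m` output on stdin, prints a verdict
check_rapid_reset_fix() {
    go_ver=""; net_ver=""
    while IFS= read -r line; do
        case "$line" in
            *": go"[0-9]*) go_ver="${line##*: }" ;;   # "<path>: go1.21.3"
        esac
        set -- $line                                  # "dep <module> <version> <hash>"
        if [ "${1:-}" = "dep" ] && [ "${2:-}" = "golang.org/x/net" ]; then
            net_ver="${3:-}"
        fi
    done
    if [ -z "$go_ver" ]; then
        echo "unknown: no Go build info found"; return 2
    fi
    if [ -z "$net_ver" ]; then
        echo "unknown: golang.org/x/net not recorded (toolchain $go_ver)"; return 2
    fi
    if go_fixed "$go_ver" && version_ge "$net_ver" v0.17.0; then
        echo "fixed: $go_ver, golang.org/x/net $net_ver"; return 0
    fi
    echo "vulnerable: $go_ver, golang.org/x/net $net_ver"; return 1
}

# Constructed sample `go version -m` output (not real build info), one binary
# built with patched versions and one built before the fix.
SAMPLE_FIXED='/usr/local/bin/traefik: go1.21.3
	path	github.com/traefik/traefik/v2/cmd/traefik
	mod	github.com/traefik/traefik/v2	(devel)
	dep	golang.org/x/net	v0.17.0	h1:constructed='
SAMPLE_VULN='/usr/local/bin/traefik: go1.21.1
	path	github.com/traefik/traefik/v2/cmd/traefik
	mod	github.com/traefik/traefik/v2	(devel)
	dep	golang.org/x/net	v0.15.0	h1:constructed='

printf '%s\n' "$SAMPLE_FIXED" | check_rapid_reset_fix
printf '%s\n' "$SAMPLE_VULN"  | check_rapid_reset_fix || true
```

A binary that passes this check can still be exposed if it links a vendored or replaced copy of the HTTP/2 code, so treat the result as a first screen, not as proof; `govulncheck -mode binary` on the same file is the more thorough follow-up.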
