Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

The following is a list of known EdgeX security issues and vulnerabilities – and any associated Common Vulnerabilities and Exposures (CVE) reports to accompany the issue. CVE is a program for identifying, cataloging and addressing software and firmware vulnerabilities (see https://cve.mitre.org/).  Nationally, the federal government runs the CVE program to help build a free, standardized list or dictionary of security vulnerabilities for organizations to use to improve their software’s exposure and posture to security threats.

EdgeX grades security issues on the CVSS(Common Vulnerability Scoring System) scale.  The four levels are critical, high, medium and low level issues.

ComponentDescriptionSeverityIssue LinkAffected ReleasesFix TimelineResolution/Mitigation 
Database - MongoDBMongoDB is one of the data persistence solutions useable in EdgeX. The MongoDB 3.4.9 container base image  has known vulnerabilities stemming from its underlying base Linux image and some from MongoDB source itself..Mediumhttps://www.cvedetails.com/vulnerability-list/vendor_id-12752/product_id-25450/version_id-229891/Mongodb-Mongodb-3.4.9.html

Delhi

Edinburgh

Fuji

Pulling 4.0-xenial MongoDB package, which starts with a Debian base image that does not include a host of insecurities spanning Perl, OpenSSL etc, and some MongoDB specific fixes.

https://github.com/edgexfoundry/docker-edgex-mongo/commit/2c86e5e4359367177dc339556604c3af6fb9ee2a

Database - MongoDB

access credentials in the clear

MongoDB is one of the data persistence solutions useable in EdgeX. The access credentials (username and password) are obtained from configuration service (aka Consul) or from the local file system. Either route, the credentials are in the clear.





















































  • No labels