Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14NXI1LTJxcngtcnFqOM4AA5ik

Transparent TLS may not be applied to Marbles with certain manifest configurations

Transparent TLS (TTLS) is a MarbleRun feature that wraps plain TCP connections between Marbles in TLS without changes to the application code.
In the manifest, the user defines which connections TTLS should wrap.

Impact

If a Marble is configured for TTLS but has no environment variable defined under its Parameters (the Env section is missing or empty), TTLS is not applied to that Marble's connections.
Its traffic is then sent as plain TCP and is not encrypted, even though the manifest appears to enable TTLS for it.

MarbleRun deployments that don't use TTLS (which is only available with EGo Marbles) are not affected.

Patches

The issue has been patched in MarbleRun v1.4.1.

Workarounds

Make sure that every Marble that uses TTLS has at least one environment variable defined in its Parameters, so that the Env section is never missing or empty.
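The following Go program is an added example for this advisory (it is not MarbleRun's own code and not part of the advisory text). It applies the check behind the workaround above, and the failure condition from the Impact section, to a manifest before deployment: every Marble that references a TLS tag must also define at least one environment variable under Parameters. The manifest keys used (Marbles, Parameters, Env, TLS) follow the manifest format linked in the References; the sample manifest, the Marble names and the function names are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Parameters is the subset of a Marble's Parameters section that the check
// needs. Env values are kept as raw JSON so that both plain strings and any
// other value form the manifest allows are accepted without being interpreted.
type Parameters struct {
	Env map[string]json.RawMessage `json:"Env,omitempty"`
}

// Marble is the subset of a manifest Marble entry relevant to this check:
// the TLS field lists the TTLS tags the Marble takes part in.
type Marble struct {
	Package    string     `json:"Package"`
	Parameters Parameters `json:"Parameters"`
	TLS        []string   `json:"TLS,omitempty"`
}

// Manifest holds only the Marbles section; other top-level keys are ignored.
type Manifest struct {
	Marbles map[string]Marble `json:"Marbles"`
}

// TTLSWithoutEnv parses a manifest and returns, sorted by name, the Marbles
// that reference at least one TTLS tag but define no environment variable.
// On MarbleRun < 1.4.1 these Marbles would talk plain TCP despite the
// manifest enabling TTLS for them.
func TTLSWithoutEnv(manifestJSON []byte) ([]string, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var affected []string
	for name, mb := range m.Marbles {
		// A missing Env and an empty Env object both count as "no variable".
		if len(mb.TLS) > 0 && len(mb.Parameters.Env) == 0 {
			affected = append(affected, name)
		}
	}
	sort.Strings(affected) // map iteration order is random; make output stable
	return affected, nil
}

// sampleManifest is a constructed example, not a real deployment:
//   - "frontend" uses TTLS and defines an Env variable (safe),
//   - "backend" uses TTLS but has no Env at all (affected),
//   - "worker" does not use TTLS (not affected either way).
// The Incoming side of the "internal" tag is left out for brevity.
const sampleManifest = `{
  "Marbles": {
    "frontend": {
      "Package": "app",
      "Parameters": { "Env": { "LOG_LEVEL": "info" } },
      "TLS": ["internal"]
    },
    "backend": {
      "Package": "app",
      "Parameters": { "Argv": ["./backend"] },
      "TLS": ["internal"]
    },
    "worker": {
      "Package": "app",
      "Parameters": {}
    }
  },
  "TLS": {
    "internal": {
      "Outgoing": [ { "Port": "8080", "Addr": "backend.default" } ]
    }
  }
}`

func main() {
	affected, err := TTLSWithoutEnv([]byte(sampleManifest))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, name := range affected {
		fmt.Printf("Marble %q uses TTLS but defines no Env variable: TTLS would not be applied on < 1.4.1\n", name)
	}
	if len(affected) == 0 {
		fmt.Println("all TTLS Marbles define an environment variable")
	}
}
```

Running the program reports only "backend"; adding any entry to its Parameters.Env (or upgrading to v1.4.1) clears the finding. Treating an empty Env object the same as a missing one matches the advisory's wording, which requires a variable to be defined, not merely the section to be present.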

References

For a description of TTLS, see https://docs.edgeless.systems/marblerun/features/transparent-TLS
See the updated section on TTLS configuration in the manifest: https://docs.edgeless.systems/marblerun/workflows/define-manifest#tls

Permalink: https://github.com/advisories/GHSA-x5r5-2qrx-rqj8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14NXI1LTJxcngtcnFqOM4AA5ik
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 months ago
Updated: about 2 months ago


CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-x5r5-2qrx-rqj8
References: Repository: https://github.com/edgelesssys/marblerun
Blast Radius: 5.5

Affected Packages

go:github.com/edgelesssys/marblerun
Dependent packages: 6
Dependent repositories: 4
Affected Version Ranges: < 1.4.1
Fixed in: 1.4.1
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0
All unaffected versions: 1.4.1