Summary
HashiCorp has been taking ongoing action to respond to CVE-2023-24540. While these Go CVEs are unlikely to be exploitable in the TFE context, the TFE team has validated support for newer releases of Docker Engine on v202303 and later, and has updated the documentation to reflect this change.
For context, refer to the full security bulletin here.
Until June 2023, Docker Engine 20.10 was the newest release officially supported by Terraform Enterprise (TFE). That version is no longer supported by Docker, and it was built with a version of Go that has since had a number of CVEs disclosed against it.
To reduce security risk and stay current with TFE development, users should consider running TFE v202303-1 or newer with Docker Engine 24.0.
Remediation and Prevention
TFE users should evaluate the risk associated with this issue. To reduce security risk and stay current with TFE development, they should consider running TFE v202303-1 or newer with Docker Engine 24.0.
- Amazon Linux users: the Replicated installation script does not support pinning a Docker version on Amazon Linux. You will need to preinstall Docker at a version supported by your TFE version (e.g. 20.10.23) and use the no-docker flag when running the installation script: ./install.sh no-docker
- Users who install TFE v202306-1 or earlier through Auto Scaling Groups will need to modify the launch template to install Docker Engine 24.0 outside of Replicated.
- Users who choose to continue using an older version of TFE with Docker Engine 20.10 will need to install Docker Engine manually before running the TFE installer (install.sh), or override the Docker version using the installer's docker-version flag.
Options Overview
- Do Nothing
  - If you are on TFE v202303-1 or newer and already using Docker Engine 24.0, no work is needed.
  - If you choose not to remediate the issue, do not plan on installing a version of TFE older than v202303-1, and are not using a process that automatically re-installs older versions (such as an Auto Scaling Group), no action is needed. This is not a recommended approach.
- Upgrade Docker
  - If you are already on TFE v202303-1 or newer but not yet using Docker Engine 24.0, follow the steps here for your OS to upgrade Docker.
- Upgrade TFE and Docker
- Pin your Docker version
  - If you are installing a new instance of TFE older than v202303-1, you will need to use the installer's docker-version flag: ./install.sh docker-version=20.10.8
  - If you are on a version of TFE older than v202303-1, do not wish to update Docker, but regularly reinstall TFE, you will also need to use the docker-version flag: ./install.sh docker-version=20.10.8
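A pre-flight check that maps a host to one of the options above, added here as an example; it is not part of HashiCorp's or Replicated's tooling. It takes the target TFE release, the installed Docker Engine version and the OS ID from /etc/os-release, then prints which option applies and the install.sh invocation to use. The thresholds (TFE v202303-1, Docker Engine 24.0, the 20.10.8 pin, no-docker on Amazon Linux) are the ones stated on this page; the function names and the use of docker version --format '{{.Server.Version}}' to read the engine version are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not HashiCorp's or Replicated's code. Maps a TFE host to one
# of the remediation options above. Thresholds come from the advisory text;
# the function names and host probes are assumptions made for this example.

# version_ge A B: true when dotted version A >= B, compared field by field as
# integers (24.0.7 >= 24.0, 20.10.23 < 24.0). Non-numeric suffixes such as
# "-ce" are ignored. Pure POSIX sh; no dependency on GNU sort -V.
version_ge() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# tfe_release_number vYYYYMM-N: the numeric YYYYMM part (v202303-1 -> 202303)
tfe_release_number() {
  printf '%s\n' "$1" | sed -e 's/^v//' -e 's/-.*$//'
}

# tfe_docker_action TFE DOCKER: which option from the list above applies.
#   none            TFE v202303-1 or newer and Docker Engine 24.0 or newer
#   upgrade-docker  TFE v202303-1 or newer but Docker Engine older than 24.0
#                   (or Docker not installed at all)
#   pin-docker      TFE older than v202303-1: keep Docker 20.10 via the pin
tfe_docker_action() {
  if [ "$(tfe_release_number "$1")" -ge 202303 ]; then
    if version_ge "$2" "24.0"; then echo none; else echo upgrade-docker; fi
  else
    echo pin-docker
  fi
}

# installer_command TFE DOCKER OS_ID: the install.sh invocation to use.
# Amazon Linux cannot pin through the installer, so it always gets no-docker
# (Docker must be preinstalled at a version supported by that TFE release).
installer_command() {
  if [ "$3" = "amzn" ]; then
    echo "./install.sh no-docker"
  elif [ "$(tfe_docker_action "$1" "$2")" = "pin-docker" ]; then
    echo "./install.sh docker-version=20.10.8"
  else
    echo "./install.sh"
  fi
}

# Host probes: installed Docker Engine version (empty when docker is absent)
# and the ID field of /etc/os-release (empty when the file is missing).
installed_docker_version() {
  docker version --format '{{.Server.Version}}' 2>/dev/null || true
}
host_os_id() {
  sed -n 's/^ID=//p' /etc/os-release 2>/dev/null | tr -d '"'
}

# Usage on a TFE host:       sh tfe-docker-check.sh v202303-1
# Override the host probes:  sh tfe-docker-check.sh v202212-1 20.10.23 amzn
if [ "$#" -ge 1 ]; then
  tfe="$1"; docker="${2:-$(installed_docker_version)}"; os="${3:-$(host_os_id)}"
  echo "TFE $tfe, Docker Engine ${docker:-<not installed>}, OS ${os:-unknown}"
  echo "action: $(tfe_docker_action "$tfe" "$docker")"
  echo "run:    $(installer_command "$tfe" "$docker" "$os")"
fi
```

Run it on the host before invoking install.sh; passing the Docker version and OS ID explicitly lets you check the combination an Auto Scaling Group launch template will produce without logging into an instance.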
Please submit a ticket via the webform for any questions regarding upgrades.
Please contact security-notifications@hashicorp.com for questions regarding the HCSEC-2023-19 - CVE