CVE-2021-3450 in foundationdb 6.2.30

In our app-check, foundationdb (fdbcli, fdbserver and backup_agent) is getting flagged for CVE-2021-3450. It appears this CVE is addressed in OpenSSL 1.1.1k.

Can someone let me know if foundationdb is really affected by this CVE, or whether there is an open issue to upgrade OpenSSL to 1.1.1k?

It looks like 6.2.30 was compiled against openssl-1.1.1h (foundationdb/Dockerfile at c1acf5fc16a522b0f53b27874c88e21f5d34b251 · apple/foundationdb · GitHub), so it looks like your CVE scanner was correct and an openssl upgrade is needed.

It looks like the most recent 6.3.18 release was also compiled against 1.1.1h, so it too will need an update.
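The thread settles the question from the Dockerfile, but a practitioner will usually want to confirm it against the shipped binaries themselves, since a scanner and a build file can both drift from what is actually installed. The following POSIX shell check is an added example, not code from this thread or from the FoundationDB project: it pulls the `OpenSSL x.y.zL` version string that libcrypto embeds in any binary it is statically linked into, and flags the CVE-2021-3450 range (1.1.1h, 1.1.1i and 1.1.1j, fixed in 1.1.1k). The function names, the `check_binary` wrapper and the return-code convention are this example's own.

```shell
#!/bin/sh
# Added example (not from the forum thread or the FoundationDB project):
# find the OpenSSL version string compiled into a binary and flag the
# versions affected by CVE-2021-3450 (1.1.1h-1.1.1j; fixed in 1.1.1k).

# Print the first "x.y.zL" OpenSSL version found in the file, or nothing.
# grep -a treats the binary as text; -o prints only the matched string.
openssl_version_in() {
    grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]?' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^OpenSSL //'
}

# Return 0 (true) when the version is in the CVE-2021-3450 affected range.
# The flaw was introduced in 1.1.1h and fixed in 1.1.1k, so only the three
# intermediate letter releases are listed (assumption: no backported fix).
is_cve_2021_3450_affected() {
    case "$1" in
        1.1.1h|1.1.1i|1.1.1j) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on one binary. Exit status: 0 affected, 1 not affected,
# 2 no version string found (probably dynamically linked; inspect
# the libssl/libcrypto that ldd resolves instead).
check_binary() {
    ver=$(openssl_version_in "$1")
    if [ -z "$ver" ]; then
        echo "$1: no embedded OpenSSL version string (check ldd output)"
        return 2
    fi
    if is_cve_2021_3450_affected "$ver"; then
        echo "$1: OpenSSL $ver, affected by CVE-2021-3450, needs 1.1.1k or later"
        return 0
    fi
    echo "$1: OpenSSL $ver, not in the CVE-2021-3450 range"
    return 1
}

# Usage: sh check_openssl.sh /usr/sbin/fdbserver /usr/bin/fdbcli ...
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        check_binary "$f" || true
    done
fi
```

Two caveats when reading the result. If the binary is dynamically linked, the version string lives in the shared libssl/libcrypto rather than in fdbserver itself, so run the same check against the library `ldd` resolves. And a version match is what the scanner keys on; whether the vulnerable path is reachable depends on the application setting `X509_V_FLAG_X509_STRICT` without overriding the certificate purpose, which the version string alone cannot tell you.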

Thanks, @alexmiller for the confirmation.

I could not find any open issue on GitHub to upgrade OpenSSL, so I opened "Upgrade openssl to 1.1.1k for CVE-2021-3450" (Issue #5386 · apple/foundationdb · GitHub).