CHT Core not vulnerable to xz Backdoor

CHT Core Not Vulnerable

On 29 March 2024 an engineer at Microsoft discovered a powerful backdoor in the 5.6.0 and 5.6.1 releases of the xz utility. The most important thing to know is that no version of CHT Core is vulnerable to this backdoor despite it having the worst possible vulnerability score of 10. For more background, Ars Technica has a good overview and Gynvael Coldwind’s blog offers a deep, technical analysis.

The second most important thing to know is that the best defense against future vulnerabilities is to keep your systems up to date. Read on below for some specifics, but staying up to date is the best defense any deployment has for protecting systems that hold PII and PHI, like the CHT Core.

This forum post will walk through how we did the analysis to determine that CHT Core isn’t vulnerable and how we protect against future vulnerabilities from upstream software we use (aka “supply chain attacks”).

Attack Vector

The way a vulnerability can be taken advantage of is known as the “attack vector”. In the case of the xz vulnerability, this is via OpenSSH’s dynamic loading of the xz library. In turn, CHT Core’s attack vector would be its use of a Docker image that bundled a vulnerable upstream release of xz.

By default, SSH is not exposed when following our setup instructions for deploying CHT Core with either Docker Compose or k3s. However, assuming a deployment did expose SSH on a Docker service directly to the internet, is it still safe? Yes, it is! CHT Core is safe because it mostly uses Alpine Linux to build its Docker images and Alpine did not ship any release with this vulnerability. Further, Ubuntu is the Medic recommended operating system to use on bare-metal or VMs to host Docker. This is where SSH traditionally would be used in a CHT Core deployment, but we verified Ubuntu was also not affected.

Let’s dive one more layer deeper to be super duper sure we’re not vulnerable. We can look at the upstream images for all 7 services in the CHT Core:
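The kind of per-image check described above can be scripted. The following is an added example, not a script from the CHT Core project: it runs `xz --version` inside each Docker image named on the command line (and, with `check_host`, on the machine hosting Docker) and reports whether the xz release found is one of the two backdoored versions named in this post. The image names, the `check-xz.sh` filename and the sample `xz --version` output are assumptions for illustration; which images a deployment actually uses comes from its own compose file or k3s manifests.

```shell
#!/bin/sh
# Added example (not CHT Core project code): report whether the xz shipped in
# a Docker image or on the local host is one of the backdoored releases.

# The two releases this post identifies as carrying the backdoor.
BACKDOORED_XZ="5.6.0 5.6.1"

# is_backdoored_xz VERSION -> exit 0 if VERSION is a backdoored release.
is_backdoored_xz() {
    for v in $BACKDOORED_XZ; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# xz_version_from_output: read `xz --version` output on stdin and print the
# version number. The first line looks like "xz (XZ Utils) 5.4.5".
xz_version_from_output() {
    sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# classify_xz_output: read `xz --version` output on stdin and print one of
# "backdoored", "clean" (not 5.6.0/5.6.1) or "unknown" (xz absent/unparsable).
classify_xz_output() {
    ver=$(xz_version_from_output)
    if [ -z "$ver" ]; then
        echo unknown
    elif is_backdoored_xz "$ver"; then
        echo backdoored
    else
        echo clean
    fi
}

# check_image IMAGE: run `xz --version` inside IMAGE with no network and a
# read-only filesystem, then classify the result. Requires Docker.
check_image() {
    out=$(docker run --rm --network none --read-only --entrypoint xz "$1" --version 2>/dev/null || true)
    printf '%s\t%s\n' "$1" "$(printf '%s\n' "$out" | classify_xz_output)"
}

# check_host: same check for the xz installed on the Docker host itself
# (e.g. the Ubuntu VM a deployment runs on).
check_host() {
    out=$(xz --version 2>/dev/null || true)
    printf '%s\t%s\n' "host" "$(printf '%s\n' "$out" | classify_xz_output)"
}

# Docker is only touched when image names are passed on the command line:
#   sh check-xz.sh alpine:3.19 ubuntu:22.04     (assumed invocation)
for img in "$@"; do
    check_image "$img"
done
```

A result of `unknown` means the image has no `xz` binary on its PATH, not that it is safe: the library liblzma can be present without the command-line tool, so an `unknown` image is worth inspecting with the image's package manager (`apk info liblzma` or `dpkg -l liblzma5`, depending on the base distribution). `clean` only means the version is not 5.6.0 or 5.6.1; it says nothing about other xz issues.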

How we defend against supply chain attacks

Since the release of CHT Core 4.0.0, CHT Core is no longer tied to a monolithic Docker image, known as Medic OS. Instead, each CHT Core release can easily update the 7 component Docker images as well as the software built into each image. For example, in the CHT Core 4.4.0 release, nginx was updated to the latest version. More recently, in 4.6.0, released less than a month ago, API’s Node.js version was updated to the most current long term release version at the time of release, 20.11.

In addition to updating our upstream Docker images, we have baked into our release process a way to update the Node.js libraries that CHT Core is dependent on. Earlier, we would do a manual dependency upgrade, but more recently we have moved to more regular, semi-automated updates to get the latest supply chain patches.

Required Actions for Production Deployments

Production deployments running Ubuntu are safe from this vulnerability and do not need to take any action. If you’re not running Ubuntu, you can double check your OS by checking JFrog’s page of affected operating systems.

Going forward, the best way to keep your project and data safe from future vulnerabilities is to stay current with CHT Core releases. This way, should there be any security concerns, it will be easy to upgrade to the latest version if you are already current!