Reporting a vulnerability
We are very grateful to the security researchers and users that report security vulnerabilities. We investigate each report thoroughly.
To make a report, send an email to the private email@example.com mailing list with the vulnerability details. For normal product bugs unrelated to latent security vulnerabilities, please head to the appropriate repository and submit a new issue.
Note that the Layer5 community spans four GitHub organizations:
- Layer5: emerging projects like GetNighthawk, community with MeshMates, and a catch-all org.
- Meshery: Meshery and its components Meshery Operator and MeshSync.
- Service Mesh Performance: the Service Mesh Performance specification and site.
- Service Mesh Patterns: a collection of curated patterns of service mesh use cases compatible with Meshery.
You can find the list of all the Layer5 project repositories here.
When to report a security vulnerability?
Send us a report whenever you:
- Think Layer5 projects have a potential security vulnerability.
- Are unsure whether or how a vulnerability affects the project.
- Think a vulnerability is present in another project that Layer5 projects depend on (Docker, for example).
When not to report a security vulnerability?
Don’t send a vulnerability report if:
- You need help tuning Layer5 project components for security.
- You need help applying security related updates.
- Your issue is not security related.
Instead, join the community Slack and ask questions.
The Layer5 team acknowledges and analyzes each vulnerability report within 10 working days.
Any vulnerability information you share with the Layer5 team stays within the respective Layer5 project. We don’t disseminate the information to other projects. We only share the information as needed to fix the issue.
We keep the reporter updated as the status of the security issue is addressed.
Fixing the issue
Once a security vulnerability has been fully characterized, a fix is developed by the Layer5 team. The development and testing for the fix happens in a private GitHub repository in order to prevent premature disclosure of the vulnerability.
The Layer5 project maintains a mailing list for private early disclosure of security vulnerabilities. The list is used to provide actionable information to close Layer5 partners. The list is not intended for individuals to find out about security issues.
On the day chosen for public disclosure, a sequence of activities takes place as quickly as possible:
- Changes are merged from the private GitHub repository holding the fix into the appropriate set of public branches.
- The Layer5 team ensures all necessary binaries are promptly built and published.
- Once the binaries are available, an announcement is sent out on the following channels:
  - The Layer5 blog
  - The Layer5 Twitter feed
  - The #announcements channel on community Slack
As much as possible, this announcement will be actionable and include any mitigating steps customers can take prior to upgrading to a fixed version.
List of Announced Vulnerabilities:
| DATE ANNOUNCED | CVE ID | DESCRIPTION | AFFECTED COMPONENT | VULNERABLE VERSION | PATCHED VERSION | FIX DETAILS | LINKS |
|---|---|---|---|---|---|---|---|
| 2021-04-28 | CVE-2021-31856 | A SQL injection vulnerability in the REST API of Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go). | REST API | v0.5.2 | v0.5.3 | fix pull | mitre, details |
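The announced vulnerability above is the classic case of a user-controlled sort parameter reaching an ORDER BY clause. Column and direction names cannot be bound as SQL placeholders, so the usual defense is to validate the parameter against a fixed allowlist and assemble the clause only from those fixed tokens. The following is an added example written for this page, not code from Meshery or its fix; the table name `patterns`, the column allowlist and the `OrderClauseSafe` function are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// allowedOrderColumns is a hypothetical allowlist of the columns a caller may
// sort by. Anything not in this map is rejected before it reaches SQL text.
var allowedOrderColumns = map[string]bool{
	"id":         true,
	"name":       true,
	"created_at": true,
	"updated_at": true,
}

// OrderClauseSafe turns a user-supplied "order" query parameter of the form
// "<column> [asc|desc]" into a query whose ORDER BY is built purely from
// allowlisted tokens. The anti-pattern it replaces is string concatenation:
//     "SELECT ... ORDER BY " + order
// which lets any value the client sends run as SQL.
func OrderClauseSafe(order string) (string, error) {
	fields := strings.Fields(strings.TrimSpace(order))
	if len(fields) == 0 || len(fields) > 2 {
		return "", errors.New("order: expected '<column> [asc|desc]'")
	}

	col := strings.ToLower(fields[0])
	if !allowedOrderColumns[col] {
		// Report the rejection without echoing the value back into SQL.
		return "", fmt.Errorf("order: column %q is not sortable", fields[0])
	}

	dir := "ASC"
	if len(fields) == 2 {
		switch strings.ToLower(fields[1]) {
		case "asc":
			dir = "ASC"
		case "desc":
			dir = "DESC"
		default:
			return "", fmt.Errorf("order: bad direction %q", fields[1])
		}
	}

	// col and dir are now known-good constants from our own tables, so
	// concatenating them is safe; row filters (WHERE ...) should still use
	// driver placeholders rather than this technique.
	return "SELECT id, name FROM patterns ORDER BY " + col + " " + dir, nil
}

func main() {
	// Constructed sample inputs: two valid sorts, two that must be rejected.
	inputs := []string{
		"name desc",
		"updated_at",
		"name; DROP TABLE patterns",
		"id asc extra",
	}
	for _, in := range inputs {
		q, err := OrderClauseSafe(in)
		if err != nil {
			fmt.Printf("%-30q rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-30q -> %s\n", in, q)
	}
}
```

The important design choice is that the request value never becomes part of the SQL string; it is only used as a lookup key, and the emitted tokens come from the server's own allowlist. Rejecting anything with more than two whitespace-separated fields also stops chained statements and comment tricks without needing a blocklist of dangerous characters.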