
[CVE] (possible?) RCE because of acme.sh - update from 2.9.0 to latest version #1035

Closed
Luka5W opened this issue Jun 10, 2023 · 0 comments · Fixed by #1087
Comments

@Luka5W

Luka5W commented Jun 10, 2023

Bug description

This image/project is based on acmesh-official/acme.sh, which had a CVE with possible RCE 2 days ago, already exploited by the (former) Chinese CA 'HiCA' (the issue is very entertaining to read btw 😏).

To be sure I've executed:

$ docker exec $container-name cat /app/acme.sh | grep "VER="
VER=2.9.0

I have not tested if a RCE is possible though.

Solution:

  1. Check if acme.sh can be updated to the latest version (hotfix, v3.0.6)
    • Shouldn't cause problems. Only v3.0.0 looks like a bigger change, but verify by yourself.
  2. Replace version in the Dockerfile#L6 to download the newer script

That should be all, but I don't know since I'm not involved in this project.

acme-companion image version

Info: running acme-companion version v2.2.8

nginx-proxy's Docker configuration, rendered nginx configuration, Containers logs, Docker host

N/A
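The version check the reporter ran by hand (grep the VER= line, read the number) can be scripted so that it gives a pass/fail answer against a minimum version. The script below is an added example, not code from this issue, from acme-companion or from acme.sh: it parses the VER= line of an acme.sh file and compares dotted numeric versions in plain POSIX sh (no dependence on sort -V). The minimum 3.0.6 is the hotfix version named above; the helper names (acme_version, version_ge, check_acme_file) and the constructed stand-in for /app/acme.sh are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the issue or the acme-companion project.
# Checks whether an acme.sh script is older than a minimum version by parsing
# its VER= line (the same line the reporter grepped) and comparing dotted
# numeric versions in POSIX sh, without relying on `sort -V`.
# MIN_VER is the hotfix version named in the issue; the helper names and the
# constructed sample file are assumptions for illustration.

MIN_VER="3.0.6"

# Print the version from the first VER= line of file $1 (surrounding quotes stripped).
acme_version() {
    sed -n 's/^VER="\{0,1\}\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if dotted version $1 >= $2, 1 otherwise. Missing components count
# as 0, so 3.0 < 3.0.6 and 3.1 > 3.0.6. Components are assumed to be numeric.
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"
        bc="${b%%.*}"
        [ "${ac:-0}" -gt "${bc:-0}" ] && return 0
        [ "${ac:-0}" -lt "${bc:-0}" ] && return 1
        # drop the component just compared
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Return 0 if file $1 carries VER >= MIN_VER, 1 if it is older,
# 2 if no VER= line could be found (treat as "unknown, inspect manually").
check_acme_file() {
    ver=$(acme_version "$1")
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$MIN_VER"
}

# Demo on a constructed stand-in for /app/acme.sh (not a real acme.sh file);
# the version line mirrors the one the reporter found in the v2.2.8 image.
sample=$(mktemp)
printf '#!/usr/bin/env sh\nPROJECT_NAME="acme.sh"\nVER=2.9.0\n' > "$sample"
check_acme_file "$sample" && status=0 || status=$?
case $status in
    0) echo "acme.sh $(acme_version "$sample") is >= $MIN_VER: ok" ;;
    1) echo "acme.sh $(acme_version "$sample") is older than $MIN_VER: update" ;;
    2) echo "no VER= line found in $sample: check manually" ;;
esac
rm -f "$sample"
```

To run it against a live container, replace the constructed sample with the file pulled from the image, for example by piping `docker exec <container> cat /app/acme.sh` into a temporary file and passing that path to check_acme_file. The exit code 2 branch matters in practice: a file with no VER= line is not proof of an old version, only proof that the check did not work, so it should be reported rather than silently treated as a pass.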

burned42 added a commit to burned42/acme-companion that referenced this issue Jun 20, 2023
requires not removing the path from the acme url anymore as in version
3.0.0 acme.sh removed the special handling of the 'directory' path in
the url and just keeps the path as is, so acme-companion needs to do
the same

see acmesh-official/acme.sh@593e8e1

Fixes nginx-proxy#1035