Impact of OpenSSL CVE-2022-3602 on Snowplow Micro

Project:
Snowplow Micro

Vulnerability:
The OpenSSL project team announced the release of OpenSSL version 3.0.7, which was made available on Tuesday, November 1st 2022. The update is a security fix for a high-severity vulnerability in OpenSSL 3.0.x. The vulnerability is reported to affect version 3.0.x and does not impact OpenSSL 1.1.1 or LibreSSL.

Description:
Snowplow Micro is built to enable users to run automated test suites to ensure that new releases of their websites, mobile apps and server-side applications do not break the tracking set-up and Snowplow data collection.
Snowplow Micro is a very small version of a full Snowplow data collection pipeline: small enough that it can be launched by a test suite. Events can be recorded into Snowplow Micro just as they can a full Snowplow pipeline.
Snowplow Micro Docker images are based on eclipse-temurin:11 / Ubuntu, which was affected by the OpenSSL vulnerability.

Impact:
If exploited, the OpenSSL vulnerability could allow a denial of service (DoS) attack on the system or remote code execution.

Solutions:
A fix has been introduced to the underlying Eclipse-Temurin / Ubuntu version to ensure that this vulnerability is successfully patched.
Micro users can get the patched version from Docker Hub by pulling the latest image: snowplow/snowplow-micro:1.3.4

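A check for the remediation step above, as an added example that is not part of the original advisory or Snowplow's own tooling: it classifies image references against the patched tag 1.3.4 and flags untagged or `latest` references, since a locally cached copy of a mutable tag may predate the fix. The function names, status labels and sample references are constructed for illustration.

```shell
#!/bin/sh
PATCHED="1.3.4"   # patched release named in this advisory

# Print one status for an image reference:
#   patched  - Micro tag is at or above $PATCHED
#   outdated - Micro tag predates $PATCHED
#   repull   - untagged or :latest; a cached copy may predate the fix
#   unknown  - Micro image pinned by digest or non-numeric tag; check by hand
#   other    - not a snowplow/snowplow-micro image
classify_micro_image() {
    ref=$1
    name=${ref%%[:@]*}
    [ "$name" = "snowplow/snowplow-micro" ] || { echo other; return 0; }
    case "$ref" in
        *@*) echo unknown; return 0 ;;
        *:*) tag=${ref#*:} ;;
        *)   tag=latest ;;
    esac
    case "$tag" in
        latest)       echo repull;  return 0 ;;
        ""|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    # Compare dotted versions field by field, numerically (1.10.0 > 1.3.4).
    awk -v a="$tag" -v b="$PATCHED" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) { print "outdated"; exit }
            if (x[i] + 0 > y[i] + 0) { print "patched";  exit }
        }
        print "patched"
    }'
}

# Read image references on stdin, report every Micro image with its status.
scan_micro_images() {
    while IFS= read -r ref; do
        [ -n "$ref" ] || continue
        status=$(classify_micro_image "$ref")
        [ "$status" = other ] || printf '%s\t%s\n' "$status" "$ref"
    done
}

# Constructed sample input; in practice: docker ps --format '{{.Image}}'
sample_refs() {
    printf '%s\n' "snowplow/snowplow-micro:1.3.3" "snowplow/snowplow-micro:1.3.4" \
        "snowplow/snowplow-micro" "postgres:14" "snowplow/snowplow-micro:1.10.0"
}

sample_refs | scan_micro_images
```

Any line reported as outdated or repull is a candidate for pulling snowplow/snowplow-micro:1.3.4 and recreating the container.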