packeto buildpacks vulnerable to CVE-2024-45337 (Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass) in golang.org/x/crypto

[candrews]

Multiple paketo buildpacks report a vulnerability to CVE-2024-45337 due to including golang.org/x/crypto < 0.31.0.

I confirmed this vulnerability in:

• docker.io/paketobuildpacks/builder-jammy-buildpackless-tiny
• docker.io/paketobuildpacks/run-jammy-tiny
• gcr.io/paketo-buildpacks/bellsoft-liberica
• gcr.io/paketo-buildpacks/executable-jar
• gcr.io/paketo-buildpacks/spring-boot

1. Is this vulnerability exploitable for Paketo Buildpacks? I don't believe it's exploitable, but a statement/assessment from Paketo would be helpful.
2. When will the buildpacks to be updated to go 1.22.7 (or later) eliminating this vulnerability?

Trivy can be used to see this vulnerability being reported:

$ docker run -it aquasec/trivy:0.58.0 image gcr.io/paketo-buildpacks/spring-boot:5.31.2@sha256:bf8bb241b78825b01178233c75943c5db5a6bfcd9822413b87030edcc81c6dd9
2024-12-12T14:17:02Z	INFO	[vulndb] Need to update DB
2024-12-12T14:17:02Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T14:17:02Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
57.40 MiB / 57.40 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 9.75 MiB p/s 6.1s
2024-12-12T14:17:10Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-12-12T14:17:10Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-12T14:17:10Z	INFO	[secret] Secret scanning is enabled
2024-12-12T14:17:10Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T14:17:10Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T14:17:12Z	INFO	Number of language-specific files	num=2
2024-12-12T14:17:12Z	INFO	[gobinary] Detecting vulnerabilities...

cnb/buildpacks/paketo-buildpacks_spring-boot/5.31.2/bin/main (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                    Title                    │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ HIGH     │ fixed  │ v0.27.0           │ 0.31.0        │ Applications and libraries which misuse the │
│                     │                │          │        │                   │               │ ServerConfig.PublicKeyCall ...              │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45337  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────┘

[dmikusa]

As is typical, I believe this is a false positive. See my comment here for background: paketo-buildpacks/bellsoft-liberica#760