Vulnerability Patching Process
Kong Mesh is primarily delivered as binary file artifacts. Kong also offers Docker images with the artifacts preinstalled as a convenience to customers. At the time of release, all artifacts and images are patched, scanned, and are free of publicly-known vulnerabilities.
Types of vulnerabilities
Generally, there may be three types of vulnerabilities:
- In Kong Mesh code.
- In third-party code that Kong Mesh directly links (such as Envoy, CoreDNS, OPA, and so on).
- In third-party code that is part of the convenience Docker image (such as Python, Perl, cURL, and so on). This code is not part of Kong Mesh.
Vulnerabilities reported in Kong Mesh code will be assessed by Kong. If the vulnerability is validated, a CVSS3.0 score will be assigned. Based on the CVSS score, Kong will aim to produce patches for all applicable Kong Mesh versions currently under support within the SLAs below. The SLA clock starts from the day the CVSS score is assigned.
For a CVSS 3.0 Critical vulnerability (CVSS > 9.0), Kong will provide a workaround or recommendation as soon as possible. This will take the shape of a configuration change recommendation, if available. If there is no workaround or recommendation readily available, Kong will use continuous efforts to develop one.
For a CVSS < 9.0, Kong will use commercially-reasonable efforts to provide a workaround or patch within the applicable SLA period.
CVSS 3.0 Criticality | CVSS 3.0 Score | SLA |
---|---|---|
Critical | 9.0 - 10.0 | 15 days |
High | 7.0 - 8.9 | 30 days |
Medium | 4.0 - 6.9 | 90 days |
Low | 0.1 - 3.9 | 180 days |
Vulnerabilities reported in third-party code that Kong Mesh links directly must have confirmed CVE numbers assigned. Kong will aim to produce patches for all applicable Kong Mesh versions currently under support within the SLA reproduced in the table below. The SLA clock for these vulnerabilities starts from the day the upstream (third party) announces availability of patches.
CVSS 3.0 Criticality | CVSS 3.0 Score | SLA |
---|---|---|
Critical | 9.0 - 10.0 | 15 days |
High | 7.0 - 8.9 | 30 days |
Medium | 4.0 - 6.9 | 90 days |
Low | 0.1 - 3.9 | 180 days |
Vulnerabilities reported in third-party code that is part of the convenience Docker images are only addressed by Kong as part of the regularly scheduled release process. These vulnerabilities are not exploitable during normal Kong Mesh operations. Kong always applies all available patches when releasing a Docker image, but by definition images accrue vulnerabilities over time. All customers using containers are strongly urged to generate their own images using their secure corporate-approved base images. Customers wishing to use the convenience images from Kong should always apply the latest patches for their Gateway version to receive the latest patched container images. Kong does not undertake to address third-party vulnerabilities in convenience images outside of the scheduled release mechanism.
Reporting vulnerabilities in Kong code
If you are reporting a vulnerability in Kong code, we request you to follow the instructions in the Kong Vulnerability Disclosure Program.