You are browsing unreleased documentation. See the latest documentation here.
Vulnerability Patching Process
Kong Gateway is primarily delivered as DEB, RPM & APK installable artifacts. Kong also offers Docker images with the artifacts preinstalled as a convenience to customers. At the time of release, all artifacts and images are patched, scanned and are free of publicly-known vulnerabilities.
Types of Vulnerabilities
Generally, there may be three types of vulnerabilities:
- In Kong Gateway code
- In third-party code that Kong Gateway directly links (such as OpenSSL, glibc, libxml2)
- In third-party code that is part of the convenience Docker image (such as Python, Perl, cURL, etc). This code is not part of Kong Gateway.
Vulnerabilities reported in Kong Gateway code will be assessed by Kong and if the vulnerability is validated, a CVSS3.0 score will be assigned. Based on the CVSS score, Kong will aim to produce patches for all applicable Kong Gateway versions currently under support within the SLAs below. The SLA clock starts from the day the CVSS score is assigned.
For a CVSS 3.0 Critical vulnerability (CVSS > 9.0), Kong will provide a workaround/recommendation as soon as possible. This will take the shape of a configuration change recommendation, if available. If there is no workaround/recommendation readily available, Kong will use continuous efforts to develop one. For a CVSS <9.0, Kong will use commercially-reasonable efforts to provide a workaround or patch within the applicable SLA period.
CVSS 3.0 Criticality | CVSS 3.0 Score | SLA |
---|---|---|
Critical | 9.0 - 10.0 | 15 days |
High | 7.0 - 8.9 | 30 days |
Medium | 4.0 - 6.9 | 90 days |
Low | 0.1 - 3.9 | 180 days |
Vulnerabilities reported in third party-code that Kong Gateway links directly must have confirmed CVE numbers assigned. Kong will aim to produce patches for all applicable Kong Gateway versions currently under support within the SLA reproduced in the table below. The SLA clock for these vulnerabilities starts from the day the upstream (third party) announces availability of patches.
CVSS 3.0 Criticality | CVSS 3.0 Score | SLA |
---|---|---|
Critical | 9.0 - 10.0 | 15 days |
High | 7.0 - 8.9 | 30 days |
Medium | 4.0 - 6.9 | 90 days |
Low | 0.1 - 3.9 | 180 days |
Vulnerabilities reported in third-party code that is part of the convenience Docker images are only addressed by Kong as part of the regularly scheduled release process. These vulnerabilities are not exploitable during normal Kong Gateway operations. Kong always applies all available patches when releasing a Docker image, but by definition images accrue vulnerabilities over time. All customers using containers are strongly urged to generate their own images using their secure corporate approved base images. Customers wishing to use the convenience images from Kong should always apply the latest patches for their Gateway version to receive the latest patched container images. Kong does not undertake to address third-party vulnerabilities in convenience images outside of the scheduled release mechanism.
Reporting Vulnerabilities in Kong code
If you are reporting a vulnerability in Kong code, we request you to follow the instructions in the Kong Vulnerability Disclosure Program.