Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Critical OS vulnerabilites in Docker image #110

Open
elchenberg opened this issue May 25, 2022 · 0 comments
Open

Critical OS vulnerabilites in Docker image #110

elchenberg opened this issue May 25, 2022 · 0 comments

Comments

@elchenberg
Copy link

Trivy detects 11 critical vulnerabilities in the operating system (packages) of the Docker image.

I do not know if there is a way to exploit them. For my peace of mind, I would like to get rid of them anyway. Please tell me if I should open a pull request.

Summary

With the following changes the number of OS-related critical vulnerabilities can be reduced from 11 to 1:

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 60c2f3a..029811e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,9 +1,10 @@
-FROM openjdk:11-jre-slim-buster
+FROM openjdk:11-jre-slim-bullseye
 
 ARG EXPORTER_VERSION=2.3.8
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
                netcat \
+  && apt-get upgrade -y \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*

Caveat: I have not tested the resulting image.

Details

trivy image --severity=CRITICAL --vuln-type=os criteord/cassandra_exporter:2.3.8
criteord/cassandra_exporter:2.3.8 (debian 10.11)

Total: 11 (CRITICAL: 11)

┌───────────┬────────────────┬──────────┬───────────────────┬──────────────────┬──────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Installed Version │  Fixed Version   │                            Title                             │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin  │ CVE-2021-33574 │ CRITICAL │ 2.28-10           │                  │ glibc: mq_notify does not handle separately allocated thread │
│           │                │          │                   │                  │ attributes                                                   │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin  │ CVE-2021-35942 │ CRITICAL │ 2.28-10           │                  │ glibc: Arbitrary read in wordexp()                           │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin  │ CVE-2022-23218 │ CRITICAL │ 2.28-10           │                  │ glibc: Stack-based buffer overflow in svcunix_create via     │
│           │                │          │                   │                  │ long pathnames                                               │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│           ├────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-23219 │          │                   │                  │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│           │                │          │                   │                  │ a long pathname                                              │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
├───────────┼────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2021-33574 │          │                   │                  │ glibc: mq_notify does not handle separately allocated thread │
│           │                │          │                   │                  │ attributes                                                   │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2021-35942 │ CRITICAL │ 2.28-10           │                  │ glibc: Arbitrary read in wordexp()                           │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2022-23218 │ CRITICAL │ 2.28-10           │                  │ glibc: Stack-based buffer overflow in svcunix_create via     │
│           │                │          │                   │                  │ long pathnames                                               │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│           ├────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-23219 │          │                   │                  │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│           │                │          │                   │                  │ a long pathname                                              │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libdb5.3  │ CVE-2019-8457  │ CRITICAL │ 5.3.28+dfsg1-0.5  │                  │ sqlite: heap out-of-bound read in function rtreenode()       │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
├───────────┼────────────────┤          ├───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-1292  │          │ 1.1.1d-0+deb10u8  │ 1.1.1n-0+deb10u2 │ openssl: c_rehash script allows command injection            │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-1292                    │
├───────────┤                │          │                   │                  │                                                              │
│ openssl   │                │          │                   │                  │                                                              │
│           │                │          │                   │                  │                                                              │
└───────────┴────────────────┴──────────┴───────────────────┴──────────────────┴──────────────────────────────────────────────────────────────┘

By using a bullseye base image instead of the buster base image the number of critical vulnerabilities can be reduced to 3:

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 60c2f3a..aff83b3 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:11-jre-slim-buster
+FROM openjdk:11-jre-slim-bullseye
trivy image --severity=CRITICAL --vuln-type=os $(docker build --quiet --file docker/Dockerfile .)
sha256:156f7d236a8a5153f3e5f3ceadb5fac424c7933794f408599a1f79f0e7b66a3d (debian 11.3)

Total: 3 (CRITICAL: 3)

┌───────────┬───────────────┬──────────┬───────────────────┬──────────────────┬────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability │ Severity │ Installed Version │  Fixed Version   │                         Title                          │
├───────────┼───────────────┼──────────┼───────────────────┼──────────────────┼────────────────────────────────────────────────────────┤
│ libdb5.3  │ CVE-2019-8457 │ CRITICAL │ 5.3.28+dfsg1-0.8  │                  │ sqlite: heap out-of-bound read in function rtreenode() │
│           │               │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-8457              │
├───────────┼───────────────┤          ├───────────────────┼──────────────────┼────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-1292 │          │ 1.1.1n-0+deb11u1  │ 1.1.1n-0+deb11u2 │ openssl: c_rehash script allows command injection      │
│           │               │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-1292              │
├───────────┤               │          │                   │                  │                                                        │
│ openssl   │               │          │                   │                  │                                                        │
│           │               │          │                   │                  │                                                        │
└───────────┴───────────────┴──────────┴───────────────────┴──────────────────┴────────────────────────────────────────────────────────┘

And with adding apt-get upgrade to the mix the number can be reduced to 1:

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 60c2f3a..029811e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,9 +1,10 @@
-FROM openjdk:11-jre-slim-buster
+FROM openjdk:11-jre-slim-bullseye
 
 ARG EXPORTER_VERSION=2.3.8
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
                netcat \
+  && apt-get upgrade -y \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
sha256:24f8301b5d6ce4da428a90eff88114627dee653418ea0308b103896d2bd740db (debian 11.3)

Total: 1 (CRITICAL: 1)

┌──────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                         Title                          │
├──────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libdb5.3 │ CVE-2019-8457 │ CRITICAL │ 5.3.28+dfsg1-0.8  │               │ sqlite: heap out-of-bound read in function rtreenode() │
│          │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457              │
└──────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@elchenberg