Resolve common CVEs #506

Open
Romiko opened this issue Jan 23, 2024 · 4 comments

Comments

@Romiko

Romiko commented Jan 23, 2024

The golang bookworm base image has some CVEs that may require resolving. I find these CVEs are a common occurrence with many core Kubernetes containers such as Velero, External-DNS and Cert-Manager. Is it possible to resolve some of these on the base images in docker io?

CVE ID: GHSA-m425-mq94-257g
Fix Version: 1.56.3
Advisory URL: GHSA-m425-mq94-257g
Description: gRPC-Go HTTP/2 Rapid Reset vulnerability

CVE ID: GHSA-qppj-fm5r-hxr3
Fix Version: 1.56.3
Advisory URL: GHSA-qppj-fm5r-hxr3
Description: HTTP/2 Stream Cancellation Attack

CVE ID: CVE-2016-20013
Fix Version: Not Fixed
Advisory URL: https://nvd.nist.gov/vuln/detail/CVE-2016-20013
Description: sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

CVE ID: CVE-2023-5156
Fix Version: 2.35-0ubuntu3.5
Advisory URL: https://nvd.nist.gov/vuln/detail/CVE-2023-5156
Description: A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.

CVE ID: CVE-2015-5237
Fix Version: Unknown
Advisory URL: https://nvd.nist.gov/vuln/detail/CVE-2015-5237
Description: protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.

CVE ID: CVE-2022-42800
Fix Version:
Advisory URL: https://nvd.nist.gov/vuln/detail/CVE-2022-42800
Description: This issue was addressed with improved checks. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, macOS Ventura 13, watchOS 9.1, iOS 16.1 and iPadOS 16, macOS Monterey 12.6.1, macOS Big Sur 11.7.1. A user may be able to cause unexpected app termination or arbitrary code execution.

@tianon
Member

tianon commented Jan 23, 2024

> This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, macOS Ventura 13, watchOS 9.1, iOS 16.1 and iPadOS 16, macOS Monterey 12.6.1, macOS Big Sur 11.7.1.

You might want to talk to your scanner vendor about false positives here. 😅

(We don't have any macOS or iOS images.)

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

@Romiko
Author

Romiko commented Jan 23, 2024

Thank you. Indeed, many we classify as false positives. I will discuss this with Calico Cloud - Tigera as we leverage their Container Scanning tools.

@Romiko
Author

Romiko commented Jan 24, 2024

The Golang Bookworm image is used to build the Velero binary, and paketobuildpacks/run-jammy-tiny:0.2.11 is used as the base image to build the Velero image.

So the vulnerabilities are reported for image paketobuildpacks/run-jammy-tiny:0.2.11.

I checked the repository's latest version. The binary versions reported as vulnerable are not bumped:
https://github.com/paketo-buildpacks/jammy-tiny-stack/releases/tag/v0.2.24

@LaurentGoderre
Member

@Romiko maybe the app could switch to a multi-stage build that copies the built output to a more minimal image
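The multi-stage layout suggested above, written out as an added example (not Velero's or paketo's own Dockerfile): the golang bookworm image is used only to compile, and the runtime stage receives nothing but the static binary, so glibc, protobuf and other packages present in the build image never reach the shipped image. The app name `myapp`, its `./cmd/myapp` path and the distroless runtime base are assumptions for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: compile with the full toolchain image (hypothetical app "myapp").
FROM golang:bookworm AS build
WORKDIR /src
# Copy module files first so dependency downloads are cached independently of source edits.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 produces a statically linked binary with no libc dependency,
# so the runtime stage does not need glibc (or any OS package) at all.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/myapp ./cmd/myapp

# Stage 2: minimal runtime image. Only the binary is copied from the build
# stage; the build image's OS packages and their CVEs stay behind.
# distroless/static ships CA certificates and a non-root user but no shell or package manager.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/myapp /usr/local/bin/myapp
USER nonroot:nonroot
ENTRYPOINT ["/usr/local/bin/myapp"]
```

Scanning the final image with the same tool should then leave only findings in the binary's own Go dependencies (the grpc-go advisories listed in the issue, fixed in 1.56.3), which are addressed by bumping `go.mod` rather than the base image.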
