search

Azure / Azurite

A lightweight server clone of Azure Storage that simulates most of the commands supported by it with minimal dependencies
MIT License
1.8k stars 320 forks source link

Multiple high-severity vulnerabilities in Docker image #2361

Open WillStephen opened 7 months ago

WillStephen commented 7 months ago

The latest Docker image fails Trivy scans with five high-severity CVEs. There are two in the base image and three in Azurite itself.

$ docker run aquasec/trivy image mcr.microsoft.com/azure-storage/azurite:latest --severity HIGH,CRITICAL

mcr.microsoft.com/azure-storage/azurite:latest (alpine 3.17.3)
==============================================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ HIGH     │ fixed  │ 3.0.8-r3          │ 3.0.12-r0     │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
├────────────┤               │          │        │                   │               │                                                        │
│ libssl3    │               │          │        │                   │               │                                                        │
│            │               │          │        │                   │               │                                                        │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

Node.js (node-pkg)
==================
Total: 4 (HIGH: 4, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬────────────────────────────┬────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │  Status  │ Installed Version │       Fixed Version        │                           Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼────────────────────────────┼────────────────────────────────────────────────────────────┤
│ ansi-regex (package.json)           │ CVE-2021-3807  │ HIGH     │ fixed    │ 3.0.0             │ 6.0.1, 5.0.1, 4.1.1, 3.0.1 │ nodejs-ansi-regex: Regular expression denial of service    │
│                                     │                │          │          │                   │                            │ (ReDoS) matching ANSI escape codes                         │
│                                     │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807                  │
│                                     │                │          │          ├───────────────────┤                            │                                                            │
│                                     │                │          │          │ 4.1.0             │                            │                                                            │
│                                     │                │          │          │                   │                            │                                                            │
│                                     │                │          │          │                   │                            │                                                            │
├─────────────────────────────────────┼────────────────┤          │          ├───────────────────┼────────────────────────────┼────────────────────────────────────────────────────────────┤
│ http-cache-semantics (package.json) │ CVE-2022-25881 │          │          │ 3.8.1             │ 4.1.1                      │ http-cache-semantics: Regular Expression Denial of Service │
│                                     │                │          │          │                   │                            │ (ReDoS) vulnerability                                      │
│                                     │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-25881                 │
├─────────────────────────────────────┼────────────────┤          ├──────────┼───────────────────┼────────────────────────────┼────────────────────────────────────────────────────────────┤
│ ip (package.json)                   │ CVE-2023-42282 │          │ affected │ 1.1.5             │                            │ An issue in NPM IP Package v.1.1.8 and before allows an    │
│                                     │                │          │          │                   │                            │ attacker...                                                │
│                                     │                │          │          │                   │                            │ https://avd.aquasec.com/nvd/cve-2023-42282                 │
└─────────────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴────────────────────────────┴────────────────────────────────────────────────────────────┘

We'd love to use Azurite but this is a bit of a problem for us - is there anyone working on updating the dependencies to fix these?

levpachmanov commented 7 months ago

Hi @WillStephen,

Unfortunately, the library is no longer maintained, so there is no public solution.

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an ip 1.1.5-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

blueww commented 7 months ago

@EmmaZhu

Would you please help to look at the dependency issue?