BIDMCDigitalPsychiatry / LAMP-platform

The LAMP Platform (issues and documentation).
https://docs.lamp.digital/

Please update dependencies #635

Closed liningpan closed 2 years ago

liningpan commented 2 years ago

Describe the bug Our container security scanning tool (trivy) is reporting critical and high severity vulnerabilities in the lamp-server and lamp-dashboard base image. For lamp-server, we can also see vulnerable node packages being used.

Let me know if you would like to see the output of our container scanning tool.

jtorous commented 2 years ago

Yes, please do share it with us.

-John

On Thu, May 12, 2022 at 3:23 PM Lining Pan wrote:

liningpan commented 2 years ago

lamp-dashboard:

ghcr.io/bidmcdigitalpsychiatry/lamp-dashboard@sha256:42e3e15c969ee77e111e3dc3fd79aa335e79b3b149bceea3a3b4ef5d913c9351 (alpine 3.15.4)
=====================================================================================================================================
Total: 11 (UNKNOWN: 0, LOW: 2, MEDIUM: 7, HIGH: 1, CRITICAL: 1)

+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| curl     | CVE-2022-22576   | MEDIUM   | 7.80.0-r0         | 7.80.0-r1     | curl: OAUTH2 bearer bypass            |
|          |                  |          |                   |               | in connection re-use                  |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22576 |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2022-27774   |          |                   |               | curl: credential leak on redirect     |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27774 |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2022-27776   |          |                   |               | curl: auth/cookie leak on redirect    |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27776 |
+          +------------------+----------+                   +               +---------------------------------------+
|          | CVE-2022-27775   | LOW      |                   |               | curl: bad local IPv6 connection reuse |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27775 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| freetype | CVE-2022-27404   | CRITICAL | 2.11.1-r0         | 2.11.1-r1     | FreeType: Buffer Overflow             |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27404 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcurl  | CVE-2022-22576   | MEDIUM   | 7.80.0-r0         | 7.80.0-r1     | curl: OAUTH2 bearer bypass            |
|          |                  |          |                   |               | in connection re-use                  |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-22576 |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2022-27774   |          |                   |               | curl: credential leak on redirect     |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27774 |
+          +------------------+          +                   +               +---------------------------------------+
|          | CVE-2022-27776   |          |                   |               | curl: auth/cookie leak on redirect    |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27776 |
+          +------------------+----------+                   +               +---------------------------------------+
|          | CVE-2022-27775   | LOW      |                   |               | curl: bad local IPv6 connection reuse |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27775 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| libxml2  | CVE-2022-29824   | MEDIUM   | 2.9.13-r0         | 2.9.14-r0     | libxml2: integer overflows            |
|          |                  |          |                   |               | in xmlBuf and xmlBuffer               |
|          |                  |          |                   |               | lead to out-of-bounds write           |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-29824 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| xz-libs  | CVE-2022-1271    | HIGH     | 5.2.5-r0          | 5.2.5-r1      | gzip: arbitrary-file-write            |
|          |                  |          |                   |               | vulnerability                         |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-1271  |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+

lamp-server:

ghcr.io/bidmcdigitalpsychiatry/lamp-server@sha256:4a22e8f2b38f3cc878e2150c12d8f59a07c74f40002e4552328772662c6aa0b3 (alpine 3.14.3)
==================================================================================================================================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 2)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| busybox      | CVE-2022-28391   | CRITICAL | 1.33.1-r6         | 1.33.1-r7     | busybox: remote attackers may execute |
|              |                  |          |                   |               | arbitrary code if netstat is used     |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-28391 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2022-0778    | HIGH     | 1.1.1l-r0         | 1.1.1n-r0     | openssl: Infinite loop in             |
|              |                  |          |                   |               | BN_mod_sqrt() reachable               |
|              |                  |          |                   |               | when parsing certificates             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0778  |
+--------------+                  +          +-------------------+---------------+                                       +
| libretls     |                  |          | 3.3.3p1-r2        | 3.3.3p1-r3    |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+                  +          +-------------------+---------------+                                       +
| libssl1.1    |                  |          | 1.1.1l-r0         | 1.1.1n-r0     |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| ssl_client   | CVE-2022-28391   | CRITICAL | 1.33.1-r6         | 1.33.1-r7     | busybox: remote attackers may execute |
|              |                  |          |                   |               | arbitrary code if netstat is used     |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-28391 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| zlib         | CVE-2018-25032   | HIGH     | 1.2.11-r3         | 1.2.12-r0     | zlib: A flaw found in                 |
|              |                  |          |                   |               | zlib when compressing (not            |
|              |                  |          |                   |               | decompressing) certain inputs...      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-25032 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
2022-05-12T14:02:06.086-0400    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)
==================
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 5, CRITICAL: 1)

+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
|          LIBRARY          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |       FIXED VERSION        |                 TITLE                 |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
| ansi-regex (package.json) | CVE-2021-3807    | HIGH     | 3.0.0             | 3.0.1, 4.1.1, 5.0.1, 6.0.1 | nodejs-ansi-regex: Regular            |
|                           |                  |          |                   |                            | expression denial of service          |
|                           |                  |          |                   |                            | (ReDoS) matching ANSI escape codes    |
|                           |                  |          |                   |                            | -->avd.aquasec.com/nvd/cve-2021-3807  |
+                           +                  +          +-------------------+                            +                                       +
|                           |                  |          | 5.0.0             |                            |                                       |
|                           |                  |          |                   |                            |                                       |
|                           |                  |          |                   |                            |                                       |
|                           |                  |          |                   |                            |                                       |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
| minimist (package.json)   | CVE-2021-44906   | CRITICAL | 1.2.5             | 1.2.6                      | minimist: prototype pollution         |
|                           |                  |          |                   |                            | -->avd.aquasec.com/nvd/cve-2021-44906 |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
| moment (package.json)     | CVE-2022-24785   | HIGH     | 2.29.1            | 2.29.2                     | Moment.js: Path traversal             |
|                           |                  |          |                   |                            |  in moment.locale                     |
|                           |                  |          |                   |                            | -->avd.aquasec.com/nvd/cve-2022-24785 |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
| nanoid (package.json)     | CVE-2021-23566   | MEDIUM   | 3.1.30            | 3.1.31                     | nanoid: Information disclosure        |
|                           |                  |          |                   |                            | via valueOf() function                |
|                           |                  |          |                   |                            | -->avd.aquasec.com/nvd/cve-2021-23566 |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
| node-fetch (package.json) | CVE-2022-0235    | HIGH     | 2.6.6             | 2.6.7, 3.1.1               | node-fetch: exposure of sensitive     |
|                           |                  |          |                   |                            | information to an unauthorized actor  |
|                           |                  |          |                   |                            | -->avd.aquasec.com/nvd/cve-2022-0235  |
+---------------------------+------------------+          +-------------------+----------------------------+---------------------------------------+
| simple-get (package.json) | CVE-2022-0355    |          | 3.1.0             | 2.8.2, 3.1.1, 4.0.1        | simple-get: exposure of sensitive     |
|                           |                  |          |                   |                            | information to an unauthorized actor  |
|                           |                  |          |                   |                            | -->avd.aquasec.com/nvd/cve-2022-0355  |
+---------------------------+------------------+----------+-------------------+----------------------------+---------------------------------------+
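
The scan above was produced with Trivy's table format; the log line in it points at `--format json` for the full output. The following is an added example (not code from the LAMP project) that reads that JSON layout, which it assumes to be a top-level "Results" list whose entries carry "Vulnerabilities" with Severity, InstalledVersion and FixedVersion fields, and fails a build only on HIGH/CRITICAL findings that already have a fix to bump to, the same triage the thread is asking for. The sample report is constructed from three rows of the tables above plus one placeholder entry with no fix.

```python
# Added example, not LAMP project code: triage a Trivy `--format json` report
# (assumed layout: top-level "Results", each with "Vulnerabilities") and fail a
# build only on findings that already have a FixedVersion to bump to.
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: three rows from the report above plus one placeholder
# finding with no fix available yet and one target with no findings at all.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "Results": [
    {"Target": "lamp-server (alpine 3.14.3)", "Type": "alpine", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2022-28391", "PkgName": "busybox", "Severity": "CRITICAL",
         "InstalledVersion": "1.33.1-r6", "FixedVersion": "1.33.1-r7"},
        {"VulnerabilityID": "CVE-2022-27775", "PkgName": "curl", "Severity": "LOW",
         "InstalledVersion": "7.80.0-r0", "FixedVersion": "7.80.0-r1"}]},
    {"Target": "package.json", "Type": "node-pkg", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-44906", "PkgName": "minimist", "Severity": "CRITICAL",
         "InstalledVersion": "1.2.5", "FixedVersion": "1.2.6"},
        {"VulnerabilityID": "PLACEHOLDER-UNFIXED", "PkgName": "example-pkg",
         "Severity": "HIGH", "InstalledVersion": "0.1.0", "FixedVersion": ""}]},
    {"Target": "empty-layer", "Type": "alpine", "Vulnerabilities": None}]})


def fixable_findings(report_json, min_severity="HIGH"):
    """Findings at or above min_severity that have a fixed version available.

    Unfixed findings are skipped (nothing to bump yet); track those separately
    rather than failing the build on them. Returns (target, pkg, id, have, fix).
    """
    threshold = SEVERITY_RANK[min_severity]
    found = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy may emit null or omit the key when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if not v.get("FixedVersion"):
                continue
            found.append((result["Target"], v["PkgName"], v["VulnerabilityID"],
                          v["InstalledVersion"], v["FixedVersion"]))
    return found


def gate(report_json, min_severity="HIGH"):
    """CI exit code: 1 when a fixable finding meets the bar, else 0. Same policy
    as `trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1`."""
    return 1 if fixable_findings(report_json, min_severity) else 0
```

Running `gate(SAMPLE_REPORT)` returns 1 here because busybox and minimist both have a fixed version; the unfixed placeholder does not count against the build.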
ZCOEngineer commented 2 years ago

We are going to review this today and shall update comments on this soon.

sarithapillai8 commented 2 years ago

@avaidyam There are some new vulnerabilities. We are trying to update some packages, and after that we need to have a full round of testing. We will update you ASAP.

divyav2020 commented 2 years ago

We have updated in Staging