CircleCI-Public / cimg-node

The CircleCI Node.js Docker Convenience Image.
https://circleci.com/developer/images/image/cimg/node
MIT License

cimg/node:14.17.4 policykit vulnerability CVE-2021-4034 #208

Closed hamisor closed 2 years ago

hamisor commented 2 years ago

cimg/node:14.17.4 which uses cimg/base:2021.07 as the base has policykit-1/now 0.105-26ubuntu1.1 amd64 installed which is subject to the vulnerability CVE-2021-4034.

Ubuntu has pushed out a new policykit-1 patch to mitigate this issue.

I can see the latest base image cimg/base:2022.02-20.04 has the updated policykit-1 0.105-26ubuntu1.2 installed.

I would like to request an update of the base image for cimg/node:14.17.4 or any other node images using the cimg/base:2021.07 image.

JalexChen commented 2 years ago

Hi @hamisor,

Thanks for letting us know - if you were interested in making these changes on your end in the meantime, you could run ./shared/gen-dockerfiles.sh 14.17.4 in your shell and it will generate a new Dockerfile that uses our latest base image, which points to cimg/base:2022.01.

However, since we want these images to be deterministic at the time they were created, we won't be updating the images for 14.17.4 on our end.

FelicianoTech commented 2 years ago

I'd like to add, sudo apt-get update and sudo apt-get -y upgrade can be run in the image to update the policykit package to one with a fix. Or instead of "upgrade", an install of a specific package will just update that one, saving some time.

Most importantly though, this CVE doesn't really affect a CI build unless you are incorporating one of Ubuntu's packages into your own code. The privilege escalation is not a danger because we allow password sudo access in the first place in the image. The image already allows easier access to root than the CVE would.
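The two remediation routes named in the thread (regenerating the Dockerfile against a newer cimg/base, or upgrading just the policykit-1 package inside the existing image) both come down to one question: is the installed policykit-1 at or above the version Ubuntu shipped the fix in? The script below is an added example, not code from the cimg-node project or from anyone in this thread. It checks the installed version against 0.105-26ubuntu1.2 (the fixed version hamisor observed in cimg/base:2022.02-20.04) and, only when the package is behind, runs the single-package upgrade FelicianoTech describes instead of a full apt-get upgrade. The function names and the sample dpkg lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not cimg-node project code): verify and, if needed, fix the
# policykit-1 package in an image built on an older cimg/base.

# Version named in the issue as carrying the CVE-2021-4034 fix on Ubuntu 20.04.
FIXED_VERSION="0.105-26ubuntu1.2"

# Installed version of a package, from dpkg-query; $1 = package name.
# Prints nothing if the package is absent.
installed_version() {
  dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

# Return 0 if $1 (installed) >= $2 (fixed). Prefer dpkg's own Debian version
# ordering; fall back to sort -V, which orders the versions in this thread correctly.
version_at_least() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
  fi
}

# Classify one "dpkg -l" line ("ii  policykit-1  <version>  <arch>  ...") as
# "vulnerable" or "fixed" by its version column. Useful when checking the
# output someone pasted from a container rather than a live system.
classify_dpkg_line() {
  ver=$(printf '%s\n' "$1" | awk '{print $3}')
  if version_at_least "$ver" "$FIXED_VERSION"; then
    echo fixed
  else
    echo vulnerable
  fi
}

# Constructed sample lines: what dpkg -l policykit-1 shows in the two base
# images mentioned in the issue (cimg/base:2021.07 and cimg/base:2022.02-20.04).
SAMPLE_OLD='ii  policykit-1  0.105-26ubuntu1.1  amd64  framework for managing administrative policies'
SAMPLE_NEW='ii  policykit-1  0.105-26ubuntu1.2  amd64  framework for managing administrative policies'

# Remediation for a live container: upgrade only policykit-1, and only when it
# is actually behind the fixed version. Returns 0 when nothing needed doing.
remediate_policykit() {
  cur=$(installed_version policykit-1)
  if [ -z "$cur" ]; then
    echo "policykit-1 is not installed; nothing to do"
    return 0
  fi
  if version_at_least "$cur" "$FIXED_VERSION"; then
    echo "policykit-1 $cur is already at or above $FIXED_VERSION"
    return 0
  fi
  echo "policykit-1 $cur is below $FIXED_VERSION; upgrading that package only"
  sudo apt-get update && sudo apt-get install -y --only-upgrade policykit-1
}

# Run the fix only when asked explicitly (e.g. "sh check-policykit.sh --fix"
# as a RUN step or a CI job step); otherwise just report on the sample lines.
if [ "${1:-}" = "--fix" ]; then
  remediate_policykit
else
  echo "sample from cimg/base:2021.07:       $(classify_dpkg_line "$SAMPLE_OLD")"
  echo "sample from cimg/base:2022.02-20.04: $(classify_dpkg_line "$SAMPLE_NEW")"
fi
```

Running it with --fix inside a container started from cimg/node:14.17.4 applies the targeted upgrade; running it as a plain CI step without --fix is a cheap way to make a pipeline fail loudly if the base image it inherited is still on the unpatched package, without committing to the full-image upgrade the thread notes is slower.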

hamisor commented 2 years ago

Thanks for the clarification @felicianotech. We are only using this node image for the CircleCI build, not as the base of our application, so it is not a priority to update the base image at all. Just wondering how often this node image gets updated with the base image?