What happened?
I am looking to ship gemini into a cluster, but in scanning the image the following CVEs were flagged:
ECR scan discovered security vulnerabilities affecting package(s) in quay/fairwinds/gemini container image. See details below.
CVE-ID: CVE-2023-5363
Vulnerable Package: openssl
Severity: HIGH
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5363 for more details
Info: Upgrade to at least version(s): Alpine:v3.17 - 3.0.12-r0 | Alpine:v3.18 - 3.1.4-r0 | Alpine:v3.19 - 3.1.4-r0
CVE-ID: CVE-2023-5678
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5678 for more details
Info: Upgrade to at least version(s): Alpine:v3.15 - 1.1.1w-r1 | Alpine:v3.16 - 1.1.1w-r1 | Alpine:v3.17 - 3.0.12-r1 | Alpine:v3.18 - 3.1.4-r1
CVE-ID: CVE-2023-3446
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446 for more details
Info: Upgrade to at least version(s): Alpine:v3.15 - 1.1.1u-r2 | Alpine:v3.15 - 3.0.9-r2 | Alpine:v3.16 - 1.1.1u-r2 | Alpine:v3.16 - 3.0.9-r2 | Alpine:v3.17 - 3.0.9-r3 | Alpine:v3.18 - 3.1.1-r3 | Alpine:v3.19 - 3.1.1-r3
CVE-ID: CVE-2024-0727
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727 for more details
Info: Upgrade to at least version(s): Alpine:v3.17 - 3.0.12-r4 | Alpine:v3.18 - 3.1.4-r5 | Alpine:v3.19 - 3.1.4-r5
CVE-ID: CVE-2023-3817
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3817 for more details
Info: Upgrade to at least version(s): Alpine:v3.15 - 1.1.1v-r0 | Alpine:v3.15 - 3.0.11-r0 | Alpine:v3.16 - 1.1.1v-r0 | Alpine:v3.16 - 3.0.11-r0 | Alpine:v3.17 - 3.0.10-r0 | Alpine:v3.18 - 3.1.2-r0 | Alpine:v3.19 - 3.1.2-r0
CVE-ID: CVE-2023-2975
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2975 for more details
Info: Upgrade to at least version(s): Alpine:v3.15 - 3.0.9-r1 | Alpine:v3.16 - 3.0.9-r1 | Alpine:v3.17 - 3.0.9-r2 | Alpine:v3.18 - 3.1.1-r2 | Alpine:v3.19 - 3.1.1-r2
CVE-ID: CVE-2023-6129
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129 for more details
Info: Upgrade to at least version(s): Alpine:v3.17 - 3.0.12-r2 | Alpine:v3.18 - 3.1.4-r3 | Alpine:v3.19 - 3.1.4-r3
CVE-ID: CVE-2023-2650
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2650 for more details
Info: Upgrade to at least version(s): Alpine:v3.15 - 1.1.1u-r0 | Alpine:v3.15 - 3.0.9-r0 | Alpine:v3.16 - 1.1.1u-r0 | Alpine:v3.16 - 3.0.9-r0 | Alpine:v3.17 - 3.0.9-r0 | Alpine:v3.18 - 3.1.1-r0 | Alpine:v3.19 - 3.1.1-r0
What did you expect to happen?
I would like to see these CVEs resolved, or at least a resolution to the highest severity vulnerabilities that have been flagged.
How can we reproduce this?
Although the list may vary, any image scanning tool will provide a similar list of CVEs. The simplest way is a Docker Scout scan:
▶ docker scout cves quay.io/fairwinds/gemini:2.0
i New version 1.7.0 available (installed version is 1.5.0) at https://github.com/docker/scout-cli
✓ SBOM of image already cached, 66 packages indexed
✗ Detected 4 vulnerable packages with a total of 47 vulnerabilities
## Overview
Analyzed Image
Target │ quay.io/fairwinds/gemini:2.0
digest │ f5a22ff274f2
platform │ linux/arm64
vulnerabilities │ 2C 20H 19M 0L 8?
size │ 18 MB
packages │ 66
## Packages and Vulnerabilities
2C 18H 8M 0L 6? stdlib 1.19.1
pkg:golang/stdlib@1.19.1
✗ CRITICAL CVE-2023-24540
https://scout.docker.com/v/CVE-2023-24540
Affected range : <1.19.9
Fixed version : 1.19.9
✗ CRITICAL CVE-2023-24538
https://scout.docker.com/v/CVE-2023-24538
Affected range : <1.19.8
Fixed version : 1.19.8
✗ HIGH CVE-2023-29403
https://scout.docker.com/v/CVE-2023-29403
Affected range : <1.19.10
Fixed version : 1.19.10
✗ HIGH CVE-2023-45287
https://scout.docker.com/v/CVE-2023-45287
Affected range : <1.20.0
Fixed version : 1.20.0
✗ HIGH CVE-2023-45283
https://scout.docker.com/v/CVE-2023-45283
Affected range : <1.20.11
Fixed version : 1.20.11
✗ HIGH CVE-2023-39325
https://scout.docker.com/v/CVE-2023-39325
Affected range : <1.20.10
Fixed version : 1.20.10
✗ HIGH CVE-2023-24537
https://scout.docker.com/v/CVE-2023-24537
Affected range : <1.19.8
Fixed version : 1.19.8
✗ HIGH CVE-2023-24536
https://scout.docker.com/v/CVE-2023-24536
Affected range : <1.19.8
Fixed version : 1.19.8
✗ HIGH CVE-2023-24534
https://scout.docker.com/v/CVE-2023-24534
Affected range : <1.19.8
Fixed version : 1.19.8
✗ HIGH CVE-2022-41725
https://scout.docker.com/v/CVE-2022-41725
Affected range : <1.19.6
Fixed version : 1.19.6
✗ HIGH CVE-2022-41724
https://scout.docker.com/v/CVE-2022-41724
Affected range : <1.19.6
Fixed version : 1.19.6
✗ HIGH CVE-2022-41723
https://scout.docker.com/v/CVE-2022-41723
Affected range : <1.19.6
Fixed version : 1.19.6
✗ HIGH CVE-2022-41722
https://scout.docker.com/v/CVE-2022-41722
Affected range : <1.19.6
Fixed version : 1.19.6
✗ HIGH CVE-2022-41720
https://scout.docker.com/v/CVE-2022-41720
Affected range : >=1.19.0-0
: <1.19.4
Fixed version : 1.19.4
✗ HIGH CVE-2022-41716
https://scout.docker.com/v/CVE-2022-41716
Affected range : >=1.19.0-0
: <1.19.3
Fixed version : 1.19.3
✗ HIGH CVE-2022-41715
https://scout.docker.com/v/CVE-2022-41715
Affected range : >=1.19.0-0
: <1.19.2
Fixed version : 1.19.2
✗ HIGH CVE-2022-2880
https://scout.docker.com/v/CVE-2022-2880
Affected range : >=1.19.0-0
: <1.19.2
Fixed version : 1.19.2
✗ HIGH CVE-2022-2879
https://scout.docker.com/v/CVE-2022-2879
Affected range : >=1.19.0-0
: <1.19.2
Fixed version : 1.19.2
✗ HIGH CVE-2023-29400
https://scout.docker.com/v/CVE-2023-29400
Affected range : <1.19.9
Fixed version : 1.19.9
✗ HIGH CVE-2023-24539
https://scout.docker.com/v/CVE-2023-24539
Affected range : <1.19.9
Fixed version : 1.19.9
✗ MEDIUM CVE-2023-29406
https://scout.docker.com/v/CVE-2023-29406
Affected range : <1.19.11
Fixed version : 1.19.11
✗ MEDIUM CVE-2023-39319
https://scout.docker.com/v/CVE-2023-39319
Affected range : <1.20.8
Fixed version : 1.20.8
✗ MEDIUM CVE-2023-39318
https://scout.docker.com/v/CVE-2023-39318
Affected range : <1.20.8
Fixed version : 1.20.8
✗ MEDIUM CVE-2023-45284
https://scout.docker.com/v/CVE-2023-45284
Affected range : <1.20.11
Fixed version : 1.20.11
✗ MEDIUM CVE-2023-39326
https://scout.docker.com/v/CVE-2023-39326
Affected range : <1.20.12
Fixed version : 1.20.12
✗ MEDIUM CVE-2023-29409
https://scout.docker.com/v/CVE-2023-29409
Affected range : <1.19.12
Fixed version : 1.19.12
✗ MEDIUM CVE-2023-24532
https://scout.docker.com/v/CVE-2023-24532
Affected range : <1.19.7
Fixed version : 1.19.7
✗ MEDIUM CVE-2022-41717
https://scout.docker.com/v/CVE-2022-41717
Affected range : >=1.19.0-0
: <1.19.4
Fixed version : 1.19.4
✗ UNSPECIFIED CVE-2024-24785
https://scout.docker.com/v/CVE-2024-24785
Affected range : <1.21.8
Fixed version : 1.21.8
✗ UNSPECIFIED CVE-2024-24784
https://scout.docker.com/v/CVE-2024-24784
Affected range : <1.21.8
Fixed version : 1.21.8
✗ UNSPECIFIED CVE-2024-24783
https://scout.docker.com/v/CVE-2024-24783
Affected range : <1.21.8
Fixed version : 1.21.8
✗ UNSPECIFIED CVE-2023-45290
https://scout.docker.com/v/CVE-2023-45290
Affected range : <1.21.8
Fixed version : 1.21.8
✗ UNSPECIFIED CVE-2023-45289
https://scout.docker.com/v/CVE-2023-45289
Affected range : <1.21.8
Fixed version : 1.21.8
✗ UNSPECIFIED CVE-2023-45288
https://scout.docker.com/v/CVE-2023-45288
Affected range : <1.21.9
Fixed version : 1.21.9
0C 1H 7M 0L 2? openssl 3.0.8-r4
pkg:apk/alpine/openssl@3.0.8-r4?os_name=alpine&os_version=3.17
✗ HIGH CVE-2023-5363
https://scout.docker.com/v/CVE-2023-5363
Affected range : <3.0.12-r0
Fixed version : 3.0.12-r0
✗ MEDIUM CVE-2023-6129
https://scout.docker.com/v/CVE-2023-6129
Affected range : <3.0.12-r2
Fixed version : 3.0.12-r2
✗ MEDIUM CVE-2023-2650
https://scout.docker.com/v/CVE-2023-2650
Affected range : <3.0.9-r0
Fixed version : 3.0.9-r0
✗ MEDIUM CVE-2024-0727
https://scout.docker.com/v/CVE-2024-0727
Affected range : <3.0.12-r4
Fixed version : 3.0.12-r4
✗ MEDIUM CVE-2023-5678
https://scout.docker.com/v/CVE-2023-5678
Affected range : <3.0.12-r1
Fixed version : 3.0.12-r1
✗ MEDIUM CVE-2023-3817
https://scout.docker.com/v/CVE-2023-3817
Affected range : <3.0.10-r0
Fixed version : 3.0.10-r0
✗ MEDIUM CVE-2023-3446
https://scout.docker.com/v/CVE-2023-3446
Affected range : <3.0.9-r3
Fixed version : 3.0.9-r3
✗ MEDIUM CVE-2023-2975
https://scout.docker.com/v/CVE-2023-2975
Affected range : <3.0.9-r2
Fixed version : 3.0.9-r2
✗ UNSPECIFIED CVE-2024-2511
https://scout.docker.com/v/CVE-2024-2511
Affected range : <3.0.12-r5
Fixed version : 3.0.12-r5
✗ UNSPECIFIED CVE-2023-6237
https://scout.docker.com/v/CVE-2023-6237
Affected range : <3.0.12-r3
Fixed version : 3.0.12-r3
0C 1H 3M 0L golang.org/x/net 0.10.0
pkg:golang/golang.org/x/net@0.10.0
✗ HIGH CVE-2023-39325 [Uncontrolled Resource Consumption]
https://scout.docker.com/v/CVE-2023-39325
Affected range : <0.17.0
Fixed version : 0.17.0
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
✗ MEDIUM CVE-2023-3978 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
https://scout.docker.com/v/CVE-2023-3978
Affected range : <0.13.0
Fixed version : 0.13.0
CVSS Score : 6.1
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
✗ MEDIUM CVE-2023-45288 [Uncontrolled Resource Consumption]
https://scout.docker.com/v/CVE-2023-45288
Affected range : <0.23.0
Fixed version : 0.23.0
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
✗ MEDIUM CVE-2023-44487 [Uncontrolled Resource Consumption]
https://scout.docker.com/v/CVE-2023-44487
Affected range : <0.17.0
Fixed version : 0.17.0
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
0C 0H 1M 0L google.golang.org/protobuf 1.30.0
pkg:golang/google.golang.org/protobuf@1.30.0
✗ MEDIUM CVE-2024-24786 [Loop with Unreachable Exit Condition ('Infinite Loop')]
https://scout.docker.com/v/CVE-2024-24786
Affected range : <1.33.0
Fixed version : 1.33.0
49 vulnerabilities found in 4 packages
UNSPECIFIED 8
LOW 0
MEDIUM 19
HIGH 20
CRITICAL 2
What's Next?
View base image update recommendations → docker scout recommendations quay.io/fairwinds/gemini:2.0
Version
Gemini Version 2.0/2.0.1 and Helm Chart Version 2.1.3
Search
[X] I did search for other open and closed issues before opening this.
Code of Conduct
[X] I agree to follow this project's Code of Conduct
Additional context
In reviewing the Dockerfile, I do not imagine this is a change that should require much of any code change - and may be as simple as re-creating the image with new alpine packages. Failing that an OS update should suffice.
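Every finding in the scan above carries a "Fixed version", so the number a maintainer actually needs per package is the highest of those: the one version that clears all of that package's findings at once. The program below is an added example, not part of this issue or of the gemini project. It parses a constructed excerpt of the `docker scout cves` text report (the purl and Fixed version lines are copied from the output above; only a subset of findings is included) and prints the rebuild target for each package. The version ordering is a deliberately simple numeric comparison, an assumption that holds for the fixed-version strings scout prints here (Alpine `-rN` revisions and plain Go versions) but is not a full apk or semver implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample: a subset of the findings from the scout report above,
// in the same layout the tool prints (purl line, then one "Fixed version"
// line per finding). Trimmed to keep the example short.
const sampleReport = `
2C 18H 8M 0L 6? stdlib 1.19.1
pkg:golang/stdlib@1.19.1
  ✗ CRITICAL CVE-2023-24540
    Fixed version  : 1.19.9
  ✗ HIGH CVE-2022-41725
    Fixed version  : 1.19.6
  ✗ UNSPECIFIED CVE-2023-45288
    Fixed version  : 1.21.9
0C 1H 7M 0L 2? openssl 3.0.8-r4
pkg:apk/alpine/openssl@3.0.8-r4?os_name=alpine&os_version=3.17
  ✗ HIGH CVE-2023-5363
    Fixed version  : 3.0.12-r0
  ✗ MEDIUM CVE-2023-3446
    Fixed version  : 3.0.9-r3
  ✗ UNSPECIFIED CVE-2024-2511
    Fixed version  : 3.0.12-r5
0C 1H 3M 0L golang.org/x/net 0.10.0
pkg:golang/golang.org/x/net@0.10.0
  ✗ HIGH CVE-2023-39325
    Fixed version  : 0.17.0
  ✗ MEDIUM CVE-2023-45288
    Fixed version  : 0.23.0
0C 0H 1M 0L google.golang.org/protobuf 1.30.0
pkg:golang/google.golang.org/protobuf@1.30.0
  ✗ MEDIUM CVE-2024-24786
    Fixed version  : 1.33.0
`

// Upgrade is the rebuild target for one package: what the image ships today
// and the lowest version that clears every finding listed for it.
type Upgrade struct {
	Installed string
	Required  string
	Findings  int
}

var numberRe = regexp.MustCompile(`\d+`)

// versionParts turns "3.0.12-r4" into [3 0 12 4] and "1.21.9" into [1 21 9].
// Alpine's "-rN" package revision becomes a trailing component, so a later
// revision of the same upstream release sorts higher. This is an assumption
// adequate for scout's fixed-version strings, not general apk/semver ordering.
func versionParts(v string) []int {
	var parts []int
	for _, s := range numberRe.FindAllString(v, -1) {
		n, _ := strconv.Atoi(s)
		parts = append(parts, n)
	}
	return parts
}

// CompareVersions returns -1, 0 or 1 ordering a before, equal to, or after b.
// Missing components count as zero, so "3.0.12" equals "3.0.12-r0".
func CompareVersions(a, b string) int {
	pa, pb := versionParts(a), versionParts(b)
	for len(pa) < len(pb) {
		pa = append(pa, 0)
	}
	for len(pb) < len(pa) {
		pb = append(pb, 0)
	}
	for i := range pa {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// RequiredUpgrades walks a scout text report and, for each package introduced
// by a "pkg:" purl line, keeps the highest "Fixed version" among its findings.
// Package names: the purl type ("golang", "apk") is dropped, and for apk the
// distro namespace ("alpine") is dropped too, so keys read "openssl",
// "stdlib", "golang.org/x/net".
func RequiredUpgrades(report string) map[string]*Upgrade {
	out := map[string]*Upgrade{}
	var cur *Upgrade
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "pkg:"):
			purl := strings.TrimPrefix(line, "pkg:")
			if q := strings.Index(purl, "?"); q >= 0 {
				purl = purl[:q] // drop qualifiers such as ?os_name=alpine
			}
			at := strings.LastIndex(purl, "@")
			if at < 0 {
				cur = nil
				continue
			}
			ver := purl[at+1:]
			typ, rest, _ := strings.Cut(purl[:at], "/")
			if typ == "apk" {
				_, rest, _ = strings.Cut(rest, "/")
			}
			cur = &Upgrade{Installed: ver, Required: ver}
			out[rest] = cur
		case strings.HasPrefix(line, "Fixed version"):
			if cur == nil {
				continue
			}
			_, fixed, _ := strings.Cut(line, ":")
			fixed = strings.TrimSpace(fixed)
			cur.Findings++
			if CompareVersions(fixed, cur.Required) > 0 {
				cur.Required = fixed
			}
		}
	}
	return out
}

func main() {
	ups := RequiredUpgrades(sampleReport)
	names := make([]string, 0, len(ups))
	for n := range ups {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		u := ups[n]
		fmt.Printf("%-28s %-10s -> %-10s (%d findings)\n", n, u.Installed, u.Required, u.Findings)
	}
}
```

Run it with `go run` on the file; on this excerpt it reports stdlib 1.19.1 -> 1.21.9, openssl 3.0.8-r4 -> 3.0.12-r5, golang.org/x/net 0.10.0 -> 0.23.0 and google.golang.org/protobuf 1.30.0 -> 1.33.0. The split matters for the fix: the `stdlib` and Go module findings live inside the statically linked binary and are only cleared by rebuilding with a newer Go toolchain and updated `go.mod`, whereas the openssl findings are in the Alpine layer and are cleared by rebuilding against a current package index. Feeding the full report (rather than this excerpt) into the program gives the same per-package answer, since it only ever keeps the maximum fixed version.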