[🐛 Bug]: Susceptibility to PwnKit

[0x64746b]

What happened?

We are running Chrome nodes (3.141.59), which contain a pkexec version that is susceptible to the PwnKit attack vector:

default@selenium-grid-chrome-node:/$ ls -l /usr/bin/pkexec
-rwsr-xr-x. 1 root root 31032 May 26  2021 /usr/bin/pkexec
default@selenium-grid-chrome-node:/$ dpkg-query --list | grep policykit
ii  policykit-1                          0.105-26ubuntu1.1                 amd64        framework for managing administrative policies and privileges
default@selenium-grid-chrome-node:/$

The patched version is 0.105-26ubuntu1.2: https://ubuntu.com/security/CVE-2021-4034

Is there any chance you could release a Docker image with the upgraded package?

Thanks a lot for your work! D.

Command used to start Selenium Grid with Docker

helm upgrade ...

Relevant log output

default@selenium-grid-chrome-node:/$ ls -l /usr/bin/pkexec
-rwsr-xr-x. 1 root root 31032 May 26  2021 /usr/bin/pkexec
default@selenium-grid-chrome-node:/$ dpkg-query --list | grep policykit
ii  policykit-1                          0.105-26ubuntu1.1                 amd64        framework for managing administrative policies and privileges
default@selenium-grid-chrome-node:/$

Operating System

OpenShift 4

Docker Selenium version (tag)

selenium/node-chrome-debug:3.141.59@sha256:4205fd019f4c290e027dd100cc99c609614a952e41370c28d56600b32855e1f5

[diemol]

We are not releasing any more Grid 3.x images, please check the 4.x ones and let us know if those work for you.

[0x64746b]

Unfortunately, one of our projects still uses Nightwatch JS v1 due to a blocking dependency, which is why we cannot upgrade to Selenium Grid v4 yet.

[diemol]

I understand. However, we won't be releasing Grid 3 anymore. Nevertheless, if you want to, you can build your own images with the upgraded package based on the Selenium Grid 3 branch.

[github-actions[bot]]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.