actions / runner

The Runner for GitHub Actions :rocket:
https://github.com/features/actions
MIT License

Docker Runner v2.300.0 has 1 critical and 6 high severity CVEs #2327

Open andersthorbeck opened 1 year ago

andersthorbeck commented 1 year ago

Describe the bug

The GitHub Runner versions 2.299.1 and 2.300.0 (most recent versions at the time of writing) have 1 critical severity and 6 high severity CVEs found by Trivy security vulnerability scan.

To Reproduce

Steps to reproduce the behavior:

  1. In a GitHub repository, under a directory named github-runner, have the following Dockerfile:

      FROM ubuntu:22.04
    
      ARG GITHUB_RUNNER_VERSION="2.300.0"
    
      ENV GITHUB_OWNER "myorganization"
      ENV RUNNER_WORKDIR "_work"
      ENV TZ="Europe/London"
    
      ARG DEBIAN_FRONTEND="noninteractive"
    
      RUN apt-get update \
        && apt-get install -y \
        ca-certificates \
        curl \
        apt-transport-https \
        lsb-release \
        gnupg \
        && curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null \
        && AZ_REPO=$(lsb_release -cs) \
        && echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | tee /etc/apt/sources.list.d/azure-cli.list \
        && apt-get update \
        && apt-get install -y \
        azure-cli \
        iputils-ping \
        sudo \
        git \
        unzip \
        jq \
        gh
    
      # Required by "hashicorp/setup-terraform"
      RUN curl -sL https://deb.nodesource.com/setup_16.x | sudo -E bash - \
        && sudo apt-get install -y nodejs
      RUN apt-get clean \
        && rm -rf /var/lib/apt/lists/*
    
      RUN adduser --uid 1000 --gecos "GitHub Runner" --disabled-password github-runner && \
        echo 'github-runner ALL=(ALL) NOPASSWD:ALL' | sudo EDITOR='tee -a' visudo
      USER 1000
    
      WORKDIR /home/github-runner
    
      # Install everything needed for the GitHub Action self-hosted-runner
      RUN curl -Ls https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz | tar xz
      RUN sudo ./bin/installdependencies.sh
    
      COPY ./scripts/*.sh /home/github-runner/scripts/
      RUN sudo chmod +x /home/github-runner/scripts/*.sh
      COPY ./entrypoint.sh /home/github-runner/entrypoint.sh
      RUN sudo chmod +x /home/github-runner/entrypoint.sh
    
      ENV PATH="${PATH}:/home/github-runner/scripts"
    
      ENTRYPOINT ["/home/github-runner/entrypoint.sh"]

    The content of entrypoint.sh is omitted for simplicity.

  2. In the same repository, define the following GitHub Actions workflow (to be run on a GitHub-hosted runner, but to generate and vulnerability scan the Docker image for a self-hosted runner):

      name: github-runner-pull-request
    
      on:
        workflow_dispatch:
        pull_request:
          branches:
            - master
          paths:
            - "github-runner/**"
    
      jobs:
        build-and-scan:
          runs-on: ubuntu-latest
          steps:
            - uses: actions/checkout@v3
            - name: Docker build
              run: docker build github-runner -t github-runner-pull-request:${{ github.sha }}
            - name: Scan image with Trivy
              uses: aquasecurity/trivy-action@master
              with:
                image-ref: github-runner-pull-request:${{ github.sha }}
                format: "table"
                exit-code: "1"
                ignore-unfixed: true # Ignore unfixable
                vuln-type: "os,library"
                severity: "CRITICAL,HIGH"
    
  3. Dispatch this workflow manually (or raise a pull request triggering it).
  4. Read the vulnerability scan results.

Expected behavior

Expected zero HIGH or CRITICAL severity known, mitigatable vulnerabilities.

Runner Version and Platform

The GitHub-hosted runner generating the Docker image and running the Trivy scan:

Current runner version: '2.299.1'
Operating System
  Ubuntu
  22.04.1
  LTS
Runner Image
  Image: ubuntu-22.04
  Version: 20221212.1
  Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20221212.1/images/linux/Ubuntu2204-Readme.md
  Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20221212.1
Runner Image Provisioner
  2.0.91.1

The (to be self-hosted) runner Docker image being generated, which has vulnerabilities:

FROM ubuntu:22.04

ARG GITHUB_RUNNER_VERSION="2.300.0"

What's not working?

The Trivy vulnerability scan seems to indicate that the GitHub Runner code being pulled in via the Dockerfile is vulnerable to the following known CVEs:

Job Log Output

The full run log: trivy_run_redacted.log.

See in particular:

2022-12-19T09:03:05.5617685Z ##[group]Run aquasecurity/trivy-action@master
2022-12-19T09:03:05.5617930Z with:
2022-12-19T09:03:05.5618248Z   image-ref: github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66
2022-12-19T09:03:05.5618574Z   format: table
2022-12-19T09:03:05.5618759Z   exit-code: 1
2022-12-19T09:03:05.5618969Z   ignore-unfixed: true
2022-12-19T09:03:05.5619191Z   vuln-type: os,library
2022-12-19T09:03:05.5619404Z   severity: CRITICAL,HIGH
2022-12-19T09:03:05.5619625Z   scan-type: image
2022-12-19T09:03:05.5619827Z   scan-ref: .
2022-12-19T09:03:05.5620022Z   list-all-pkgs: false
2022-12-19T09:03:05.5620238Z ##[endgroup]
2022-12-19T09:03:05.5917896Z ##[command]/usr/bin/docker run --name f1f6e4627386490589e9ad5db0e66d6f_a8c603 --label 290506 --workdir /github/workspace --rm -e "INPUT_IMAGE-REF" -e "INPUT_FORMAT" -e "INPUT_EXIT-CODE" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_SEVERITY" -e "INPUT_SCAN-TYPE" -e "INPUT_INPUT" -e "INPUT_SCAN-REF" -e "INPUT_TEMPLATE" -e "INPUT_OUTPUT" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_TIMEOUT" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_SECURITY-CHECKS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_TRIVY-CONFIG" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/myrepository/myrepository":"/github/workspace" 290506:f1f6e4627386490589e9ad5db0e66d6f  "-a image" "-b table" "-c " "-d 1" "-e true" "-f os,library" "-g CRITICAL,HIGH" 
"-h " "-i github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66" "-j ." "-k " "-l " "-m " "-n " "-o " "-p " "-q " "-r false" "-s " "-t " "-u " "-v "
2022-12-19T09:03:05.8779410Z Running trivy with options: trivy image  --format table --exit-code  1 --ignore-unfixed --vuln-type  os,library --severity  CRITICAL,HIGH  github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66
2022-12-19T09:03:05.8779960Z Global options:  
2022-12-19T09:03:06.4183040Z 2022-12-19T09:03:06.417Z   INFO   Need to update DB
2022-12-19T09:03:06.4183586Z 2022-12-19T09:03:06.417Z   INFO   DB Repository: ghcr.io/aquasecurity/trivy-db
2022-12-19T09:03:06.4184045Z 2022-12-19T09:03:06.417Z   INFO   Downloading DB...
2022-12-19T09:03:09.2010984Z 24.59 MiB / 35.67 MiB [------------------------------------------>__________________] 68.95% ? p/s ?35.67 MiB / 35.67 MiB [----------------------------------------------------------->] 100.00% ? p/s ?35.67 MiB / 35.67 MiB [----------------------------------------------------------->] 100.00% ? p/s ?35.67 MiB / 35.67 MiB [---------------------------------------------->] 100.00% 18.47 MiB p/s ETA 0s35.67 MiB / 35.67 MiB [---------------------------------------------->] 100.00% 18.47 MiB p/s ETA 0s35.67 MiB / 35.67 MiB [---------------------------------------------->] 100.00% 18.47 MiB p/s ETA 0s35.67 MiB / 35.67 MiB [---------------------------------------------->] 100.00% 17.27 MiB p/s ETA 0s35.67 MiB / 35.67 MiB [-------------------------------------------------] 100.00% 27.11 MiB p/s 1.5s2022-12-19T09:03:09.195Z   INFO   Vulnerability scanning is enabled
2022-12-19T09:03:09.2012904Z 2022-12-19T09:03:09.195Z   INFO   Secret scanning is enabled
2022-12-19T09:03:09.2013636Z 2022-12-19T09:03:09.195Z   INFO   If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-12-19T09:03:09.2014709Z 2022-12-19T09:03:09.195Z   INFO   Please see also https://aquasecurity.github.io/trivy/v0.34/docs/secret/scanning/#recommendation for faster secret detection
2022-12-19T09:07:26.4147234Z 2022-12-19T09:07:26.414Z   INFO   Detected OS: ubuntu
2022-12-19T09:07:26.4147873Z 2022-12-19T09:07:26.414Z   INFO   Detecting Ubuntu vulnerabilities...
2022-12-19T09:07:26.4247603Z 2022-12-19T09:07:26.424Z   INFO   Number of language-specific files: 8
2022-12-19T09:07:26.4248646Z 2022-12-19T09:07:26.424Z   INFO   Detecting dotnet-core vulnerabilities...
2022-12-19T09:07:26.4332483Z 2022-12-19T09:07:26.432Z   INFO   Detecting node-pkg vulnerabilities...
2022-12-19T09:07:26.7336446Z 2022-12-19T09:07:26.732Z   INFO   Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
2022-12-19T09:07:26.7336810Z 
2022-12-19T09:07:26.7338058Z github-runner-pull-request:8cc4256c2cfbdef03251e6e4d24ad71d50b82b66 (ubuntu 22.04)
2022-12-19T09:07:26.7407751Z ==================================================================================
2022-12-19T09:07:26.7408044Z Total: 0 (HIGH: 0, CRITICAL: 0)
2022-12-19T09:07:26.7408182Z 
2022-12-19T09:07:26.7415817Z 
2022-12-19T09:07:26.7416111Z Node.js (node-pkg)
2022-12-19T09:07:26.7416314Z ==================
2022-12-19T09:07:26.7416535Z Total: 4 (HIGH: 3, CRITICAL: 1)
2022-12-19T09:07:26.7417527Z 
2022-12-19T09:07:26.7424863Z ┌────────────────────────────┬────────────────┬──────────┬───────────────────┬─────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7425575Z │          Library           │ Vulnerability  │ Severity │ Installed Version │                      Fixed Version                      │                          Title                           │
2022-12-19T09:07:26.7426313Z ├────────────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7426993Z │ json-schema (package.json) │ CVE-2021-3918  │ CRITICAL │ 0.2.3             │ 0.4.0                                                   │ nodejs-json-schema: Prototype pollution vulnerability    │
2022-12-19T09:07:26.7428920Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2021-3918                │
2022-12-19T09:07:26.7430059Z ├────────────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7430966Z │ minimatch (package.json)   │ CVE-2022-3517  │ HIGH     │ 3.0.4             │ 3.0.5                                                   │ nodejs-minimatch: ReDoS via the braceExpand function     │
2022-12-19T09:07:26.7439476Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2022-3517                │
2022-12-19T09:07:26.7440339Z ├────────────────────────────┼────────────────┤          ├───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7441424Z │ npm (package.json)         │ CVE-2022-29244 │          │ 8.1.0             │ 8.11.0                                                  │ nodejs: npm pack ignores root-level .gitignore and       │
2022-12-19T09:07:26.7442305Z │                            │                │          │                   │                                                         │ .npmignore file exclusion directives when...             │
2022-12-19T09:07:26.7443012Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2022-29244               │
2022-12-19T09:07:26.7443840Z ├────────────────────────────┼────────────────┤          ├───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7472731Z │ qs (package.json)          │ CVE-2022-24999 │          │ 6.5.2             │ 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, │ express: "qs" prototype poisoning causes the hang of the │
2022-12-19T09:07:26.7473477Z │                            │                │          │                   │ 6.10.3                                                  │ node process                                             │
2022-12-19T09:07:26.7474060Z │                            │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2022-24999               │
2022-12-19T09:07:26.7474788Z └────────────────────────────┴────────────────┴──────────┴───────────────────┴─────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7475016Z 
2022-12-19T09:07:26.7475247Z home/github-runner/bin/Runner.Common.deps.json (dotnet-core)
2022-12-19T09:07:26.7475560Z ============================================================
2022-12-19T09:07:26.7475798Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7475941Z 
2022-12-19T09:07:26.7476511Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7477063Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7477710Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7478280Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7478821Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7479320Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7480037Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7480594Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7481131Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7481618Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7482173Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7482698Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7483233Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7483722Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7484317Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7484523Z 
2022-12-19T09:07:26.7484759Z home/github-runner/bin/Runner.Listener.deps.json (dotnet-core)
2022-12-19T09:07:26.7485063Z ==============================================================
2022-12-19T09:07:26.7485284Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7485426Z 
2022-12-19T09:07:26.7485837Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7486456Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7487101Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7487648Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7488192Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7488698Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7489280Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7489917Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7490433Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7490930Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7491481Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7492001Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7492508Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7493002Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7493611Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7493813Z 
2022-12-19T09:07:26.7494058Z home/github-runner/bin/Runner.PluginHost.deps.json (dotnet-core)
2022-12-19T09:07:26.7494357Z ================================================================
2022-12-19T09:07:26.7494588Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7494739Z 
2022-12-19T09:07:26.7495146Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7495748Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7496434Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7496992Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7497532Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7498045Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7498619Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7499204Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7499737Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7500238Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7500771Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7501289Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7501800Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7502365Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7502970Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7503174Z 
2022-12-19T09:07:26.7503413Z home/github-runner/bin/Runner.Plugins.deps.json (dotnet-core)
2022-12-19T09:07:26.7503720Z =============================================================
2022-12-19T09:07:26.7503953Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7504096Z 
2022-12-19T09:07:26.7504494Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7505031Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7505749Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7506309Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7506836Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7507339Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7507927Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7508477Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7509063Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7509544Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7510094Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7510610Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7512604Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7513226Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7513859Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7514107Z 
2022-12-19T09:07:26.7514331Z home/github-runner/bin/Runner.Sdk.deps.json (dotnet-core)
2022-12-19T09:07:26.7514624Z =========================================================
2022-12-19T09:07:26.7514842Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7514982Z 
2022-12-19T09:07:26.7515395Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7515935Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7516588Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7517216Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7517750Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7518261Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7518849Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7519401Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7519931Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7520439Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7520986Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7521503Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7521991Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7522478Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7523212Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7523422Z 
2022-12-19T09:07:26.7523657Z home/github-runner/bin/Runner.Worker.deps.json (dotnet-core)
2022-12-19T09:07:26.7523945Z ============================================================
2022-12-19T09:07:26.7524177Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7524319Z 
2022-12-19T09:07:26.7524730Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7525264Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7525889Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7526481Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7527022Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7527530Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7528099Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7528650Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7529184Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7529773Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7530316Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7530831Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7531335Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7531821Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7532417Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.7532699Z 
2022-12-19T09:07:26.7532906Z home/github-runner/bin/Sdk.deps.json (dotnet-core)
2022-12-19T09:07:26.7533178Z ==================================================
2022-12-19T09:07:26.7533405Z Total: 3 (HIGH: 3, CRITICAL: 0)
2022-12-19T09:07:26.7533545Z 
2022-12-19T09:07:26.7533940Z ┌────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
2022-12-19T09:07:26.7534476Z │      Library       │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                            Title                             │
2022-12-19T09:07:26.7535112Z ├────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7535668Z │ System.Net.Http    │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
2022-12-19T09:07:26.7536224Z │                    │               │          │                   │               │ information exposed in a redirect...                         │
2022-12-19T09:07:26.7536734Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
2022-12-19T09:07:26.7537319Z ├────────────────────┼───────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7537866Z │ System.Private.Uri │ CVE-2019-0980 │          │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
2022-12-19T09:07:26.7538375Z │                    │               │          │                   │               │ Core Denial of Service...                                    │
2022-12-19T09:07:26.7538926Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
2022-12-19T09:07:26.7539490Z │                    ├───────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
2022-12-19T09:07:26.7540009Z │                    │ CVE-2019-0981 │          │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
2022-12-19T09:07:26.7540518Z │                    │               │          │                   │               │ Denial of Service                                            │
2022-12-19T09:07:26.7540990Z │                    │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
2022-12-19T09:07:26.7541600Z └────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-12-19T09:07:26.9022909Z Post job cleanup.

Suggested solution

Implement automated vulnerability scans of your own GitHub Runner code, and ensure any CRITICAL or HIGH severity CVEs which can be mitigated are mitigated before a new version is released.
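One way to implement the gate suggested above, as an added example that is not part of the runner project or this issue: a script that reads Trivy's JSON report and fails only on HIGH/CRITICAL findings that have a fixed version, which is the "can be mitigated" condition. Field names are those of Trivy's JSON report format; the sample report, the Other.deps.json target and the CVE-0000-* ids are constructed placeholders.

```python
"""Gate a Trivy JSON report: exit non-zero only for HIGH/CRITICAL findings that
have a fixed version, i.e. the ones a dependency bump would mitigate.
Added example, not runner project code; field names follow Trivy's JSON report."""
import json
import sys

GATED_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample report echoing the scan output above: the same .NET
# findings appear under two deps.json targets. "Other.deps.json" and the
# CVE-0000-* ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "Results": [
    {"Target": "home/github-runner/bin/Other.deps.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2018-8292", "PkgName": "System.Net.Http",
         "InstalledVersion": "4.3.0", "FixedVersion": "4.3.4", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2019-0980", "PkgName": "System.Private.Uri",
         "InstalledVersion": "4.3.0", "FixedVersion": "4.3.2", "Severity": "HIGH"}]},
    {"Target": "home/github-runner/bin/Sdk.deps.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2018-8292", "PkgName": "System.Net.Http",
         "InstalledVersion": "4.3.0", "FixedVersion": "4.3.4", "Severity": "HIGH"},
        # No FixedVersion: a version bump cannot mitigate it, so it is not gated.
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "Example.Pkg",
         "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "Example.Pkg",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "LOW"}]}]})


def fixable_findings(report_json, gated=GATED_SEVERITIES):
    """Map (CVE, package) -> {installed, fixed, targets} for gated findings with a fix.
    Deduplicates a CVE reported under several deps.json files inside one image."""
    findings = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is null when clean
            if vuln.get("Severity") not in gated or not vuln.get("FixedVersion"):
                continue
            key = (vuln["VulnerabilityID"], vuln["PkgName"])
            entry = findings.setdefault(key, {"installed": vuln["InstalledVersion"],
                                              "fixed": vuln["FixedVersion"], "targets": []})
            entry["targets"].append(result.get("Target", "?"))
    return findings


def main(argv):
    data = open(argv[1]).read() if len(argv) > 1 else sys.stdin.read()
    findings = fixable_findings(data)
    for (cve, pkg), e in sorted(findings.items()):
        print(f"{cve} {pkg} {e['installed']} -> {e['fixed']} in {len(e['targets'])} target(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `trivy image --format json <image> | python gate.py` or pass the report path as the first argument; a non-zero exit fails the release job.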

andersthorbeck commented 1 year ago

Somewhat related issues, also mentioning CVEs in the runner: https://github.com/actions/runner/issues/2145, https://github.com/actions/runner/issues/1869, https://github.com/actions/runner/issues/1886.

andersthorbeck commented 1 year ago

Almost all of these vulnerabilities (except CVE-2022-29244) are still present in new runner version 2.301.1.

matsest commented 1 year ago

Hi @TingluoHuang, is this being addressed? The CVEs should be fixed regardless of the suggested solutions.

Is there an intent to implement something like the suggested solution here? It should not be very hard to add to the repository. Additionally, is this something you want contributions for, or will you work it out internally?

andersthorbeck commented 1 year ago

In the most recent version, 2.302.1, the following vulnerabilities were introduced:

None of the previous CVEs were mitigated.

mario-campos commented 1 year ago

It looks like most, if not all, of the NPM vulnerabilities are not an issue. Either they were false-positives or they've been fixed, because I don't see any reference to http-cache-semantics, json-schema, npm, or qs in either package.json or package-lock.json file.

And, while minimatch is in the lock file, it's not subject to https://github.com/advisories/GHSA-f8q6-p94x-37v3 because it does not meet the version-range criteria (v3.1.2 > v3.0.5).

So, unless I missed something, I think it's safe to ignore those JS CVEs.

andersthorbeck commented 1 year ago

@mario-campos Even if they are false positives though, every GitHub consumer running their own self-hosted GitHub runners will run into these same issues. Even the most recent version 2.309.0 has 4 CVEs, all in .NET: the same 3 as originally reported here 9 months ago, and additionally CVE-2019-0820 (HIGH severity, from dotnet-core).

┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Net.Http                │ CVE-2018-8292 │ HIGH     │ fixed  │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication      │
│                                │               │          │        │                   │               │ information exposed in a redirect...                         │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                    │
├────────────────────────────────┼───────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Private.Uri             │ CVE-2019-0980 │          │        │                   │ 4.3.2         │ dotnet: infinite loop in Uri.TryCreate leading to ASP.Net    │
│                                │               │          │        │                   │               │ Core Denial of Service...                                    │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0980                    │
│                                ├───────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2019-0981 │          │        │                   │               │ dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core │
│                                │               │          │        │                   │               │ Denial of Service                                            │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0981                    │
├────────────────────────────────┼───────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │          │        │                   │ 4.3.1         │ dotnet: timeouts for regular expressions are not enforced    │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0820                    │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

All of these CVEs seem mitigable simply by bumping version numbers. Doing so would absolve all GitHub consumers attempting to run self-hosted runners from investigating these same CVEs, which aggregated across all of us is currently a huge and unproductive time drain.

mmclane commented 4 months ago

I can't believe this is still an issue

casey-robertson-paypal commented 4 weeks ago

Still an issue - it gets tiresome seeing these pop up in vuln scanning