adoptium / containers

Repo containing the dockerfiles and scripts to produce the official eclipse-temurin containers.
https://hub.docker.com/_/eclipse-temurin/
Apache License 2.0

[Bug]: Rebuild Alpine Docker images to get rid of CVE-2023-52425 #501

Closed AB-xdev closed 6 months ago

AB-xdev commented 7 months ago

Please add the exact image (with tag) that you are using

eclipse-temurin:21-alpine

Please add the version of Docker you are running

irrelevant

What happened?

We've been waiting for more than 2 weeks for an update of the Alpine Docker images, which are currently flagged by our security scanner (trivy) with the following CVE:

  ┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
  │ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
  ├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
  │ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r2          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a denial of service │
  │          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425                  │
  └──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

The affected library has already been updated (libexpat 2.6.0-r0 is installed when running apk add --no-cache fontconfig in alpine:3.19), so the only thing that's missing is a rebuild.

The Debian/Ubuntu based images got rebuilt a few days ago, so the problem is no longer present there. Would it be possible to also rebuild the Alpine images?

Relevant log output

No response
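As an added example (not code from the adoptium/containers repository), a POSIX shell check that reports whether the libexpat inside an Alpine-based image is at or above the fixed version from the trivy table above. It parses `apk info -v` output and runs offline on a constructed package list; the version strings are the ones from the report.

```shell
#!/bin/sh
# Check whether libexpat in an Alpine-based image is at or above the version
# trivy lists as fixed for CVE-2023-52425 (2.6.0-r0). Added example, not part
# of adoptium/containers. Input is `apk info -v` output (lines like
# "libexpat-2.6.0-r0"); only the plain X.Y.Z-rN version form is handled.

FIXED_EXPAT="2.6.0-r0"   # "Fixed Version" column of the trivy report

# apk_vercmp A B: prints -1, 0 or 1 as A is older than, equal to, newer than B.
# The -rN package revision is treated as one more numeric field after X.Y.Z.
apk_vercmp() {
    a=$(printf '%s' "$1" | sed 's/-r/./'); b=$(printf '%s' "$2" | sed 's/-r/./')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$ah" = "$a" ] && a= || a=${a#*.}     # drop the field just read
        [ "$bh" = "$b" ] && b= || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}                # missing field counts as 0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# expat_installed_version APK_INFO_OUTPUT: prints the installed libexpat
# version, or nothing if the package is not in the list.
expat_installed_version() {
    printf '%s\n' "$1" | sed -n 's/^libexpat-\([0-9][0-9.]*-r[0-9]*\)$/\1/p'
}

# expat_fixed APK_INFO_OUTPUT: exit 0 if libexpat >= FIXED_EXPAT, 1 if the
# image still carries an affected build, 2 if libexpat is not installed.
expat_fixed() {
    v=$(expat_installed_version "$1")
    [ -z "$v" ] && return 2
    [ "$(apk_vercmp "$v" "$FIXED_EXPAT")" -ge 0 ]
}

# Constructed sample in the shape of `apk info -v` from an image that has
# fontconfig (which pulls in libexpat) and the pre-fix 2.5.0-r2 build.
SAMPLE_AFFECTED="musl-1.2.4_git20230717-r4
fontconfig-2.14.2-r4
libexpat-2.5.0-r2
freetype-2.13.2-r0"

# Against the real image (not run here):
#   docker run --rm eclipse-temurin:21-alpine apk info -v > pkgs.txt
#   expat_fixed "$(cat pkgs.txt)" && echo fixed || echo "still affected"
```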

karianna commented 7 months ago

@AB-xdev Please submit an issue at DockerHub (they control the base image).

AB-xdev commented 7 months ago

> they control the base image

Just FYI, the vulnerability is not inside the base image layers.

> Please submit an issue at DockerHub

Could you please tell me where I can submit issues? Do you mean the Docker forum? Or the Docker Hub feedback issue tracker or the Alpine Linux image issue tracker?

karianna commented 7 months ago

Hmm, was fontconfig already installed?

AB-xdev commented 7 months ago

> Hmm, was fontconfig already installed?

https://github.com/adoptium/containers/blob/c1163d4c36f8b0a3e72bf0bdc2e62028f2efe3ae/21/jre/alpine/Dockerfile#L33

karianna commented 7 months ago

@gdams & @sxa do we have a respin policy in place for updates to the libs in this base image, or is it up to DockerHub once we 'hand it over'?

trinishanmukha commented 7 months ago

I can see same vulnerability on eclipse-temurin:17-alpine. Do I need to create a separate issue?

karianna commented 7 months ago

> I can see same vulnerability on eclipse-temurin:17-alpine. Do I need to create a separate issue?

No, we can cover it here.

sxa commented 7 months ago

> @gdams & @sxa do we have a respin policy in place for updates to the libs in this base image, or is it up to DockerHub once we 'hand it over'?

The policy is in https://github.com/adoptium/containers/blob/main/README.md#update-policy but TL;DR we have no defined mechanism to trigger such updates. They have to be done by dockerhub.

sxa commented 7 months ago

I will also note that Docker Hub has this flagged as a high severity vulnerability (CVSS 7.5), which is certainly in line with what you're suggesting.


> Could you please tell me where I can submit issues? Do you mean the Docker forum? Or the Docker Hub feedback issue tracker or the Alpine Linux image issue tracker?

The Alpine repo already has a relevant issue (specifically mentioning our image), so the only path would be the official-images repo at https://github.com/docker-library/official-images. Let me see if I can word something appropriately.
This is a similar issue from a couple of years ago.

sxa commented 7 months ago

Thanks for bringing this to our attention. I've raised https://github.com/docker-library/official-images/issues/16289 including quite a few references to related issues that will, if nothing else, help to clarify what we can do for these in the future.

cmotsn commented 6 months ago

Hi, I've seen the docker-library issue, but it didn't seem to be going anywhere as of 8 days ago. Is there hope for an update soon?

bpowers1215 commented 6 months ago

Hi @sxa Really appreciate your follow-through on this issue. I've been watching the thread in docker-library as well - wondering if there is any path to resolution yet? We are eagerly awaiting the security updates.

sxa commented 6 months ago

> Hi @sxa Really appreciate your follow-through on this issue. I've been watching the thread in docker-library as well - wondering if there is any path to resolution yet? We are eagerly awaiting the security updates.

We had a discussion at the PMC call this week and we're going to attempt to force an update to trigger a rebuild, as that seems to be our only option at present. It's not ideal, but it will hopefully let us resolve the issue before the next update in late April.

The PR is here: https://github.com/docker-library/official-images/pull/16410

gdams commented 6 months ago

This is now complete.