Busybox 1.34.1-r4 has Vulnerability CVE-2022-28391

[dao1202]

Hello!

Hope this is the place to report security warnings

Blackduck reports security warning about the busybox and ssl_client libraries in the alpine image.

We currently use the following from docker.hub eclipse-temurin:17.0.3_7-jre-alpine

And blackduck finds the following:

github.com: busybox -> 1.34.1

• CVE-2022-28391 (BDSA-2022-0883) Description BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.
• BDSA-2022-1386 Description BusyBox is vulnerable to denial-of-service (DoS) due to a use-after-free (UAF) issue when processing awk text patterns in the function copyvar() within the file editors/awk.c. An attacker could exploit this vulnerability by supplying a system with a maliciously crafted file.

Kind Regards, Sebastian

[dao1202]

Hi @ncopa , @CosmicToast and @sourcecode-glitch any news on that?

Greetings Sebastian

[sourcecode-glitch]

@dao1202 please don't ping random contributors, thanks! (I have no idea about this vulnerability, all I ever did in this repo was changing the docker run command to work without a TTY)

[sourcecode-glitch]

as a side-not (and potential workaround): alpine 3.16 ships with busybox v1.35.0, so you may be able to build a custom eclipse-temurin docker container based on a newer version than the one used by the official image (which is based on alpine 3.15)

[nishant-yt]

Is this Vulnerability has been fixed in alpine 3.16 ?

[rajivbandi]

This vulnerability is present in alpine 3.16.2 as well. What are the plans to fix this Critical vulnerability ?

[addisonautomates]

This is still present on 3.17.0 along with a new vuln CVE-2022-30065 for the same Busybox package. Any plans to remove the dependency of busybox? Otherwise, we're talking about having to completely abandon alpine as our golden image container of preference at our organization