docker-alpine
New medium priority openssl vulnerability: CVE-2022-2097
There is a new vulnerability being reported by azure/container-scan and trivy on our builds: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097 Also flagged by Snyk at: https://snyk.io/test/docker/alpine:3.16.0
I cannot find any workarounds. Looks like the alpine package for openssl needs to be updated with fixed version of openssl first.
Is there any update on this issue?
@MarekKosinski updating affected packages in Dockerfile may help
FROM alpine
# pin the openssl packages to the release that carries the fix
RUN apk add --update-cache \
        libcrypto1.1=1.1.1q-r0 \
        libssl1.1=1.1.1q-r0 && \
    rm -rf /var/cache/apk/*
FWIW, there is a new "edge" tag (20220715) available without this vuln. I tried the package upgrade suggested in https://github.com/alpinelinux/docker-alpine/issues/261#issuecomment-1186281774, but couldn't make it work - because of package conflicts...
@erikgb actually switching from https to http repositories helps somehow
# switch the mirror URLs from https to http, then pin the fixed packages
RUN sed -i 's,https,http,g' /etc/apk/repositories && \
    apk add --update-cache \
        libcrypto1.1=1.1.1q-r0 \
        libssl1.1=1.1.1q-r0 && \
    rm -rf /var/cache/apk/*
@kyberorg But doesn't that change make you vulnerable to MITM attacks, at least theoretically? Thanks for the info anyway!
FWIW, this might have been "medium" at some point but is now being reported as "high".
This does work but it is using the edge repository:
apk --no-cache add libcrypto1.1=1.1.1q-r0 libssl1.1=1.1.1q-r0 --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community
Hi @MarekKosinski, your suggestion fixed my issue. Thanks.
The OS patch just dropped; the new image should be imminent
Yes, the image should provide this latest version.
3.16.1 is available on DockerHub
@keithmattix still seeing the same issue in 3.16.1.
The scan results show that 1 ISSUE was found for the image.

Vulnerable Packages Found
=========================
CVE-2022-30065
  Policy Status: Active
  Summary: A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
  Vendor Security Notice IDs (Official Notice): ALPINE-CVE-2022-30065

  Affected Package | Policy Status | How to Resolve                       | Security Notice
  busybox          | Active        | Upgrade busybox to >= 1.35.0-r17     | ALPINE-CVE-2022-30065
  ssl_client       | Active        | Upgrade ssl_client to >= 1.35.0-r17  | ALPINE-CVE-2022-30065
@sshuklao I can confirm. Trivy gives same results.
Edge and 20220715 are shipping version 1.35.0-r18 and have 0 vulnerabilities.
@sshuklao That's a separate vuln. Compare the 3.16.0 snyk report with the 3.16.1 snyk report
@sshuklao @keithmattix The one about awk, CVE-2022-30065, has an open issue here: https://github.com/alpinelinux/docker-alpine/issues/264
But it is still true that the 3.16.1 release notes are claiming to fix that vulnerability, and it doesn't seem to be fixed.
Ah, yep; I didn't check the CVE link. Looks like 3.16.1 is still affected
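As an added example (not from this thread or the docker-alpine project), a small check that reads `apk list --installed` output from a built image and reports which of the packages discussed above (the openssl pin for CVE-2022-2097, the busybox/ssl_client floor from the scan report for CVE-2022-30065) are still below the fixed version, so a rebuilt image can be confirmed directly instead of waiting on a scanner run. The sample package list is constructed, and the version ordering is a simplified assumption of apk's rules (dotted numbers, optional trailing letter, `-rN` release).

```python
import re
from typing import Dict, List, Tuple

# Fixed versions taken from this thread: the openssl pin for CVE-2022-2097 and
# the busybox/ssl_client floor from the scan report for CVE-2022-30065.
FIXED_VERSIONS = {
    "libcrypto1.1": "1.1.1q-r0",
    "libssl1.1": "1.1.1q-r0",
    "busybox": "1.35.0-r17",
    "ssl_client": "1.35.0-r17",
}

# Constructed sample of `apk list --installed` output, resembling a 3.16.0 image.
SAMPLE_APK_LIST = """\
busybox-1.35.0-r15 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-bundle-20220614-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libcrypto1.1-1.1.1o-r0 x86_64 {openssl} (OpenSSL) [installed]
libssl1.1-1.1.1o-r0 x86_64 {openssl} (OpenSSL) [installed]
ssl_client-1.35.0-r15 x86_64 {busybox} (GPL-2.0-only) [installed]
"""

# Version: dotted numbers, optional trailing letter, then the -rN package release.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)-r(\d+)$")
# Name and version are separated by the first hyphen that is followed by a digit.
_LINE_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d\S*)\s")

def parse_apk_version(ver: str) -> Tuple[List[int], str, int]:
    """Split a version into parts that compare in apk's order (simplified, assumption:
    numbers compare numerically, 1.1.1 < 1.1.1q, -rN breaks ties; _p1 etc. unsupported)."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported apk version: {ver!r}")
    return [int(x) for x in m.group(1).split(".")], m.group(2), int(m.group(3))

def version_at_least(installed: str, fixed: str) -> bool:
    return parse_apk_version(installed) >= parse_apk_version(fixed)

def parse_installed(apk_list_output: str) -> Dict[str, str]:
    """Map package name -> installed version from `apk list --installed` lines."""
    installed = {}
    for line in apk_list_output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            installed[m.group("name")] = m.group("ver")
    return installed

def find_unfixed(apk_list_output: str) -> Dict[str, Tuple[str, str]]:
    """Return {package: (installed, required)} for tracked packages still below the fix."""
    installed = parse_installed(apk_list_output)
    return {pkg: (installed[pkg], fixed) for pkg, fixed in FIXED_VERSIONS.items()
            if pkg in installed and not version_at_least(installed[pkg], fixed)}
```

Feed it the real output of `docker run --rm <image> apk list --installed` to check a freshly built image; an empty result from `find_unfixed` means every tracked package meets its floor.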