awk vulnerability (CVE-2022-30065)

[eli-darkly]

https://nvd.nist.gov/vuln/detail/CVE-2022-30065 is showing up (in Black Duck scans) as a vulnerability in the version of busybox used by Alpine 3.16.0. I'm somewhat surprised that this hasn't been mentioned yet here, since it's over a month old, so I'm wondering if it is a spurious report.

[tooptoop4]

seeing same thing in aqua scan

[amy-marie-b]

I am also seeing this as a vulnerability

[yishayna]

Same for me. aquasec/trivy:latest detects CVE-2022-30065 with severity HIGH for alpine 3.16.1

[reieRMeister]

Same here with trivy and alpine 3.16.1. Trivy does not report any vulnerability with apline 20220715

[jonasmidstrup]

Apparently, the vulnerability is not present in Alpine Linux version 3.15, as Trivy doesn't complain about this version.

[marcelo-r]

Same for us with Anchore on Azure, this was reported only today, so they probably changed severity. Yesterday was having the same issue as https://github.com/alpinelinux/docker-alpine/issues/261, resolved by upgrading packages.

NAME        INSTALLED   FIXED-IN    VULNERABILITY   SEVERITY 
busybox     1.35.0-r13  1.35.0-r17  CVE-2022-30065  High      
ssl_client  1.35.0-r13  1.35.0-r17  CVE-2022-30065  High      
1 error occurred:
    * discovered vulnerabilities at or above the severity threshold

[sshuklao]

@keithmattix still seeing the same issue in 3.16.1.

The scan results show that 1 ISSUE was found for the image.

Vulnerable Packages Found
=========================

CVE-2022-30065

   Policy Status
   Active

   Summary
   A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.

   Vendor Security Notice IDs   Official Notice
   ALPINE-CVE-2022-30065

   Affected Packages   Policy Status   How to Resolve                        Security Notice
   busybox             Active          Upgrade busybox to >= 1.35.0-r17      ALPINE-CVE-2022-30065
   ssl_client          Active          Upgrade ssl_client to >= 1.35.0-r17   ALPINE-CVE-2022-30065

[jeremybramwell]

This seems odd since alpine 3.16.1 is supposed to fix CVE-2022-30065 according to the release notes: https://www.alpinelinux.org/posts/Alpine-3.16.1-released.html

the commit is a bit confusing to read since it has a patch within a diff: https://git.alpinelinux.org/aports/commit/?h=v3.16.1&id=e58f0e341603e9facc1e675722367174b45e0d0c

[kyberorg]

edge and 20220715 tags are shipping version 1.35.0-r18 and have 0 vulnerabilities.

[keithmattix]

@sshuklao 3.16.1 only claims to fix the openssl vuln. The awk vuln is different

[jeremybramwell]

@keithmattix, did you follow the links I posted above?

the 3.16.1 release notes lists both CVEs:

This release includes various security fixes, including:

busybox [CVE-2022-30065](https://security.alpinelinux.org/vuln/CVE-2022-30065)
openssl [CVE-2022-2097](https://security.alpinelinux.org/vuln/CVE-2022-2097)

and this commit very much looks like it is intended to fix the awk issue.

[jeremybramwell]

oh, maybe the problem is that the patch updates the pkgrel to 15 instead of 18 in main/busybox/APKBUILD

-pkgrel=14
+pkgrel=15

Edit: yep, it looks like that was the issue. https://git.alpinelinux.org/aports/commit/?h=3.16-stable&id=19218bdfa3f0798fad9a878789336099e038151f

[dhalperi]

You will note that the Alpine team originated the fix! http://lists.busybox.net/pipermail/busybox/2022-June/089768.html

So basically, they patched Busybox in their build process before their fix was released upstream, and tools should not be relying on busybox version to indicate whether their patch is present.

[eli-darkly]

@dhalperi I apologize if this is a silly question, but: how else are security scanners supposed to know whether a patch is present for something like this? I mean, a vulnerability is reported against Busybox version X, and it's known to be patched in version Y. If Alpine reports that it is still using version X then it seems predictable that the vulnerability will be flagged.

[dhalperi]

@eli-darkly - I agree it's not easy, and I am definitely not an expert in the customization in CVE and automation around it.

In this case, Trivy reports Alpine 3.16.1, which ought to be enough info. If tools are not able to use other signals though, then users can suppress CVEs with a comment, I think.

(Today, I had to suppress 3 incorrect CVEs - one in Netty that applies only to Java 6, and two for whoever decided any Python project with Flask in their website source code was releasing insecure binaries in all languages).

[marcelo-r]

edge and 20220715 tags are shipping version 1.35.0-r18 and have 0 vulnerabilities.

That's also what we did and its working. Checked packages and switched to edge since we only use alpine to run a Go binary. Now we have 0 vulnerabilities reported.

[eli-darkly]

Am I correct that it is not possible to directly update busybox to 1.35.0-r17 on a machine that has Alpine 3.16.1 installed? My first thought was to just do apk add busybox=1.35.0-r17, but I get an error that I take to mean "Alpine 3.16.1 requires the r15 version":

ERROR: unable to select packages:
  busybox-1.35.0-r15:
    breaks: world[busybox=1.35.0-r17]
    satisfies: alpine-baselayout-3.2.0-r22[/bin/sh]

In my case, I don't think using the edge build is an option; I'm building a Docker container that's used by my customers and they expect it to use pinned released versions.

[dhalperi]

@eli-darkly - that is my experience and deployment scenario as well.

[eli-darkly]

Oddly, as of today I'm no longer getting warnings from Trivy about this in Alpine 3.16.1.

[aminvakil]

Oddly, as of today I'm no longer getting warnings from Trivy about this in Alpine 3.16.1.

Yeah, I tested about 24 hours ago and I didn't get a warning either.

[vienleidl]

Oddly, as of today I'm no longer getting warnings from Trivy about this in Alpine 3.16.1.

Yeah, I tested about 24 hours ago and I didn't get a warning either.

Not for me, just checked again with Alpine Linux Release 3.16.1

busybox-1.35.0-r15 description:
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.16/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.16/community: No such file or directory
Size optimized toolbox of many common UNIX utilities

busybox-1.35.0-r15 webpage:
https://busybox.net/

busybox-1.35.0-r15 installed size:
936 KiB

[aminvakil]

$ docker run --rm alpine:3.16.1 apk info -vv | grep '^busybox'
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.16/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.16/community: No such file or directory
busybox-1.35.0-r15 - Size optimized toolbox of many common UNIX utilities

Yeah, as expected alpine 3.16.1 will not be changed to include a new release of busybox.

But trivy does not show a vulnerability anymore.

[vienleidl]

busybox-1.35.0-r15 - Size optimized toolbox of many common UNIX utilities

The same with apline:3.16 & alpine:3.16.0 which have been found by Microsoft Defender for Cloud.

$ docker run --rm alpine:3.16 apk info -vv | grep '^busybox'
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.16/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.16/community: No such file or directory
busybox-1.35.0-r15 - Size optimized toolbox of many common UNIX utilities

$ docker run --rm alpine:3.16.0 apk info -vv | grep '^busybox'
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.16/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.16/community: No such file or directory
busybox-1.35.0-r13 - Size optimized toolbox of many common UNIX utilities

[aminvakil]

busybox-1.35.0-r15 - Size optimized toolbox of many common UNIX utilities

The same with apline:3.16 & alpine:3.16.0 which have been found by Microsoft Defender for Cloud.

@vienleidl Have you read my reply?

[ncopa]

awk vulnerability (CVE-2022-30065) was fixed in 3.16.1

https://alpinelinux.org/posts/Alpine-3.16.1-released.html https://github.com/docker-library/official-images/pull/12808