alpinelinux / docker-alpine

Official Alpine Linux Docker image. Win at minimalism!
MIT License

The vulnerability CVE-2023-1255 for alpine 3.17 #321

Closed GaoJianAllen closed 1 year ago

GaoJianAllen commented 1 year ago

We use alpine:3.17.3 as the base image. Last week, Amazon ECR reported a vulnerability CVE-2023-1255 related to openssl: https://security.snyk.io/vuln/SNYK-ALPINE317-OPENSSL-5438697

I added 'apk add openssl' in my dockerfile, but it doesn't resolve the issue.

madnuttah commented 1 year ago

This will be fixed by OpenSSL in the next release: OpenSSL Security Advisory

"Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit bc2f61ad (for 3.1) and
commit 02ac9c94 (for 3.0) in the OpenSSL git repository."

Since there's already a patch available, you could compile OpenSSL yourself or use OpenSSL versions 1.1.1 or 1.0.2, which are not vulnerable, if you are affected by the issue.

bradbeck commented 1 year ago

Grype is suggesting that the latest release of the libraries would resolve the issue:

$ grype alpine     
 ✔ Vulnerability DB        [no update available]
 ✔ Pulled image            
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [16 packages]
 ✔ Scanning image...       [2 vulnerabilities]
   ├── 0 critical, 0 high, 2 medium, 0 low, 0 negligible
   └── 2 fixed

NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY 
libcrypto3  3.0.8-r3   3.0.8-r4  apk   CVE-2023-1255  Medium    
libssl3     3.0.8-r3   3.0.8-r4  apk   CVE-2023-1255  Medium    
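An added example, not part of this thread: a small POSIX shell helper that parses grype's plain-text table (the layout shown above) and turns every row with a FIXED-IN version into an `apk upgrade` command, so a CI step can fail until the image actually carries the fixed package. It assumes grype's table prints six whitespace-separated columns when a fix exists and five when FIXED-IN is blank, and that `apk upgrade --no-cache <pkg...>` is the upgrade syntax for the listed packages.

```shell
#!/bin/sh
# Added example (not from the thread or the docker-alpine project).
# Parses grype's table output and emits the apk upgrade command for
# every package that already has a FIXED-IN version.

# Sample grype output, constructed from the rows quoted in this thread
# (the 3.17.3 rows have a fix; the 3.18 row does not).
SAMPLE_GRYPE_TABLE='NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.8-r3   3.0.8-r4  apk   CVE-2023-1255  Medium
libssl3     3.0.8-r3   3.0.8-r4  apk   CVE-2023-1255  Medium
libssl3     3.1.0-r4             apk   CVE-2023-0466  Medium'

# Print "package fixed-version cve" for each row whose FIXED-IN is set.
# Takes the table text as $1; the header and five-field rows (no fix) are skipped.
fixable_rows() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF == 6 { print $1, $3, $5 }'
}

# Build the apk command that upgrades exactly the fixable packages (deduplicated).
# Prints nothing, and still returns 0, when no row has a fix available.
apk_upgrade_cmd() {
    pkgs=$(fixable_rows "$1" | awk '{ print $1 }' | sort -u | tr '\n' ' ')
    pkgs=${pkgs% }
    if [ -n "$pkgs" ]; then
        printf 'apk upgrade --no-cache %s\n' "$pkgs"
    fi
}

# CI gate: return 1 when the scanner reports a package with an upgrade available,
# and say which command would remediate it.
fail_if_fixable() {
    n=$(fixable_rows "$1" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "$n finding(s) have a fix available; remediate with: $(apk_upgrade_cmd "$1")" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: feed a live scan with  grype alpine:3.17 -o table
# (constructed sample used here so the script runs offline).
fail_if_fixable "$SAMPLE_GRYPE_TABLE"
```

The same check works on a live scan by capturing `grype <image> -o table` into the argument instead of the constructed sample.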
GaoJianAllen commented 1 year ago

I saw alpine 3.18 was released. Does it fix the issue? AWS ECR said it can't support it yet. Maybe wait a few days.


bradbeck commented 1 year ago

alpine:3.18 appears to have a different CVE:

grype alpine:3.18
 ✔ Vulnerability DB        [no update available]
 ✔ Pulled image            
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [16 packages]
 ✔ Scanning image...       [2 vulnerabilities]
   ├── 0 critical, 0 high, 2 medium, 0 low, 0 negligible
   └── 0 fixed

NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY 
libcrypto3  3.1.0-r4             apk   CVE-2023-0466  Medium    
libssl3     3.1.0-r4             apk   CVE-2023-0466  Medium    
GaoJianAllen commented 1 year ago

I use trivy.

➜  ~ trivy image alpine:3.18
2023-05-11T09:49:36.170+0800    INFO    Need to update DB
2023-05-11T09:49:36.170+0800    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-05-11T09:49:36.170+0800    INFO    Downloading DB...
36.75 MiB / 36.75 MiB [--------------------------------------------------] 100.00% 6.63 MiB p/s 5.7s
2023-05-11T09:49:46.484+0800    INFO    Vulnerability scanning is enabled
2023-05-11T09:49:46.484+0800    INFO    Secret scanning is enabled
2023-05-11T09:49:46.484+0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-11T09:49:46.484+0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-11T09:49:54.783+0800    INFO    Detected OS: alpine
2023-05-11T09:49:54.784+0800    INFO    This OS version is not on the EOL list: alpine 3.18
2023-05-11T09:49:54.784+0800    INFO    Detecting Alpine vulnerabilities...
2023-05-11T09:49:54.785+0800    INFO    Number of language-specific files: 0

alpine:3.18 (alpine 3.18.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
➜  ~ trivy image alpine:3.17
2023-05-11T09:50:02.025+0800    INFO    Vulnerability scanning is enabled
2023-05-11T09:50:02.025+0800    INFO    Secret scanning is enabled
2023-05-11T09:50:02.025+0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-11T09:50:02.026+0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-11T09:50:09.650+0800    INFO    Detected OS: alpine
2023-05-11T09:50:09.650+0800    INFO    Detecting Alpine vulnerabilities...
2023-05-11T09:50:09.652+0800    INFO    Number of language-specific files: 0

alpine:3.17 (alpine 3.17.3)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-1255 │ MEDIUM   │ 3.0.8-r3          │ 3.0.8-r4      │ Input buffer over-read in AES-XTS implementation on 64 bit │
│            │               │          │                   │               │ ARM                                                        │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-1255                  │
├────────────┤               │          │                   │               │                                                            │
│ libssl3    │               │          │                   │               │                                                            │
│            │               │          │                   │               │                                                            │
│            │               │          │                   │               │                                                            │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
GaoJianAllen commented 1 year ago

alpine 3.18 fixes the vulnerability.