Closed GaoJianAllen closed 1 year ago
This will be fixed by OpenSSL in the next release: OpenSSL Security Advisory
"Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit bc2f61ad (for 3.1) and
commit 02ac9c94 (for 3.0) in the OpenSSL git repository."
Since there's already a patch available, you could compile OpenSSL yourself, or use OpenSSL 1.1.1 or 1.0.2, which are not vulnerable, if you are affected by the issue.
Grype is suggesting that the latest release of the libraries would resolve the issue:
$ grype alpine
✔ Vulnerability DB [no update available]
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [16 packages]
✔ Scanning image... [2 vulnerabilities]
├── 0 critical, 0 high, 2 medium, 0 low, 0 negligible
└── 2 fixed
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.8-r3   3.0.8-r4  apk   CVE-2023-1255  Medium
libssl3     3.0.8-r3   3.0.8-r4  apk   CVE-2023-1255  Medium
I saw Alpine 3.18 was released. Does it fix the issue? AWS ECR said it can't support it now. Maybe wait a few days.
alpine:3.18 appears to have a different CVE:
grype alpine:3.18
✔ Vulnerability DB [no update available]
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [16 packages]
✔ Scanning image... [2 vulnerabilities]
├── 0 critical, 0 high, 2 medium, 0 low, 0 negligible
└── 0 fixed
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.1.0-r4             apk   CVE-2023-0466  Medium
libssl3     3.1.0-r4             apk   CVE-2023-0466  Medium
I use trivy.
➜ ~ trivy image alpine:3.18
2023-05-11T09:49:36.170+0800 INFO Need to update DB
2023-05-11T09:49:36.170+0800 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-05-11T09:49:36.170+0800 INFO Downloading DB...
36.75 MiB / 36.75 MiB [--------------------------------------------------] 100.00% 6.63 MiB p/s 5.7s
2023-05-11T09:49:46.484+0800 INFO Vulnerability scanning is enabled
2023-05-11T09:49:46.484+0800 INFO Secret scanning is enabled
2023-05-11T09:49:46.484+0800 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-11T09:49:46.484+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-11T09:49:54.783+0800 INFO Detected OS: alpine
2023-05-11T09:49:54.784+0800 INFO This OS version is not on the EOL list: alpine 3.18
2023-05-11T09:49:54.784+0800 INFO Detecting Alpine vulnerabilities...
2023-05-11T09:49:54.785+0800 INFO Number of language-specific files: 0
alpine:3.18 (alpine 3.18.0)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
➜ ~ trivy image alpine:3.17
2023-05-11T09:50:02.025+0800 INFO Vulnerability scanning is enabled
2023-05-11T09:50:02.025+0800 INFO Secret scanning is enabled
2023-05-11T09:50:02.025+0800 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-11T09:50:02.026+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-11T09:50:09.650+0800 INFO Detected OS: alpine
2023-05-11T09:50:09.650+0800 INFO Detecting Alpine vulnerabilities...
2023-05-11T09:50:09.652+0800 INFO Number of language-specific files: 0
alpine:3.17 (alpine 3.17.3)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-1255 │ MEDIUM │ 3.0.8-r3 │ 3.0.8-r4 │ Input buffer over-read in AES-XTS implementation on 64 bit │
│ │ │ │ │ │ ARM │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-1255 │
├────────────┤ │ │ │ │ │
│ libssl3 │ │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ │ │ │ │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
Alpine 3.18 fixes the vulnerability.
We use alpine:3.17.3 as the base image. Last week, Amazon ECR reported a vulnerability, CVE-2023-1255, related to OpenSSL: https://security.snyk.io/vuln/SNYK-ALPINE317-OPENSSL-5438697
I added `apk add openssl` to my Dockerfile, but it doesn't resolve the issue.
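The following is an added example, not code from this issue thread or from grype, trivy or Alpine. It ties together the grype table above (INSTALLED 3.0.8-r3, FIXED-IN 3.0.8-r4 for libcrypto3 and libssl3) and the `apk add openssl` question: it compares Alpine `pkgver-rN` versions to confirm which flagged packages are still below their fixed version, and emits the Dockerfile step that actually upgrades them. The scan lines are constructed from the grype output in the thread; the version comparison assumes numeric dotted versions with an optional `-rN` suffix (the shape every package here uses) and does not handle suffixes such as `_p1`.

```shell
#!/bin/sh
# Added example (not the issue's or any project's code). Decides whether
# scanner findings are still below FIXED-IN and prints the apk upgrade step.

# Compare two Alpine package versions "X.Y.Z-rN"; prints -1, 0 or 1.
# Assumption: numeric dotted versions plus an optional -rN release suffix.
apk_vercmp() {
    a=${1%-r*}; b=${2%-r*}
    ra=0; rb=0
    case $1 in *-r*) ra=${1##*-r} ;; esac
    case $2 in *-r*) rb=${2##*-r} ;; esac
    a="$a."; b="$b."
    # Walk the dotted components left to right; a missing component counts as 0.
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; a=${a#*.}
        cb=${b%%.*}; b=${b#*.}
        if [ "${ca:-0}" -lt "${cb:-0}" ]; then printf '%s\n' "-1"; return; fi
        if [ "${ca:-0}" -gt "${cb:-0}" ]; then printf '%s\n' "1"; return; fi
    done
    # Same upstream version: the -rN package release decides.
    if [ "$ra" -lt "$rb" ]; then printf '%s\n' "-1"
    elif [ "$ra" -gt "$rb" ]; then printf '%s\n' "1"
    else printf '%s\n' "0"
    fi
}

# Constructed scan lines, "NAME INSTALLED FIXED-IN", taken from the grype
# tables in the thread. "-" stands for an empty FIXED-IN column, as grype
# showed for alpine:3.18 and CVE-2023-0466.
SCAN_317='libcrypto3 3.0.8-r3 3.0.8-r4
libssl3 3.0.8-r3 3.0.8-r4'
SCAN_318='libcrypto3 3.1.0-r4 -
libssl3 3.1.0-r4 -'

# Space-separated names of packages whose installed version is older than
# FIXED-IN. Findings without a fixed version are skipped (there is nothing
# to upgrade to yet), so an empty result is not the same as "no findings".
pending_upgrades() {
    printf '%s\n' "$1" | while read -r name installed fixed; do
        [ "$fixed" != "-" ] || continue
        if [ "$(apk_vercmp "$installed" "$fixed")" -lt 0 ]; then
            printf '%s\n' "$name"
        fi
    done | tr '\n' ' ' | sed 's/ $//'
}

# The Dockerfile step that resolves the alpine:3.17 finding. `apk add openssl`
# only installs the openssl CLI package; libcrypto3 and libssl3 are already
# installed and stay at 3.0.8-r3. They must be upgraded explicitly, which
# requires 3.0.8-r4 to be present in the configured Alpine repository index.
upgrade_command() {
    pkgs=$(pending_upgrades "$1")
    if [ -n "$pkgs" ]; then
        printf 'RUN apk upgrade --no-cache %s\n' "$pkgs"
    fi
}

upgrade_command "$SCAN_317"   # RUN apk upgrade --no-cache libcrypto3 libssl3
upgrade_command "$SCAN_318"   # prints nothing: no fixed version to upgrade to
```

Run the script as-is to see the two outcomes from the thread side by side: the 3.17 image has an upgrade path, the 3.18 image does not yet. Because `apk upgrade` can only pull what the repository index offers, rerunning the scanner after the build is the check that the `-r4` packages actually landed.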