Closed sanketmagar2001 closed 4 months ago
^^ The same goes for alpine-3.19.
I am running into this issue as well with Twistlock flagging OpenSSL on Alpine with CVE-2019-0190.
Looking at the CVE, it looks like it applies to Apache HTTP Server version 2.4.37 with any version of OpenSSL 1.1.1 or later.
Would that make it a false positive to be flagging any version of OpenSSL, especially if Apache HTTP server isn't even installed?
I too have the same problem with Prisma Cloud reporting the vulnerability and confirm that it occurs with the base Alpine Docker image without any changes to the Dockerfile (so no Apache installed). I wrote an email to Alpine support a few weeks ago to report this issue, but haven't had any feedback.
I agree with the others that this sounds like a false positive that needs to be fixed somehow.
Side note: I get the same CVE detected in our alpine image with Prisma Cloud. However, Trivy (another image scanning tool) does not detect this.
Hi, is this related to the vulnerability flagged here? https://hub.docker.com/layers/library/golang/1.20-alpine3.19/images/sha256-c479199e85119eb4a17ca80ec08824b97d0420dfb31a03a0c496c85a296f9341?context=explore
Is there any fix that I've not seen?
> Hi, is this related to the vulnerability flagged here? https://hub.docker.com/layers/library/golang/1.20-alpine3.19/images/sha256-c479199e85119eb4a17ca80ec08824b97d0420dfb31a03a0c496c85a296f9341?context=explore
> Is there any fix that I've not seen?
Not really, it's a completely different CVE.
Then shall we open a new issue?
Do we have a fix for this?
Today I checked the Prisma Cloud report again, and it seems that the false positive is resolved and does not appear anymore :)
> Today I checked the Prisma Cloud report again, and it seems that the false positive is resolved and does not appear anymore :)
That's interesting. For us it still shows. Is your Prisma Cloud instance on premises or are you perhaps using a SaaS solution? We are on prem.
I don't know for sure since it is in the client's infrastructure: the address is an internal one, but they could use a proxy :(
The Alpine Docker image does not include mod_ssl, so there is nothing for us to fix.
Please use a better scanner.
CVE-2019-0190 : https://nvd.nist.gov/vuln/detail/CVE-2019-0190
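An applicability check for the false positive discussed in this thread, added here as an example (it is not code from the thread or from the Alpine project): it reads apk's installed-package database and reports the CVE as applicable only when mod_ssl is present and Apache HTTP Server is 2.4.37. The database path lib/apk/db/installed and the package name "apache2-ssl" for mod_ssl are assumptions, and every package version in the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: apk's database lives at
# lib/apk/db/installed and Alpine packages mod_ssl as "apache2-ssl".

# Print "name version" for each record (P: = package name, V: = version).
apk_packages() {
    awk '/^P:/ { name = substr($0, 3) }
         /^V:/ { print name, substr($0, 3) }' "$1"
}

# Succeeds only if mod_ssl is installed and Apache HTTP Server is 2.4.37,
# the version named in the CVE text quoted in the thread.
# An OpenSSL package on its own is never sufficient.
cve_2019_0190_applicable() {
    pkgs=$(apk_packages "$1")
    ver=$(printf '%s\n' "$pkgs" | awk '$1 == "apache2" { print $2 }')
    ssl=$(printf '%s\n' "$pkgs" | awk '$1 == "apache2-ssl" { print "yes" }')
    [ "$ssl" = "yes" ] || return 1
    case "$ver" in
        2.4.37 | 2.4.37-r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a constructed, abbreviated database; args are "name=version" pairs.
write_sample_db() {
    out=$1; shift
    : > "$out"
    for pv in "$@"; do
        printf 'P:%s\nV:%s\n\n' "${pv%%=*}" "${pv#*=}" >> "$out"
    done
}

# Demo on a constructed base-image inventory (OpenSSL libraries, no Apache).
db=$(mktemp)
write_sample_db "$db" musl=1.2.4-r2 libcrypto3=3.1.4-r5 libssl3=3.1.4-r5
if cve_2019_0190_applicable "$db"; then
    echo "CVE-2019-0190: affected component present"
else
    echo "CVE-2019-0190: not applicable (no mod_ssl / Apache 2.4.37)"
fi
rm -f "$db"
```

To check a real image, pass the database file from its extracted root filesystem to `cve_2019_0190_applicable` in place of the sample file.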