What happened: Scanning an image that has python3-protobuf-3.9.2-150200.4.21.1.x86_64 installed generates a high-severity vulnerability:
$ grype --distro sles15.5 suse15.5_python3-protobuf:v1
NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
protobuf  3.9.2      3.18.3    python  GHSA-8gq9-2x98-w8hf  High
protobuf  3.9.2      3.15.0    python  GHSA-77rm-9x9h-xj3g  High
JSON format (excerpt):
"vulnerability": {
  "id": "GHSA-8gq9-2x98-w8hf",
  "dataSource": "https://github.com/advisories/GHSA-8gq9-2x98-w8hf",
  "namespace": "github:language:python",
  "severity": "High",
  "urls": [ "https://github.com/advisories/GHSA-8gq9-2x98-w8hf" ],
  "description": "protobuf-cpp and protobuf-python have potential Denial of Service issue",
  ...
  "id": "CVE-2022-1941",
  "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1941",
  "namespace": "nvd:cpe",
  "severity": "High",
  ...
"artifact": {
  "id": "416f3df4bc2e856a",
  "name": "protobuf",
  "version": "3.9.2",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/protobuf-3.9.2-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    },
What you expected to happen:
According to the SUSE advisory for CVE-2022-1941, the patch for this CVE is applied from version python3-protobuf >= 3.9.2-150200.4.19.2
https://www.suse.com/security/cve/CVE-2022-1941.html
SUSE Linux Enterprise Server 15 SP5
libprotobuf-lite20 >= 3.9.2-150200.4.19.2
libprotobuf20 >= 3.9.2-150200.4.19.2
libprotoc20 >= 3.9.2-150200.4.19.2
protobuf-devel >= 3.9.2-150200.4.19.2
python3-protobuf >= 3.9.2-150200.4.19.2
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA libprotobuf-lite20-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Development Tools 15 SP5 GA libprotoc20-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Development Tools 15 SP5 GA protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Public Cloud 15 SP5 GA protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Public Cloud 15 SP5 GA python3-protobuf-3.9.2-150200.4.19.2
SUSE-SLE-Module-Basesystem-15-SP5-2023-2783
SUSE-SLE-Module-Public-Cloud-15-SP5-2023-2783
Installed version in the container: python3-protobuf-3.9.2-150200.4.21.1.x86_64
$ rpm -qf /usr/lib/python3.6/site-packages/protobuf-3.9.2-py3.6.egg-info/PKG-INFO
python3-protobuf-3.9.2-150200.4.21.1.x86_64
Conclusion: The installed version is greater than the minimum patched version from SLES 15.5, but Grype still generates a vulnerability.
How to reproduce it (as minimally and precisely as possible):
1) Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-protobuf=3.9.2-150200.4.21.1
ENTRYPOINT [""]
CMD ["bash"]
2) Build an image from Dockerfile
docker build -t "suse15.5_python3-protobuf:v1" .
3) Test with Grype now
$ grype --distro sles15.5 suse15.5_python3-protobuf:v1
NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
protobuf  3.9.2      3.18.3    python  GHSA-8gq9-2x98-w8hf  High
protobuf  3.9.2      3.15.0    python  GHSA-77rm-9x9h-xj3g  High
Environment:
$ grype --version
grype 0.76.0
In container image ecosystem:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"