aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://trivy.dev
Apache License 2.0

CVE-2021-32760 in trivy binary #1226

Closed 4x0v7 closed 3 years ago

4x0v7 commented 3 years ago

Description

Failing pipeline example https://gitlab.com/4x0v7/yamllint/-/jobs/1572999553

What did you expect to happen?

No CVEs detected

What happened instead?

CVE-2021-32760 detected in trivy binary

Output of run with -debug:

Step 3/5 : RUN wget -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin     && trivy --debug filesystem --exit-code 1 --no-progress /     && trivy --reset     && rm -rf /usr/local/bin/trivy     && rm -rf /root/.cache
 ---> Running in c751c0d62b09
aquasecurity/trivy info checking GitHub for latest tag
aquasecurity/trivy info found version: 0.19.2 for v0.19.2/Linux/64bit
aquasecurity/trivy info installed /usr/local/bin/trivy
2021-09-09T06:55:04.425Z    DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2021-09-09T06:55:04.436Z    DEBUG   cache dir:  /root/.cache/trivy
2021-09-09T06:55:04.437Z    DEBUG   There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2021-09-09T06:55:04.438Z    INFO    Need to update DB
2021-09-09T06:55:04.438Z    INFO    Downloading DB...
2021-09-09T06:55:04.439Z    DEBUG   no metadata file
2021-09-09T06:55:04.634Z    DEBUG   release name: v1-2021090906
2021-09-09T06:55:04.634Z    DEBUG   asset name: trivy-light-offline.db.tgz
2021-09-09T06:55:04.635Z    DEBUG   file name doesn't match
2021-09-09T06:55:04.635Z    DEBUG   asset name: trivy-light.db.gz
2021-09-09T06:55:04.636Z    DEBUG   file name doesn't match
2021-09-09T06:55:04.636Z    DEBUG   asset name: trivy-offline.db.tgz
2021-09-09T06:55:04.637Z    DEBUG   file name doesn't match
2021-09-09T06:55:04.637Z    DEBUG   asset name: trivy.db.gz
2021-09-09T06:55:04.653Z    DEBUG   asset URL: https://github-releases.githubusercontent.com/216830441/c41e188d-cdcf-42e3-bb3f-bf13be35ced3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210909%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210909T065410Z&X-Amz-Expires=300&X-Amz-Signature=b1a55de6b122a5a22221d86fe9790aec04202ecc864b38a1f41a060f913f7d74&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy.db.gz&response-content-type=application%2Foctet-stream
2021-09-09T06:55:06.349Z    DEBUG   Updating database metadata...
2021-09-09T06:55:06.351Z    DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2021-09-09 06:05:22.068492507 +0000 UTC, NextUpdate: 2021-09-09 12:05:22.068492007 +0000 UTC, DownloadedAt: 2021-09-09 06:55:06.35083651 +0000 UTC
2021-09-09T06:55:06.351Z    DEBUG   Vulnerability type:  [os library]
2021-09-09T06:55:06.405Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/lib2to3/pgen2/token.py: failed to parse usr/local/lib/python3.9/lib2to3/pgen2/token.py: unrecognized executable format
2021-09-09T06:55:06.406Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/config-3.9-x86_64-linux-gnu/makesetup: failed to parse usr/local/lib/python3.9/config-3.9-x86_64-linux-gnu/makesetup: unrecognized executable format
2021-09-09T06:55:06.407Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/config-3.9-x86_64-linux-gnu/python-config.py: failed to parse usr/local/lib/python3.9/config-3.9-x86_64-linux-gnu/python-config.py: unrecognized executable format
2021-09-09T06:55:06.407Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/config-3.9-x86_64-linux-gnu/install-sh: failed to parse usr/local/lib/python3.9/config-3.9-x86_64-linux-gnu/install-sh: unrecognized executable format
2021-09-09T06:55:06.408Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/trace.py: failed to parse usr/local/lib/python3.9/trace.py: unrecognized executable format
2021-09-09T06:55:06.409Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/pdb.py: failed to parse usr/local/lib/python3.9/pdb.py: unrecognized executable format
2021-09-09T06:55:06.410Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/tarfile.py: failed to parse usr/local/lib/python3.9/tarfile.py: unrecognized executable format
2021-09-09T06:55:06.410Z    DEBUG   Analysis error: unable to parse etc/ssl/misc/tsget.pl: failed to parse etc/ssl/misc/tsget.pl: unrecognized executable format
2021-09-09T06:55:06.410Z    DEBUG   Analysis error: unable to parse etc/ssl/misc/CA.pl: failed to parse etc/ssl/misc/CA.pl: unrecognized executable format
2021-09-09T06:55:06.410Z    DEBUG   Analysis error: unable to parse etc/network/if-up.d/dad: failed to parse etc/network/if-up.d/dad: unrecognized executable format
2021-09-09T06:55:06.412Z    DEBUG   Analysis error: unable to parse etc/ca-certificates/update.d/certhash: failed to parse etc/ca-certificates/update.d/certhash: unrecognized executable format
2021-09-09T06:55:06.412Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/pydoc.py: failed to parse usr/local/lib/python3.9/pydoc.py: unrecognized executable format
2021-09-09T06:55:06.413Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/webbrowser.py: failed to parse usr/local/lib/python3.9/webbrowser.py: unrecognized executable format
2021-09-09T06:55:06.526Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/quopri.py: failed to parse usr/local/lib/python3.9/quopri.py: unrecognized executable format
2021-09-09T06:55:06.527Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/cProfile.py: failed to parse usr/local/lib/python3.9/cProfile.py: unrecognized executable format
2021-09-09T06:55:06.528Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/cgi.py: failed to parse usr/local/lib/python3.9/cgi.py: unrecognized executable format
2021-09-09T06:55:06.533Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/timeit.py: failed to parse usr/local/lib/python3.9/timeit.py: unrecognized executable format
2021-09-09T06:55:06.534Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/encodings/rot_13.py: failed to parse usr/local/lib/python3.9/encodings/rot_13.py: unrecognized executable format
2021-09-09T06:55:06.535Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/smtplib.py: failed to parse usr/local/lib/python3.9/smtplib.py: unrecognized executable format
2021-09-09T06:55:06.536Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/base64.py: failed to parse usr/local/lib/python3.9/base64.py: unrecognized executable format
2021-09-09T06:55:06.539Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/platform.py: failed to parse usr/local/lib/python3.9/platform.py: unrecognized executable format
2021-09-09T06:55:06.541Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/idlelib/pyshell.py: failed to parse usr/local/lib/python3.9/idlelib/pyshell.py: unrecognized executable format
2021-09-09T06:55:06.542Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/bytedesign.py: failed to parse usr/local/lib/python3.9/turtledemo/bytedesign.py: unrecognized executable format
2021-09-09T06:55:06.542Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/forest.py: failed to parse usr/local/lib/python3.9/turtledemo/forest.py: unrecognized executable format
2021-09-09T06:55:06.543Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/fractalcurves.py: failed to parse usr/local/lib/python3.9/turtledemo/fractalcurves.py: unrecognized executable format
2021-09-09T06:55:06.543Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/clock.py: failed to parse usr/local/lib/python3.9/turtledemo/clock.py: unrecognized executable format
2021-09-09T06:55:06.544Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/minimal_hanoi.py: failed to parse usr/local/lib/python3.9/turtledemo/minimal_hanoi.py: unrecognized executable format
2021-09-09T06:55:06.544Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/sorting_animate.py: failed to parse usr/local/lib/python3.9/turtledemo/sorting_animate.py: unrecognized executable format
2021-09-09T06:55:06.545Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/yinyang.py: failed to parse usr/local/lib/python3.9/turtledemo/yinyang.py: unrecognized executable format
2021-09-09T06:55:06.546Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/lindenmayer.py: failed to parse usr/local/lib/python3.9/turtledemo/lindenmayer.py: unrecognized executable format
2021-09-09T06:55:06.546Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/peace.py: failed to parse usr/local/lib/python3.9/turtledemo/peace.py: unrecognized executable format
2021-09-09T06:55:06.547Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/penrose.py: failed to parse usr/local/lib/python3.9/turtledemo/penrose.py: unrecognized executable format
2021-09-09T06:55:06.547Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/planet_and_moon.py: failed to parse usr/local/lib/python3.9/turtledemo/planet_and_moon.py: unrecognized executable format
2021-09-09T06:55:06.548Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/paint.py: failed to parse usr/local/lib/python3.9/turtledemo/paint.py: unrecognized executable format
2021-09-09T06:55:06.549Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/tree.py: failed to parse usr/local/lib/python3.9/turtledemo/tree.py: unrecognized executable format
2021-09-09T06:55:06.550Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/turtledemo/__main__.py: failed to parse usr/local/lib/python3.9/turtledemo/__main__.py: unrecognized executable format
2021-09-09T06:55:06.552Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/smtpd.py: failed to parse usr/local/lib/python3.9/smtpd.py: unrecognized executable format
2021-09-09T06:55:06.553Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/ctypes/macholib/fetch_macholib: failed to parse usr/local/lib/python3.9/ctypes/macholib/fetch_macholib: unrecognized executable format
2021-09-09T06:55:06.553Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/socket.py: failed to parse usr/local/lib/python3.9/socket.py: unrecognized executable format
2021-09-09T06:55:06.553Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/profile.py: failed to parse usr/local/lib/python3.9/profile.py: unrecognized executable format
2021-09-09T06:55:06.554Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/tabnanny.py: failed to parse usr/local/lib/python3.9/tabnanny.py: unrecognized executable format
2021-09-09T06:55:06.609Z    DEBUG   Analysis error: unable to parse usr/local/lib/python3.9/uu.py: failed to parse usr/local/lib/python3.9/uu.py: unrecognized executable format
2021-09-09T06:55:06.619Z    DEBUG   Analysis error: unable to parse usr/local/bin/2to3-3.9: failed to parse usr/local/bin/2to3-3.9: unrecognized executable format
2021-09-09T06:55:06.643Z    DEBUG   Analysis error: unable to parse usr/local/bin/normalizer: failed to parse usr/local/bin/normalizer: unrecognized executable format
2021-09-09T06:55:06.645Z    DEBUG   Analysis error: unable to parse usr/bin/ldd: failed to parse usr/bin/ldd: unrecognized executable format
2021-09-09T06:55:06.661Z    DEBUG   Analysis error: unable to parse usr/share/udhcpc/default.script: failed to parse usr/share/udhcpc/default.script: unrecognized executable format
2021-09-09T06:55:06.664Z    DEBUG   Analysis error: unable to parse usr/local/bin/yamllint: failed to parse usr/local/bin/yamllint: unrecognized executable format
2021-09-09T06:55:06.665Z    DEBUG   Analysis error: unable to parse usr/local/bin/wheel: failed to parse usr/local/bin/wheel: unrecognized executable format
2021-09-09T06:55:06.665Z    DEBUG   Analysis error: unable to parse usr/local/bin/pip3.9: failed to parse usr/local/bin/pip3.9: unrecognized executable format
2021-09-09T06:55:06.665Z    DEBUG   Analysis error: unable to parse usr/local/bin/pip: failed to parse usr/local/bin/pip: unrecognized executable format
2021-09-09T06:55:06.666Z    DEBUG   Analysis error: unable to parse usr/local/bin/pip3: failed to parse usr/local/bin/pip3: unrecognized executable format
2021-09-09T06:55:06.666Z    DEBUG   Analysis error: unable to parse usr/local/bin/python3.9-config: failed to parse usr/local/bin/python3.9-config: unrecognized executable format
2021-09-09T06:55:06.667Z    DEBUG   Analysis error: unable to parse usr/local/bin/idle3.9: failed to parse usr/local/bin/idle3.9: unrecognized executable format
2021-09-09T06:55:06.667Z    DEBUG   Analysis error: unable to parse usr/local/bin/pydoc3.9: failed to parse usr/local/bin/pydoc3.9: unrecognized executable format
2021-09-09T06:55:06.737Z    DEBUG   Analysis error: unable to parse .dockerenv: failed to parse .dockerenv: EOF
2021-09-09T06:55:06.757Z    DEBUG   Analysis error: unable to parse sbin/ldconfig: failed to parse sbin/ldconfig: unrecognized executable format
2021-09-09T06:55:06.808Z    INFO    Detected OS: alpine
2021-09-09T06:55:06.809Z    INFO    Detecting Alpine vulnerabilities...
2021-09-09T06:55:06.809Z    DEBUG   alpine: os version: 3.14
2021-09-09T06:55:06.810Z    DEBUG   alpine: the number of packages: 36
2021-09-09T06:55:06.811Z    INFO    Number of language-specific files: 1
2021-09-09T06:55:06.812Z    INFO    Detecting gobinary vulnerabilities...
2021-09-09T06:55:06.812Z    DEBUG   Detecting library vulnerabilities, type: gobinary, path: usr/local/bin/trivy
c751c0d62b09 (alpine 3.14.2)
============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
usr/local/bin/trivy (gobinary)
==============================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
|             LIBRARY              | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                 TITLE                 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2021-32760   | MEDIUM   | v1.4.4            | v1.4.8, v1.5.4 | containerd: pulling and               |
|                                  |                  |          |                   |                | extracting crafted container          |
|                                  |                  |          |                   |                | image may result in Unix file...      |
|                                  |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-32760 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
The command '/bin/sh -c wget -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin     && trivy --debug filesystem --exit-code 1 --no-progress /     && trivy --reset     && rm -rf /usr/local/bin/trivy     && rm -rf /root/.cache' returned a non-zero code: 1

Output of trivy -v:

0.19.2

Additional details (base image name, container registry info...):

BenoitKnecht commented 3 years ago

The container image itself also contains vulnerabilities, some of which are critical:

$ podman run --rm ghcr.io/aquasecurity/trivy:0.19.2 fs --no-progress /
2021-09-14T06:14:57.874Z    INFO    Need to update DB
2021-09-14T06:14:57.874Z    INFO    Downloading DB...
2021-09-14T06:15:00.972Z    INFO    Detected OS: alpine
2021-09-14T06:15:00.972Z    INFO    Detecting Alpine vulnerabilities...
2021-09-14T06:15:00.976Z    INFO    Number of language-specific files: 1
2021-09-14T06:15:00.977Z    INFO    Detecting gobinary vulnerabilities...

d9c16c397247 (alpine 3.14.0)
============================
Total: 9 (UNKNOWN: 0, LOW: 1, MEDIUM: 3, HIGH: 2, CRITICAL: 3)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools    | CVE-2021-36159   | CRITICAL | 2.12.5-r1         | 2.12.6-r0     | libfetch before 2021-07-26, as        |
|              |                  |          |                   |               | used in apk-tools, xbps, and          |
|              |                  |          |                   |               | other products, mishandles...         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36159 |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-3711    |          | 1.1.1k-r0         | 1.1.1l-r0     | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-3712    | HIGH     |                   |               | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcurl      | CVE-2021-22922   | MEDIUM   | 7.77.0-r1         | 7.78.0-r0     | curl: Content not matching hash       |
|              |                  |          |                   |               | in Metalink is not being discarded    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22922 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-22923   |          |                   |               | curl: Metalink download               |
|              |                  |          |                   |               | sends credentials                     |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22923 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-22925   |          |                   |               | curl: Incorrect fix for               |
|              |                  |          |                   |               | CVE-2021-22898 TELNET                 |
|              |                  |          |                   |               | stack contents disclosure             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22925 |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-22924   | LOW      |                   |               | curl: Bad connection reuse            |
|              |                  |          |                   |               | due to flawed path name checks        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-22924 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libssl1.1    | CVE-2021-3711    | CRITICAL | 1.1.1k-r0         | 1.1.1l-r0     | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-3712    | HIGH     |                   |               | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

usr/local/bin/trivy (gobinary)
==============================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
|             LIBRARY              | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                 TITLE                 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2021-32760   | MEDIUM   | v1.4.4            | v1.4.8, v1.5.4 | containerd: pulling and               |
|                                  |                  |          |                   |                | extracting crafted container          |
|                                  |                  |          |                   |                | image may result in Unix file...      |
|                                  |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-32760 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+

Same with ghcr.io/aquasecurity/trivy:latest.
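Both reports above come from the same setup: trivy is installed into the image that is being scanned and then run against `/`, so the scanner's own Go binary becomes one of the scan targets and its `github.com/containerd/containerd` dependency is listed next to the image's Alpine packages. The script below is an added example, not code from the trivy project or from either post. It reads a `trivy --format json` report, gates the build on findings in the image's own targets, and lists findings in the scanner binary separately, since those are resolved by moving to a trivy release that updates the dependency rather than by changing the image. It assumes the field names trivy emits in JSON output (`Target`, `Type`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), accepts both the bare-list shape of 0.19.x reports and the later `{"Results": [...]}` wrapper, and assumes the gobinary target appears as the path `usr/local/bin/trivy`. The embedded sample report is constructed from the tables in this issue, not captured from a run.

```python
"""Triage a trivy JSON report by scan target and decide a CI exit code.

Added example (not part of trivy or of this issue). Assumed input:
the output of `trivy fs --format json --output report.json /`.
"""
import json
import sys
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report: a condensed version of the two tables in this
# issue, in the bare-list shape trivy 0.19.x emits. Field names are the ones
# trivy uses in its JSON output (assumption: see the lead-in).
SAMPLE_REPORT = json.dumps([
    {"Target": "d9c16c397247 (alpine 3.14.0)", "Type": "alpine",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2021-36159", "PkgName": "apk-tools",
          "InstalledVersion": "2.12.5-r1", "FixedVersion": "2.12.6-r0",
          "Severity": "CRITICAL"},
         {"VulnerabilityID": "CVE-2021-3711", "PkgName": "libcrypto1.1",
          "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0",
          "Severity": "CRITICAL"},
         {"VulnerabilityID": "CVE-2021-22924", "PkgName": "libcurl",
          "InstalledVersion": "7.77.0-r1", "FixedVersion": "7.78.0-r0",
          "Severity": "LOW"},
     ]},
    {"Target": "usr/local/bin/trivy", "Type": "gobinary",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2021-32760",
          "PkgName": "github.com/containerd/containerd",
          "InstalledVersion": "v1.4.4", "FixedVersion": "v1.4.8, v1.5.4",
          "Severity": "MEDIUM"},
     ]},
])

# The same findings wrapped the way later trivy releases emit them.
SAMPLE_REPORT_V2 = json.dumps({"SchemaVersion": 2,
                               "Results": json.loads(SAMPLE_REPORT)})


def rank(severity):
    """Position of a severity in SEVERITIES; unknown strings rank lowest."""
    return SEVERITIES.index(severity) if severity in SEVERITIES else 0


def load_results(report_text):
    """Return the per-target result list from either report shape."""
    data = json.loads(report_text)
    if isinstance(data, dict):          # {"SchemaVersion": 2, "Results": [...]}
        return data.get("Results") or []
    return data or []                   # 0.19.x: bare list of results


def summarize(report_text, scanner_paths=("usr/local/bin/trivy",)):
    """Per-target severity counts, flagging the scanner's own binary."""
    summary = {}
    for result in load_results(report_text):
        target = result.get("Target", "")
        counts = Counter(v.get("Severity", "UNKNOWN")
                         for v in result.get("Vulnerabilities") or [])
        summary[target] = {
            "type": result.get("Type"),
            "is_scanner": target in scanner_paths,
            "counts": {s: counts.get(s, 0) for s in SEVERITIES},
            "total": sum(counts.values()),
        }
    return summary


def gate(report_text, fail_on="HIGH", scanner_paths=("usr/local/bin/trivy",)):
    """Return (exit_code, image_hits, scanner_hits).

    exit_code is 1 when any target other than the scanner binary has a
    finding at or above `fail_on`. Findings in the scanner binary are
    returned separately: they are fixed by upgrading the scanner release,
    not by rebuilding the image, so they should not fail the image build.
    """
    threshold = rank(fail_on)
    image_hits, scanner_hits = [], []
    for result in load_results(report_text):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            if rank(sev) < threshold:
                continue
            entry = (target, v["VulnerabilityID"], v.get("PkgName"), sev)
            (scanner_hits if target in scanner_paths else image_hits).append(entry)
    return (1 if image_hits else 0), image_hits, scanner_hits


if __name__ == "__main__":
    # Usage: python triage.py report.json   (falls back to the sample report)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, image_hits, scanner_hits = gate(text)
    for target, info in summarize(text).items():
        tag = " [scanner binary]" if info["is_scanner"] else ""
        print(f"{target} ({info['type']}){tag}: {info['total']} findings {info['counts']}")
    for hit in image_hits:
        print("FAIL image target:", *hit)
    for hit in scanner_hits:
        print("NOTE scanner binary (upgrade trivy):", *hit)
    sys.exit(code)
```

With the sample report the gate exits 1 because of the two CRITICAL Alpine findings, while the containerd finding in the scanner binary is printed as a note; lowering `fail_on` to `MEDIUM` moves that finding into the note list as well, but still does not fail the build on it. The `scanner_paths` tuple is the one place to adjust if the scanner is installed elsewhere than `/usr/local/bin`.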