argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

tini-static binary is vulnerable to a bunch of CVEs #19574

Closed xiaoyaozibc closed 2 weeks ago

xiaoyaozibc commented 3 weeks ago

Describe the bug

I've used the VMware OSSPI tool to scan multiple ArgoCD versions (v2.10.3, v2.10.16, v2.11.7, v2.12.1); all of them show that the usr/bin/tini-static binary has 6 critical and 31 total vulnerabilities. It seems the tini-static binary is built with an old version of glibc, which is the vulnerable package. What is the use of the tini-static binary in ArgoCD? Could you upgrade the binary to resolve some of the CVEs?

To Reproduce

Scan ArgoCD v2.12.1 with osspi tool

Expected behavior

Fewer critical CVEs

Screenshots

[Two screenshots of the scanner output attached, dated 2024-08-16]

Version

v2.12.1

jannfis commented 3 weeks ago

tini-static apparently comes with the tini package. We do not use tini-static anywhere. We do however use its dynamically linked sibling /usr/bin/tini as a wrapper for the container image's entrypoint to act as an init replacement for proper signal handling and process reaping.

I do believe your scanner's alert is a false positive, because tini-static should be linked against the same glibc objects as come with the distribution. I wonder how the scanner detects which particular version of glibc the binary was statically linked with.
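
A way to answer the question raised above about which glibc a static binary was linked with, added here as an example and not part of the issue or of Argo CD: a statically linked glibc executable usually carries the libc version banner ("GNU C Library (...) stable release version 2.xx.") in its read-only data, so `strings` plus a pattern match recovers it, while a dynamically linked binary has a PT_INTERP entry and simply uses whatever libc package the image ships (which is what a scanner should match it against). The banner lines in the test are constructed; the image name in the comments assumes the official `quay.io/argoproj/argocd` image.

```shell
#!/bin/sh
# Added example (not Argo CD project code): report whether each given ELF
# binary is dynamically or statically linked and, for static binaries, which
# glibc version banner it embeds. Needs binutils (readelf, strings) and sed.
set -eu

# Extract the version number from a glibc banner, e.g.
# "GNU C Library (Ubuntu GLIBC 2.31-0ubuntu9.9) stable release version 2.31."
# yields "2.31"; prints nothing if the line is not a glibc banner.
parse_glibc_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*release version \([0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p'
}

# Classify one binary. Returns 0 when the linkage could be determined,
# 1 when it is static but carries no glibc banner (not glibc, or stripped
# out), so callers can flag it for manual inspection.
linked_glibc() {
    path=$1
    # A dynamically linked executable requests a program interpreter (ld.so).
    if readelf -l "$path" 2>/dev/null | grep -q 'Requesting program interpreter'; then
        echo "dynamic: resolves libc at run time from the image's libc package"
        return 0
    fi
    banner=$(strings "$path" 2>/dev/null | grep 'GNU C Library' | head -n 1 || true)
    if [ -z "$banner" ]; then
        echo "static: no glibc banner found (not glibc, or banner stripped)"
        return 1
    fi
    echo "static: glibc $(parse_glibc_banner "$banner")  [$banner]"
}

# Usage: copy the binaries out of the image first, since binutils is not
# guaranteed to be present inside it (image name assumed, adjust the tag):
#   id=$(docker create quay.io/argoproj/argocd:v2.12.1)
#   docker cp "$id:/usr/bin/tini-static" . && docker cp "$id:/usr/bin/tini" .
#   docker rm "$id"
#   sh check-libc.sh ./tini-static ./tini
for f in "$@"; do
    printf '%s: ' "$f"
    linked_glibc "$f" || true
done
```

Comparing the version the banner reports with the glibc package installed in the image shows immediately whether the scanner matched the static binary against a different (older) glibc than the one the distribution ships.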

xiaoyaozibc commented 3 weeks ago

Thanks @jannfis for the information! The scanner didn't really say which glibc version was linked, but from the revealed vulnerabilities (e.g., https://nvd.nist.gov/vuln/detail/CVE-2021-33574), it seems the version is 2.32 or 2.33, which is pretty old (4 years ago). I saw that the tini project (https://github.com/krallin/tini) was not very active; the release v0.19.0 was also from 4 years ago. No wonder the static binary is built with an old glibc version that is prone to a bunch of vulnerabilities. Is there a way to mitigate the issue? If tini-static is not used anywhere, can we remove the binary from the argocd image?

jannfis commented 2 weeks ago

I'm still pretty sure that your scanner is triggering a false positive. Are you using a custom image?

Anyhow, you can remove tini-static from your image without side effects.
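
One way to act on the advice above, added here as an example and not Argo CD project code: a script that builds a derived image with /usr/bin/tini-static deleted and then confirms that /usr/bin/tini, the dynamically linked wrapper the image's entrypoint relies on, is still present. It assumes Docker is installed, that the base image is the official `quay.io/argoproj/argocd` image, and that the image runs as the unprivileged UID 999; check the UID against the tag you deploy with `docker inspect --format '{{.Config.User}}' <image>` before using it.

```shell
#!/bin/sh
# Added example (not Argo CD project code): produce a copy of the official
# image without the unused tini-static binary. Assumes Docker, the official
# image name, and that the image's non-root user is UID 999.
set -eu

BASE_IMAGE=${BASE_IMAGE:-quay.io/argoproj/argocd:v2.12.1}
OUT_IMAGE=${OUT_IMAGE:-argocd-no-tini-static:v2.12.1}

# Print the Dockerfile for the derived image. The file is removed as root and
# the original unprivileged user is restored afterwards, so the runtime
# behaviour (entrypoint via /usr/bin/tini, user, ports) is unchanged.
render_dockerfile() {
    cat <<EOF
FROM $1
USER root
RUN rm -f /usr/bin/tini-static
USER 999
EOF
}

# Build from the rendered Dockerfile on stdin (no build context needed) and
# verify that tini-static is gone while the entrypoint wrapper survives.
build_and_verify() {
    render_dockerfile "$BASE_IMAGE" | docker build -t "$OUT_IMAGE" -
    docker run --rm --entrypoint sh "$OUT_IMAGE" -c \
        'test ! -e /usr/bin/tini-static && test -x /usr/bin/tini && echo "ok: tini-static removed, tini kept"'
}

# Usage: sh strip-tini-static.sh build
if [ "${1:-}" = build ]; then
    build_and_verify
fi
```

Rescanning the derived image afterwards is the real check: if the only findings attributed to tini-static disappear and nothing new is reported against /usr/bin/tini, the scanner was indeed matching the static binary against a glibc version different from the one the image actually ships.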

xiaoyaozibc commented 2 weeks ago

I'm using the official image. Sure, I'll try removing the tini-static binary if I have to. Thanks!