We scanned the latest image as well, but the issues reported by Tenable Security were the same. We also ran the latest image through another container scanning tool we have access to, called "Snyk", and it reported a lot more vulnerabilities in that image.
Our security team is not approving this Docker image for installation in our K8s. Please submit an updated image that addresses these issues to Docker Hub.
VULNERABILITY ANALYSIS RESULTS:
DockerHub External Image: confluentinc/cp-schema-registry:5.4.0
[Vulnerability 01] TITLE: [linux] libgcrypt20 - CVE-2019-13627:
pkg: libgcrypt20: 1.6.3-2+deb8u5
Severity: High
Description: It was discovered that there was an ECDSA timing attack in the libgcrypt20 cryptographic library. Versions affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.
Exploitability: Remotely Exploitable
Solution: libgcrypt timing attack fixed in version 1.8.5+
References:
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html
http://www.openwall.com/lists/oss-security/2019/10/02/2
https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5
[Vulnerability 02] TITLE: [linux] libcomerr2 - CVE-2019-5094:
pkgs:
libcomerr2: 1.42.12-2+b1
e2fslibs: 1.42.12-2+b1
libss2: 1.42.12-2+b1
e2fsprogs: 1.42.12-2+b1
Severity: Medium
Exploitability: Locally Exploitable, low complexity
Description: An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
Solution: For Debian 8 "Jessie", this problem has been fixed in version 1.42.12-2+deb8u1.
For the oldstable distribution (stretch), this problem has been fixed in version 1.43.4-2+deb9u1.
For the stable distribution (buster), this problem has been fixed in version 1.44.5-1+deb10u2.
References:
https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/
https://seclists.org/bugtraq/2019/Sep/58
Name: cp-schema-registry
Tag: 5.4.0
Digest: sha256:6483e6258e517a2dec9d13d3e8b7fff2a963d9ec6f67bcac554b9fecd88d976b
Status: scanned
LastJobStatus: completed
Score: score9
NumberOfVulns: 2
NumberOfMalware: 0
Source: pushed
CreatedAt: 2020-02-06T18:06:53.269Z
FinishedAt: 2020-02-06T18:29:50.303Z
ImageHash: 27756bdebb20
Size: 1584
OS: Debian
OSVersion: 8.11