criteo / cassandra_exporter

Apache Cassandra® metrics exporter for Prometheus
Apache License 2.0

Critical OS vulnerabilities in Docker image #110

Open elchenberg opened 2 years ago

elchenberg commented 2 years ago

Trivy detects 11 critical vulnerabilities in the operating system (packages) of the Docker image.

I do not know if there is a way to exploit them. For my peace of mind, I would like to get rid of them anyway. Please tell me if I should open a pull request.

Summary

With the following changes the number of OS-related critical vulnerabilities can be reduced from 11 to 1:

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 60c2f3a..029811e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,9 +1,10 @@
-FROM openjdk:11-jre-slim-buster
+FROM openjdk:11-jre-slim-bullseye

 ARG EXPORTER_VERSION=2.3.8

 RUN apt-get update && apt-get install -y --no-install-recommends \
                netcat \
+  && apt-get upgrade -y \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
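Review bot: the hunk bundles two independent changes, the bullseye base image and `apt-get upgrade -y`, and the post's own measurements separate their effects (11 to 3 for the base image alone, 3 to 1 with the upgrade), so that split belongs in the commit message or in a comment above the `RUN` line; `apt-get upgrade -y` makes the layer's content depend on the build date, and a reviewer will otherwise ask why it is there and when the image is rebuilt. The one finding left in every scan, libdb5.3 CVE-2019-8457, has an empty Fixed Version column, so no apt change will clear it; say so explicitly rather than implying further upgrades will. Since the resulting image is untested, a minimal smoke test (build, start the container, confirm the exporter serves metrics) should accompany the change.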

Caveat: I have not tested the resulting image.

Details

trivy image --severity=CRITICAL --vuln-type=os criteord/cassandra_exporter:2.3.8
criteord/cassandra_exporter:2.3.8 (debian 10.11)

Total: 11 (CRITICAL: 11)

┌───────────┬────────────────┬──────────┬───────────────────┬──────────────────┬──────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Installed Version │  Fixed Version   │                            Title                             │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin  │ CVE-2021-33574 │ CRITICAL │ 2.28-10           │                  │ glibc: mq_notify does not handle separately allocated thread │
│           │                │          │                   │                  │ attributes                                                   │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin  │ CVE-2021-35942 │ CRITICAL │ 2.28-10           │                  │ glibc: Arbitrary read in wordexp()                           │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin  │ CVE-2022-23218 │ CRITICAL │ 2.28-10           │                  │ glibc: Stack-based buffer overflow in svcunix_create via     │
│           │                │          │                   │                  │ long pathnames                                               │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│           ├────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-23219 │          │                   │                  │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│           │                │          │                   │                  │ a long pathname                                              │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
├───────────┼────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2021-33574 │          │                   │                  │ glibc: mq_notify does not handle separately allocated thread │
│           │                │          │                   │                  │ attributes                                                   │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-33574                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2021-35942 │ CRITICAL │ 2.28-10           │                  │ glibc: Arbitrary read in wordexp()                           │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-35942                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6     │ CVE-2022-23218 │ CRITICAL │ 2.28-10           │                  │ glibc: Stack-based buffer overflow in svcunix_create via     │
│           │                │          │                   │                  │ long pathnames                                               │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23218                   │
│           ├────────────────┤          │                   ├──────────────────┼──────────────────────────────────────────────────────────────┤
│           │ CVE-2022-23219 │          │                   │                  │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│           │                │          │                   │                  │ a long pathname                                              │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-23219                   │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libdb5.3  │ CVE-2019-8457  │ CRITICAL │ 5.3.28+dfsg1-0.5  │                  │ sqlite: heap out-of-bound read in function rtreenode()       │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
├───────────┼────────────────┤          ├───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-1292  │          │ 1.1.1d-0+deb10u8  │ 1.1.1n-0+deb10u2 │ openssl: c_rehash script allows command injection            │
│           │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-1292                    │
├───────────┤                │          │                   │                  │                                                              │
│ openssl   │                │          │                   │                  │                                                              │
│           │                │          │                   │                  │                                                              │
└───────────┴────────────────┴──────────┴───────────────────┴──────────────────┴──────────────────────────────────────────────────────────────┘

By using a bullseye base image instead of the buster base image the number of critical vulnerabilities can be reduced to 3:

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 60c2f3a..aff83b3 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:11-jre-slim-buster
+FROM openjdk:11-jre-slim-bullseye
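Review bot: the hunk header `@@ -1,4 +1,4 @@` declares four lines on each side, but only the two `FROM` lines are shown, so this excerpt is truncated and would not apply as pasted; either include the three context lines or present it as a one-line change. The scan below also shows why the base image alone is not enough: `libssl1.1` on the bullseye tag is installed at `1.1.1n-0+deb11u1` while the fix is `1.1.1n-0+deb11u2`, i.e. the openjdk tag lags the Debian security archive, which is the justification for the `apt-get upgrade` step in the other hunk.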
trivy image --severity=CRITICAL --vuln-type=os $(docker build --quiet --file docker/Dockerfile .)
sha256:156f7d236a8a5153f3e5f3ceadb5fac424c7933794f408599a1f79f0e7b66a3d (debian 11.3)

Total: 3 (CRITICAL: 3)

┌───────────┬───────────────┬──────────┬───────────────────┬──────────────────┬────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability │ Severity │ Installed Version │  Fixed Version   │                         Title                          │
├───────────┼───────────────┼──────────┼───────────────────┼──────────────────┼────────────────────────────────────────────────────────┤
│ libdb5.3  │ CVE-2019-8457 │ CRITICAL │ 5.3.28+dfsg1-0.8  │                  │ sqlite: heap out-of-bound read in function rtreenode() │
│           │               │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2019-8457              │
├───────────┼───────────────┤          ├───────────────────┼──────────────────┼────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-1292 │          │ 1.1.1n-0+deb11u1  │ 1.1.1n-0+deb11u2 │ openssl: c_rehash script allows command injection      │
│           │               │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-1292              │
├───────────┤               │          │                   │                  │                                                        │
│ openssl   │               │          │                   │                  │                                                        │
│           │               │          │                   │                  │                                                        │
└───────────┴───────────────┴──────────┴───────────────────┴──────────────────┴────────────────────────────────────────────────────────┘

And by adding apt-get upgrade to the mix, the number can be reduced to 1:

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 60c2f3a..029811e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,9 +1,10 @@
-FROM openjdk:11-jre-slim-buster
+FROM openjdk:11-jre-slim-bullseye

 ARG EXPORTER_VERSION=2.3.8

 RUN apt-get update && apt-get install -y --no-install-recommends \
                netcat \
+  && apt-get upgrade -y \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
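Review bot: this hunk repeats the one in the summary (same index `60c2f3a..029811e`), so the same caveat applies: `apt-get upgrade -y` inside the single `RUN` layer, before `apt-get clean` and the lists cleanup, is the right placement for image size, but the layer now changes with each build date, so rebuilds and rescans need a schedule or the 1-finding result will drift. The remaining libdb5.3 CVE-2019-8457 has no Fixed Version, so it should be handled as a documented accepted risk (for Trivy, `--ignore-unfixed` or a `.trivyignore` entry keeps a CI gate meaningful) or by checking whether libdb5.3 is needed by the image at all.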
sha256:24f8301b5d6ce4da428a90eff88114627dee653418ea0308b103896d2bd740db (debian 11.3)

Total: 1 (CRITICAL: 1)

┌──────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                         Title                          │
├──────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libdb5.3 │ CVE-2019-8457 │ CRITICAL │ 5.3.28+dfsg1-0.8  │               │ sqlite: heap out-of-bound read in function rtreenode() │
│          │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457              │
└──────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘
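The workflow in the post comes down to one distinction: findings with a Fixed Version (closed by a newer base image or `apt-get upgrade`) versus findings without one (libdb5.3 here), which no rebuild will clear. The following is an added example, not code from cassandra_exporter or from the issue author, that turns that distinction into a CI gate over Trivy's JSON report (`trivy image -f json ...`). The embedded report is constructed from the table values above; the field names (`Results`, `Class`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) follow Trivy's JSON layout, and the `--strict` flag is this script's own, not Trivy's.

```python
"""CI gate for Trivy JSON output: fail on CRITICAL OS findings that have a
fix available, and report unfixable ones separately so they can be tracked
instead of silently failing every build.

Added example, not part of criteo/cassandra_exporter. Run as
`trivy image -f json IMAGE | python gate.py [--strict]`; with no stdin it
evaluates the constructed sample below.
"""
import json
import sys

# Constructed sample in Trivy's JSON layout, assembled from the scan tables in
# the issue (bullseye base image before `apt-get upgrade`). FixedVersion is
# absent when the distribution ships no fix, as for libdb5.3 here.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "criteord/cassandra_exporter:2.3.8 (debian 11.3)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2019-8457", "PkgName": "libdb5.3",
             "InstalledVersion": "5.3.28+dfsg1-0.8", "Severity": "CRITICAL",
             "Title": "sqlite: heap out-of-bound read in function rtreenode()"},
            {"VulnerabilityID": "CVE-2022-1292", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1n-0+deb11u1",
             "FixedVersion": "1.1.1n-0+deb11u2", "Severity": "CRITICAL",
             "Title": "openssl: c_rehash script allows command injection"},
            {"VulnerabilityID": "CVE-2022-1292", "PkgName": "openssl",
             "InstalledVersion": "1.1.1n-0+deb11u1",
             "FixedVersion": "1.1.1n-0+deb11u2", "Severity": "CRITICAL",
             "Title": "openssl: c_rehash script allows command injection"},
        ],
    }],
})


def classify_findings(report_json, severities=("CRITICAL",), os_only=True):
    """Split findings into (fixable, unfixable) lists of
    (package, cve, installed_version, fixed_version) tuples.

    A finding is fixable when the report carries a non-empty FixedVersion;
    os_only restricts the gate to OS packages, matching --vuln-type=os."""
    report = json.loads(report_json)
    fixable, unfixable = [], []
    for result in report.get("Results", []):
        if os_only and result.get("Class") != "os-pkgs":
            continue
        # Trivy omits the key (or sets null) when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            entry = (vuln["PkgName"], vuln["VulnerabilityID"],
                     vuln.get("InstalledVersion", ""),
                     vuln.get("FixedVersion", ""))
            (fixable if entry[3] else unfixable).append(entry)
    return fixable, unfixable


def gate(report_json, fail_on_unfixable=False):
    """Return the exit status for CI: 1 when any fixable finding remains
    (or, with fail_on_unfixable, when anything remains at all), else 0."""
    fixable, unfixable = classify_findings(report_json)
    for pkg, cve, installed, fixed in fixable:
        print(f"FIXABLE   {cve} {pkg} {installed} -> {fixed} "
              "(newer base image or apt-get upgrade)")
    for pkg, cve, installed, _ in unfixable:
        print(f"UNFIXABLE {cve} {pkg} {installed} "
              "(no distro fix; track as accepted risk)")
    if fixable or (fail_on_unfixable and unfixable):
        return 1
    return 0


if __name__ == "__main__":
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(data, fail_on_unfixable="--strict" in sys.argv))
```

On the sample report the gate fails because the two OpenSSL findings still have a fix available; after the `apt-get upgrade` layer only the libdb5.3 entry remains, and the gate passes unless run with `--strict`, which is the mode to use once the unfixable finding has been recorded and justified.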