docker-library / cassandra

Docker Official Image packaging for Cassandra
Apache License 2.0

Vulnerabilities in Docker images 3.0 and 3.11 #194

Closed missingdays closed 4 years ago

missingdays commented 4 years ago

We found several vulnerabilities in Cassandra images 3.0 and 3.11

They are mostly coming from debian base image

Is there a way you could either upgrade them to newer versions or remove these packages when building the Docker image?

The full list of found vulnerabilities:

In package coreutils@8.26-3:

In package perl@5.24.1-3+deb9u5:

In package python@2.7.13-2:

In package sensible-utils@0.0.9+deb9u1:

In package tar@1.29b-1.1:

wglambert commented 4 years ago

See https://github.com/docker-library/postgres/issues/286#issuecomment-302512767 docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185. And https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).


https://security-tracker.debian.org/tracker/CVE-2017-18018 Unfixed, Neutralised by kernel hardening

https://security-tracker.debian.org/tracker/CVE-2017-12814 fixed, Windows-specific issue

https://security-tracker.debian.org/tracker/CVE-2017-12837 fixed 5.24.1-3+deb9u5

https://security-tracker.debian.org/tracker/CVE-2017-12883 fixed, Windows-specific issue

https://security-tracker.debian.org/tracker/CVE-2018-6797 vulnerable in jessie, which we don't have a variant of (Regular security support updates have been discontinued as of June 17th, 2018.)

https://security-tracker.debian.org/tracker/CVE-2018-6798 fixed 5.24.1-3+deb9u5

https://security-tracker.debian.org/tracker/CVE-2018-6913 fixed 5.24.1-3+deb9u5

https://security-tracker.debian.org/tracker/CVE-2018-12015 fixed 5.24.1-3+deb9u5

https://security-tracker.debian.org/tracker/CVE-2018-18311 vulnerable in jessie, which we don't have a variant of

https://security-tracker.debian.org/tracker/CVE-2018-18312 fixed 5.24.1-3+deb9u5

https://security-tracker.debian.org/tracker/CVE-2018-18313 fixed 5.24.1-3+deb9u5


https://security-tracker.debian.org/tracker/CVE-2013-7338 fixed 2.7.13-2+deb9u3

https://security-tracker.debian.org/tracker/CVE-2015-5652 NOT-FOR-US: Python on Windows

https://security-tracker.debian.org/tracker/CVE-2016-1494 (python-rsa) fixed 3.4.2-1

https://security-tracker.debian.org/tracker/CVE-2017-17522

a software maintainer indicates that exploitation is impossible because the code relies on subprocess

https://security-tracker.debian.org/tracker/CVE-2017-18207

the vendor disputes this issue; "Nonsense report for Python"

https://security-tracker.debian.org/tracker/CVE-2018-1000030 vulnerable, there's nothing actionable for us to do

The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code. No practical security impact, why DWF assigned a CVE ID is hard to tell

https://security-tracker.debian.org/tracker/CVE-2019-9636 vulnerable, there's nothing actionable for us to do

Improper Handling of Unicode Encoding: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host

https://security-tracker.debian.org/tracker/CVE-2019-9740 vulnerable, there's nothing actionable for us to do

(Minor issue) CRLF injection is possible if the attacker controls a url parameter

https://security-tracker.debian.org/tracker/CVE-2019-9947 vulnerable, there's nothing actionable for us to do

(Minor issue) CRLF injection is possible if the attacker controls a url parameter

https://security-tracker.debian.org/tracker/CVE-2019-9948 vulnerable, there's nothing actionable for us to do

(Minor issue) urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file


https://security-tracker.debian.org/tracker/CVE-2017-17512 fixed, 0.0.9+deb9u1


https://security-tracker.debian.org/tracker/CVE-2018-20482 vulnerable, there's nothing actionable for us to do

(Minor issue) when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service

https://security-tracker.debian.org/tracker/CVE-2019-9923 vulnerable, there's nothing actionable for us to do

Crash in CLI tool, no security impact. pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.


I don't see anything actionable for us

missingdays commented 4 years ago

Thank you for your thorough answer!

I see that in the case of perl@5.24.1-3+deb9u5 and sensible-utils@0.0.9+deb9u1 fixes were backported, but the tool parses these versions as 5.24.1 and 0.0.9 and considers them vulnerable

In case of tar, is there a way you could upgrade it to version 1.30+dfsg-6 to fix CVE-2018-20482? I understand that this version is not in stretch release, but there are ways to install specific packages from newer versions

tianon commented 4 years ago

No, we aren't going to backport versions of packages just to satisfy a CVE scanner tool -- the tool should be updated to be aware of Debian's version numbering and incorporate the (freely available) Debian security database to determine whether a given CVE is actually actionable.
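Added example (not docker-library code, and not part of this issue): a pure-Python reimplementation of dpkg's version ordering, used the way the Debian security tracker uses it (a package is affected while its version sorts below the tracker's "fixed" version), placed beside a model of the scanner behaviour missingdays describes, which keeps only the leading dotted digits and so loses the `+deb9u5` backport marker. The installed and fixed versions are the ones quoted in this thread; the `naive_is_vulnerable` parsing rule is an assumption about the scanner, not something the thread states.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg character ordering: '~' < end of run < letters < other symbols
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp(): split into alternating non-digit/digit runs, compare run by run
    ta, tb = re.findall(r"\d+|\D+", a), re.findall(r"\d+|\D+", b)
    for t in (ta, tb):              # make both lists start with a non-digit run
        if not t or t[0].isdigit():
            t.insert(0, "")
    for k, (x, y) in enumerate(zip_longest(ta, tb, fillvalue="")):
        if k % 2:                   # digit run: numeric, a missing run counts as 0
            d = int(x or 0) - int(y or 0)
        else:                       # non-digit run: first differing char by _order()
            pairs = zip_longest(x, y, fillvalue="")
            d = next((_order(p) - _order(q) for p, q in pairs if p != q), 0)
        if d:
            return d
    return 0

def parse_version(v):
    # Debian form [epoch:]upstream[-revision]; the revision follows the LAST '-'
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")

def compare_versions(a, b):
    # -1, 0 or 1, same ordering as `dpkg --compare-versions`
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    d = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (d > 0) - (d < 0)

def is_vulnerable(installed, fixed):
    # Tracker semantics: affected while installed < fixed; fixed=None means no fix exists
    return fixed is None or compare_versions(installed, fixed) < 0

def naive_is_vulnerable(installed, fixed):
    # Assumed scanner behaviour from the thread: keep only the leading dotted digits,
    # so "5.24.1-3+deb9u5" becomes "5.24.1" and the deb9u5 backport marker is lost
    stripped = re.match(r"\d+(?:\.\d+)*", installed).group(0)
    return fixed is None or compare_versions(stripped, fixed) < 0
```

With the perl and sensible-utils versions from the issue, `is_vulnerable` reports both as fixed while `naive_is_vulnerable` flags both, which is exactly the false positive discussed above; for tar 1.29b-1.1 against 1.30+dfsg-6 both agree the stretch package is older.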