docker-library / memcached

Docker Official Image packaging for memcached
http://memcached.org/
BSD 3-Clause "New" or "Revised" License
131 stars, 99 forks

Latest 1.6.19 image has Non-fixable CVEs reported #85

Closed infa-rahusingh closed 1 year ago

infa-rahusingh commented 1 year ago

Hi, the CVEs below are reported in the latest 1.6.19 image. These need to be taken care of as part of governance, as memcached is being used across our k8s containers.

CVE-2019-8457 CVE-2022-1304 CVE-2020-16156 CVE-2021-33560 CVE-2022-29458 CVE-2005-2541 CVE-2019-1010022 CVE-2019-1010023 CVE-2017-7245 CVE-2019-19882 CVE-2017-7246 CVE-2018-6829 CVE-2018-20796 CVE-2011-4116 CVE-2019-9192 CVE-2018-5709 CVE-2019-20838 CVE-2017-11164 CVE-2016-2781 CVE-2020-13529 CVE-2007-6755 CVE-2017-16231 CVE-2022-0563 CVE-2019-1010025 CVE-2019-1010024 CVE-2007-5686 CVE-2013-4235 CVE-2017-18018 CVE-2011-3389 CVE-2010-4756 CVE-2010-0928 CVE-2011-3374 CVE-2021-36087 CVE-2013-4392 CVE-2021-36085 CVE-2021-36084 CVE-2021-36086

tianon commented 1 year ago

If they're "non-fixable", I'm not sure what you're expecting us to do about them? :sweat_smile:

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

yosifkit commented 1 year ago

The images are based upon Debian Bullseye and all packages are as up to date as they can be. The Debian Security team is very proactive on security updates and on backporting fixes for important/exploitable vulnerabilities.

Let's look at one: https://security-tracker.debian.org/tracker/CVE-2010-0928

I doubt that this matters to any production deployment. It should probably be ignored by scanners. Even Red Hat didn't apply a fix for it (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0928):

CVE-2010-0928 describes a fault-based attack on OpenSSL where an attacker has precise control over the target system environment in order to be able to introduce faults through power supply manipulation.

The Red Hat Security Response Team has rated this issue as having low security impact, as the attack is not a viable threat to OpenSSL as used in Red Hat products.

CashWilliams commented 1 year ago

Why can't this be switched to Debian Bookworm (most of the CVEs I spot checked are fixed in Bookworm)?

tianon commented 1 year ago

There probably aren't any technical blockers to switching. The primary reason we haven't switched yet is because Bookworm isn't officially released yet, which very notably means it is not yet officially supported by the Debian Security Team (so we'd be in a net slightly worse security position until it becomes GA).