docker-library / php

Docker Official Image packaging for PHP
https://php.net
MIT License

Apache critical vulnerabilities #1389

Closed felixtech-msp closed 1 year ago

felixtech-msp commented 1 year ago

The image php:8.1-apache contains an old version of the Apache2 webserver which has several critical vulnerabilities: CVE-2023-25690 and CVE-2023-27522, which have a CVSS score of 9.8, as well as CVE-2006-20001, CVE-2022-36760 and CVE-2022-37436, which are CVSS rated 9.0. Please upgrade the Apache2 version ASAP to the latest version, at least 2.4.56, which is the version in which all those vulnerabilities have been fixed. In the same go, an upgrade to Debian Bookworm seems required, as per https://security-tracker.debian.org/tracker/source-package/apache2 Bullseye seems not to upgrade Apache2 further, except that Bullseye-Security does.

tianon commented 1 year ago

The images we've published have the latest version of apache2 provided by Debian:

$ docker run -it --rm --pull=always php:8.1-apache bash
8.1-apache: Pulling from library/php
Digest: sha256:fc0cf78af89a05c2c6fba8c795b843d2b5e3a95904fb17f9af9e0aa07f1bd7a7
Status: Image is up to date for php:8.1-apache
root@0614cca4fdc9:/var/www/html# apt update -qq
1 package can be upgraded. Run 'apt list --upgradable' to see it.
root@0614cca4fdc9:/var/www/html# apt list --upgradeable
Listing... Done
tzdata/stable-updates 2021a-1+deb11u9 all [upgradable from: 2021a-1+deb11u8]
N: There is 1 additional version. Please use the '-a' switch to see it
root@0614cca4fdc9:/var/www/html# apt list --upgradeable -a
Listing... Done
tzdata/stable-updates 2021a-1+deb11u9 all [upgradable from: 2021a-1+deb11u8]
tzdata/stable,now 2021a-1+deb11u8 all [installed,upgradable to: 2021a-1+deb11u9]
root@0614cca4fdc9:/var/www/html# dpkg -l apache2
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-=================================
ii  apache2        2.4.56-1~deb11u1 amd64        Apache HTTP Server

Any security scanner which is reporting these vulnerabilities in our latest php:8.1-apache image is definitely giving you false positives and needs to update the way they manage/detect vulnerabilities in Debian-based images.

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves