Critical/High Severity issues reported by Snyk for postgres:15.6

IanT111 commented 8 months ago

Description

When performing a snyk IAC scan against the container image we are receiving 1 Critical and 1 High severity issues in v15.6

Steps to reproduce

snyk container test postgres:15.6 --severity-threshold=high

Expected behaviour

No high or critical vulnerabilities found

Actual behaviour

1 Critical and 1 High severity vulnerabilities found

Testing neo4j:5.18.1...

✗ High severity vulnerability found in systemd/libsystemd0
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-6277510
  Introduced through: apt@2.2.4, util-linux/bsdutils@1:2.36.1-8+deb11u1, util-linux/mount@2.36.1-8+deb11u1, procps@2:3.3.[17](https://github.com/SSEPLC/cceo-prod-private-container-image/actions/runs/8420409320/job/23055058492#step:6:18)-5, systemd/libudev1@247.3-7+deb11u4
  From: apt@2.2.4 > systemd/libsystemd0@247.3-7+deb11u4
  From: util-linux/bsdutils@1:2.36.1-8+deb11u1 > systemd/libsystemd0@247.3-7+deb11u4
  From: apt@2.2.4 > apt/libapt-pkg6.0@2.2.4 > systemd/libsystemd0@247.3-7+deb11u4
  and 5 more...
  Image layer: 'apt-get install -y curl gcc git jq make procps tini wget'

✗ Critical severity vulnerability found in zlib/zlib1g
  Description: Integer Overflow or Wraparound
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-ZLIB-6008961
  Introduced through: zlib/zlib1g@1:1.2.11.dfsg-2+deb11u2
  From: zlib/zlib1g@1:1.2.11.dfsg-2+deb11u2

yosifkit commented 8 months ago

1) there are no package updates available:

$ docker run -it --rm postgres:15 bash
Unable to find image 'postgres:15' locally
/usr/bin/docker-credential-desktop.exe: Invalid argument
15: Pulling from library/postgres
8a1e25ce7c4f: Already exists
b2be002daccf: Pull complete
71dff0956c31: Pull complete
962627501404: Pull complete
c23077a7a05a: Pull complete
40632b8e7084: Pull complete
cfbec5f1dac7: Pull complete
d1743de7c97b: Pull complete
c9cde040a07c: Pull complete
3a23a8d46005: Pull complete
f499f39f0f2d: Pull complete
2cf0f5381fa5: Pull complete
89f512733a11: Pull complete
45deb7326cc7: Pull complete
Digest: sha256:ea40a028dd42740d6cff34135ff6b3119ff7ce0ed60120d992216456b5987fe7
Status: Downloaded newer image for postgres:15
root@285d58b1b5ae:/# apt update
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8,786 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [12.7 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [147 kB]
Get:7 http://apt.postgresql.org/pub/repos/apt bookworm-pgdg InRelease [123 kB]
Get:8 http://apt.postgresql.org/pub/repos/apt bookworm-pgdg/main amd64 Packages [304 kB]
Get:9 http://apt.postgresql.org/pub/repos/apt bookworm-pgdg/15 amd64 Packages [2,594 B]
Fetched 9,630 kB in 2s (5,653 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@285d58b1b5ae:/# apt list --upgradeable
Listing... Done

2) https://security.snyk.io/vuln/SNYK-DEBIAN11-SYSTEMD-6277510 -> https://security-tracker.debian.org/tracker/CVE-2023-50868

As far as I can tell, this is a false positive for the libsystemd0 package; although it is built from the same source package (systemd), the vulnerability is in systemd-resolved (but maybe I am wrong).
Also, Debian Security Team has chosen not to backport a fix:

[bookworm] - systemd (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release) 3) https://security.snyk.io/vuln/SNYK-DEBIAN11-ZLIB-6008961 -> https://security-tracker.debian.org/tracker/CVE-2023-45853
this one is not applicable since minizip is not built from the zlib source package

[bookworm] - zlib (contrib/minizip not built and producing binary packages)

Without fixes available in Debian packages, there is nothing we can do here.

yosifkit commented 8 months ago

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

docker-library / postgres