Closed trottomv closed 7 months ago
trottomv
commented
7 months ago | Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| libnghttp2-14 | CVE-2023-44487 | HIGH | fixed | 1.52.0-1 | 1.52.0-1+deb12u1 | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack... Link |
LaurentGoderre
commented
7 months ago I believe this was fixed by an update to the underlying Debian
yosifkit
commented
7 months ago libnghttp2-14 isn't installed in the python:3.11-slim-bookworm image:
$ docker run -it --rm python:3.11-slim-bookworm bash
Unable to find image 'python:3.11-slim-bookworm' locally
3.11-slim-bookworm: Pulling from library/python
1f7ce2fa46ab: Already exists
442c5d63eafd: Pull complete
c3aa3af0d581: Pull complete
4bfbe15b3e01: Pull complete
848d19a36773: Pull complete
Digest: sha256:cc758519481092eb5a4a5ab0c1b303e288880d59afc601958d19e95b300bc86b
Status: Downloaded newer image for python:3.11-slim-bookworm
root@c1ee9f1d62aa:/# dpkg -l | grep libnghttp
root@c1ee9f1d62aa:/#buildpack-deps:curl image as a dependency of curl
$ docker run -it --rm python:3.11-bookworm bash
root@93ca126589b0:/# dpkg -l | grep libnghttp
ii libnghttp2-14:amd64 1.52.0-1 amd64 library implementing HTTP/2 protocol (shared library)
$ docker run -it --rm debian:bookworm
root@d8d9bad8e55a:/# apt-get update
...
root@d8d9bad8e55a:/# apt install --no-install-recommends curl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libbrotli1 libcurl4 libgssapi-krb5-2 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0 libldap-2.5-0 libnghttp2-14 libpsl5
librtmp1 libsasl2-2 libsasl2-modules-db libssh2-1 libssl3
Suggested packages:
krb5-doc krb5-user
Recommended packages:
ca-certificates krb5-locales libldap-common publicsuffix libsasl2-modules
The following NEW packages will be installed:
curl libbrotli1 libcurl4 libgssapi-krb5-2 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0 libldap-2.5-0 libnghttp2-14 libpsl5
librtmp1 libsasl2-2 libsasl2-modules-db libssh2-1 libssl3
0 upgraded, 16 newly installed, 0 to remove and 0 not upgraded.
Need to get 4219 kB of archives.
After this operation, 11.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] ^Ccurl isn't a webserver, so I don't see how it can be exploited by this CVE. I would conclude that unless you are installing something else that depends on libnghttp2-14 and are using it to run a webserver, then the described problem in CVE-2023-44487 is never "exploitable".
Background:
Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image
FROM debian:busterwould be rebuilt whendebian:busteris built).
Official Images FAQ:
Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame.
To ensure that we don't push contentless image changes, we rely on periodic base image updates.
We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.
- from the same FAQ link
The last Debian update was 2 weeks ago, so the next will likely be within the next 2 weeks or so and the dependent image rebuilds will include this and any other fixes available.
trottomv
commented
7 months ago @yosifkit you're right, sorry, I've the alert on libnghttp2-14 from vulnerability assessment into my Dockerfile that use python:3.11-slim-bookworm as base image. But it could be a sub dependency of curl, for sure.