Closed amccoy95 closed 1 year ago
The Apache httpd package comes from Debian packages and there are no apache2
updates available. If you have the CVE number, then you can look at the Debian security team source package page to see why it isn't updated in Debian or why it was already backported.
$ docker run -it --rm php:apache bash
Unable to find image 'php:apache' locally
apache: Pulling from library/php
bb263680fed1: Already exists
0825793cba86: Pull complete
de3c011d207b: Pull complete
7e3c5bd9650e: Pull complete
40c3827232f7: Pull complete
1fdaec518652: Pull complete
5bfea1d79d41: Pull complete
3ff9593637da: Pull complete
21510ed5c521: Pull complete
19fc153c1158: Pull complete
8a588ece2744: Pull complete
7efcf7ed3ac8: Pull complete
008699d6a3e9: Pull complete
Digest: sha256:05d6dd71d835cca64e2cf4bbd72a28f06d3c22434c17df5b86f92f8b42cfdca2
Status: Downloaded newer image for php:apache
root@8a348094662e:/var/www/html# apt update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian bullseye/main amd64 Packages [8183 kB]
Get:5 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [229 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [14.6 kB]
Fetched 8635 kB in 1s (6869 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
6 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@8a348094662e:/var/www/html# apt list --upgradable
Listing... Done
curl/stable-security 7.74.0-1.3+deb11u7 amd64 [upgradable from: 7.74.0-1.3+deb11u5]
libaprutil1-dbd-sqlite3/stable-security 1.6.1-5+deb11u1 amd64 [upgradable from: 1.6.1-5]
libaprutil1-ldap/stable-security 1.6.1-5+deb11u1 amd64 [upgradable from: 1.6.1-5]
libaprutil1/stable-security 1.6.1-5+deb11u1 amd64 [upgradable from: 1.6.1-5]
libcurl4/stable-security 7.74.0-1.3+deb11u7 amd64 [upgradable from: 7.74.0-1.3+deb11u5]
libgnutls30/stable-security 3.7.1-5+deb11u3 amd64 [upgradable from: 3.7.1-5+deb11u2]
Background:
Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).
Official Images FAQ:
Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame
Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.
We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.
- from the same FAQ link
There is a debian image update today and then we will rebuild all official images FROM them, so any available updates will be included.
I am using wordpress:latest (pulled today Feb 1st) and I just ran a PenTest scan by intruder.io.
I am still getting this Apache vulnerability alert.
Should I open a new issue?
Instead of opening a new issue, you should look up the CVE in question at https://security-tracker.debian.org/tracker/ and see if Debian has fixed it (because it's very likely that Debian fixed it and your tool is doing naïve parsing of the version number reported by Apache where Debian usually backports security-related patches without updating the version number; as noted above, see also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves).
(That's also where you'll find the Debian Security Team's notes on why they didn't fix it, if that ends up being the case.)
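The lookup described above, as an added example that is not part of this thread: it contrasts the naive banner-version comparison a scanner does with a triage against the Debian Security Tracker's per-release status. The tracker data is a constructed sample shaped like the tracker's JSON export (an assumption about its layout), with values mirroring what the thread quotes.

```python
import json

# Constructed sample shaped like the Debian Security Tracker JSON export
# (https://security-tracker.debian.org/tracker/data/json). Layout is an
# assumption; the entry below mirrors the thread's "<no-dsa> (Minor issue)".
# The second CVE id is a made-up placeholder showing a resolved entry.
TRACKER_JSON = json.dumps({
    "apache2": {
        "CVE-2023-31122": {
            "scope": "local",
            "releases": {
                "bullseye": {"status": "open", "urgency": "unimportant",
                             "nodsa": "Minor issue",
                             "repositories": {"bullseye": "2.4.57-2"}},
                "bookworm": {"status": "open", "urgency": "unimportant",
                             "nodsa": "Minor issue",
                             "repositories": {"bookworm": "2.4.57-2"}},
            },
        },
        "CVE-0000-PLACEHOLDER": {
            "releases": {
                "bullseye": {"status": "resolved",
                             "fixed_version": "2.4.57-2+constructed1"},
            },
        },
    }
})


def parse_version(v):
    """Split a dotted upstream version ("2.4.57") into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def naive_banner_check(banner_version, upstream_fixed_in):
    """What a version-matching scanner does: flag if the reported Apache
    version is below the upstream release that fixed the CVE. This ignores
    Debian backports, which patch the package without bumping the version."""
    return parse_version(banner_version) < parse_version(upstream_fixed_in)


def debian_triage(tracker, source_pkg, cve, release):
    """Return the tracker's view of one CVE for one source package/release."""
    entry = tracker.get(source_pkg, {}).get(cve)
    if entry is None:
        return "not-tracked"
    rel = entry.get("releases", {}).get(release)
    if rel is None:
        return "not-affected-or-unlisted"
    if rel.get("status") == "resolved":
        return "fixed-in-" + rel.get("fixed_version", "?")
    if "nodsa" in rel:  # open but deliberately not patched via a DSA
        return "open-no-dsa (" + rel["nodsa"] + ")"
    return "open"


if __name__ == "__main__":
    tracker = json.loads(TRACKER_JSON)
    print("scanner flags 2.4.57:", naive_banner_check("2.4.57", "2.4.58"))
    print("tracker says:", debian_triage(tracker, "apache2", "CVE-2023-31122", "bullseye"))
```

The scanner result and the tracker result differ for the same CVE, which is exactly the case this thread describes: the banner says vulnerable, while Debian has classified the issue as minor and not planned for a security update.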
Apparently these 3:
https://nvd.nist.gov/vuln/detail/CVE-2023-31122
https://nvd.nist.gov/vuln/detail/CVE-2023-43622
https://nvd.nist.gov/vuln/detail/CVE-2023-45802
Apache has already fixed them in v2.4.58 https://httpd.apache.org/security/vulnerabilities_24.html
Latest Wordpress pulls php:8.2-apache which still uses 2.4.57
https://security-tracker.debian.org/tracker/CVE-2023-31122 -- Debian has no plans to fix
[bookworm] - apache2 <no-dsa> (Minor issue) [bullseye] - apache2 <no-dsa> (Minor issue)
https://security-tracker.debian.org/tracker/CVE-2023-43622 -- same
[bookworm] - apache2 <no-dsa> (Minor issue) [bullseye] - apache2 <no-dsa> (Minor issue)
https://security-tracker.debian.org/tracker/CVE-2023-45802 -- same
[bookworm] - apache2 <no-dsa> (Minor issue) [bullseye] - apache2 <no-dsa> (Minor issue)
Our security scan has detected vulnerabilities with a critical status for the wordpress:apache image. Its recommendation is to bump the Apache version from 2.4.x to 2.4.55.
The scan picked up the vulnerability on the 23rd January.