dotnet / dotnet-docker

Docker images for .NET and the .NET Tools.
https://hub.docker.com/_/microsoft-dotnet
MIT License

Deprecated dependencies on aspnet:6.0 docker image #4180

Closed tersam-95 closed 1 year ago

tersam-95 commented 1 year ago

Hi,

Describe the Bug

mcr.microsoft.com/dotnet/aspnet:6.0 docker image uses deprecated versions of several dependencies that have been flagged by our dependency scanners:

gzip Improper Input Validation CVE-2022-1271, CVSS 8.8 HIGH SNYK-DEBIAN11-GZIP-2444256 gzip@1.10-4 Fixed in gzip@1.10-4+deb11u1 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

libtasn1-6 Out-of-bounds Read CVE-2021-46848 SNYK-DEBIAN11-LIBTASN16-3061097 CVSS 9.1 CRITICAL libtasn1-6@4.16.0-2 and apt@2.2.4 Fixed in Libtasn1@4.19.0 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

dpkg Directory Traversal CVE-2022-1664 SNYK-DEBIAN11-DPKG-2847942 CVSS 9.8 CRITICAL meta-common-packages@meta Fixed in dpkg@1.20.10 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

openssl OS Command Injection CVE-2022-2068 SNYK-DEBIAN11-OPENSSL-2933518 CVSS 9.8 CRITICAL openssl/libssl1.1@1.1.1n-0+deb11u1, ca-certificates@20210119 and others Fixed in openssl@1.1.1n-0+deb11u3 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

openssl OS Command Injection CVE-2022-1292 CVSS 9.8 CRITICAL openssl/libssl1.1@1.1.1n-0+deb11u1, ca-certificates@20210119 and others Fixed in openssl@1.1.1n-0+deb11u2 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

zlib/zlib1g Out-of-bounds Write CVE-2022-37434 SNYK-DEBIAN11-ZLIB-2976151 CVSS 9.8 CRITICAL meta-common-packages@meta Fixed in zlib/zlib1g@1:1.2.11.dfsg-2+deb11u2 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

pcre2/libpcre2-8-0 Out-of-bounds Read CVE-2022-1586 SNYK-DEBIAN11-PCRE2-2808704 CVSS 9.1 CRITICAL meta-common-packages@meta Fixed in pcre2/libpcre2-8-0@10.36-2+deb11u1 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

Steps to Reproduce

Validate the versions of the dependencies described above that are used in the mcr.microsoft.com/dotnet/aspnet:6.0 docker image and validate the vulnerabilities referenced for those dependency versions. Update the dependency to the recommended non-vulnerable version.

Output of docker version

mcr.microsoft.com/dotnet/aspnet:6.0

mthalman commented 1 year ago

None of those listed vulnerabilities is actionable. See analysis below for more detail. Most of these indicate versions that already exist in the image. Make sure you're building on top of the latest version of the image. It was last updated a week ago. I'm going to close this since there's no action to take here but feel free to respond if you have questions.


gzip Improper Input Validation CVE-2022-1271, CVSS 8.8 HIGH SNYK-DEBIAN11-GZIP-2444256 gzip@1.10-4 Fixed in gzip@1.10-4+deb11u1 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

Image is already up-to-date with that version:

C:\>docker run --rm mcr.microsoft.com/dotnet/aspnet:6.0 apt list gzip

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Listing...
gzip/now 1.10-4+deb11u1 amd64 [installed,local]

libtasn1-6 Out-of-bounds Read CVE-2021-46848 SNYK-DEBIAN11-LIBTASN16-3061097 CVSS 9.1 CRITICAL libtasn1-6@4.16.0-2 and apt@2.2.4 Fixed in Libtasn1@4.19.0 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

No fix is available for Debian 11 (Bullseye): https://security-tracker.debian.org/tracker/CVE-2021-46848. They've classified it as a minor issue.


dpkg Directory Traversal CVE-2022-1664 SNYK-DEBIAN11-DPKG-2847942 CVSS 9.8 CRITICAL meta-common-packages@meta Fixed in dpkg@1.20.10 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

Image is already up-to-date with that version:

C:\>docker run --rm mcr.microsoft.com/dotnet/aspnet:6.0 apt list dpkg

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Listing...
dpkg/now 1.20.12 amd64 [installed,local]

openssl OS Command Injection CVE-2022-2068 SNYK-DEBIAN11-OPENSSL-2933518 CVSS 9.8 CRITICAL openssl/libssl1.1@1.1.1n-0+deb11u1, ca-certificates@20210119 and others Fixed in openssl@1.1.1n-0+deb11u3 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

Image is already up-to-date with that version:

C:\>docker run --rm mcr.microsoft.com/dotnet/aspnet:6.0 apt list openssl

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Listing...
openssl/now 1.1.1n-0+deb11u3 amd64 [installed,local]

openssl OS Command Injection CVE-2022-1292 CVSS 9.8 CRITICAL openssl/libssl1.1@1.1.1n-0+deb11u1, ca-certificates@20210119 and others Fixed in openssl@1.1.1n-0+deb11u2 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

Image is already up-to-date with that version:

C:\>docker run --rm mcr.microsoft.com/dotnet/aspnet:6.0 apt list openssl

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Listing...
openssl/now 1.1.1n-0+deb11u3 amd64 [installed,local]

zlib/zlib1g Out-of-bounds Write CVE-2022-37434 SNYK-DEBIAN11-ZLIB-2976151 CVSS 9.8 CRITICAL meta-common-packages@meta Fixed in zlib/zlib1g@1:1.2.11.dfsg-2+deb11u2 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

Image is already up-to-date with that version:

C:\>docker run --rm mcr.microsoft.com/dotnet/aspnet:6.0 apt list zlib1g

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Listing...
zlib1g/now 1:1.2.11.dfsg-2+deb11u2 amd64 [installed,local]

pcre2/libpcre2-8-0 Out-of-bounds Read CVE-2022-1586 SNYK-DEBIAN11-PCRE2-2808704 CVSS 9.1 CRITICAL meta-common-packages@meta Fixed in pcre2/libpcre2-8-0@10.36-2+deb11u1 Introduced by your base image (mcr.microsoft.com/dotnet/aspnet:6.0) NO KNOWN EXPLOIT

Image is already up-to-date with that version:

C:\>docker run --rm mcr.microsoft.com/dotnet/aspnet:6.0 apt list libpcre2-8-0

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Listing...
libpcre2-8-0/now 10.36-2+deb11u1 amd64 [installed,local]