fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

debian stable-slim base image used in docker image fleetdm/fleetctl contains critical vulnerability in libssl1.1 #20571

Open efasel opened 1 month ago

efasel commented 1 month ago

Fleet version: v4.54.0

Web browser and operating system: –


💥  Actual behavior

result of trivy scanner:

┌───────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│  Library  │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                         │
├───────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-1292 │ CRITICAL │ fixed  │ 1.1.1n-0+deb11u4  │ 1.1.1o-1      │ openssl: c_rehash script allows command injection     │
│           │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-1292             │
│           ├───────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────┤
│           │ CVE-2022-2068 │          │        │                   │ 3.0.4-1       │ openssl: the c_rehash script allows command injection │
│           │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2068             │
│           ├───────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────┤
│           │ CVE-2022-2274 │          │        │                   │ 3.0.4-2       │ openssl: AVX-512-specific heap buffer overflow        │
│           │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2274             │
└───────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘

🧑‍💻  Steps to reproduce

–

🕯️ More info (optional)

update to latest debian stable-slim image: https://hub.docker.com/_/debian/tags?page=&page_size=&ordering=&name=stable-slim

QA notes

To test these changes you will need to build fleetdm/wix, fleetdm/bomutils and fleetdm/fleetctl locally (which should overwrite the remote tags):

The following should be tested on a macOS AND a Linux host (with Docker installed):

make wix-docker
make bomutils-docker
make fleetctl-docker

Then test generating all the pkg|msi|deb|rpm packages both with the fleetctl executable (as usual) and with the fleetdm/fleetctl docker image.
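As an added example (not code from the Fleet project or the reporter), a small CI gate that reads the JSON report produced by `trivy image --format json` and lists the findings at or above a severity threshold that trivy already marks as having a fixed version available, which is exactly the situation in the table above; the embedded report is constructed to mirror that table plus one unfixed finding with a placeholder id.

```python
import json

# Rank used for the severity threshold comparison.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in trivy's JSON report layout, mirroring the libssl1.1 rows
# in the issue. The libc6 entry and its CVE id are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "fleetdm/fleetctl",
    "Results": [{
        "Target": "fleetdm/fleetctl (debian)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-1292", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1n-0+deb11u4", "FixedVersion": "1.1.1o-1",
             "Status": "fixed", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2022-2068", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1n-0+deb11u4", "FixedVersion": "3.0.4-1",
             "Status": "fixed", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2022-2274", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1n-0+deb11u4", "FixedVersion": "3.0.4-2",
             "Status": "fixed", "Severity": "CRITICAL"},
            # No upstream fix yet: worth reporting, but a base-image bump cannot clear it.
            {"VulnerabilityID": "CVE-0000-PLACEHOLDER", "PkgName": "libc6",
             "InstalledVersion": "0.0-constructed", "FixedVersion": "",
             "Status": "affected", "Severity": "HIGH"},
        ],
    }],
})


def fixable_findings(report_json, min_severity="HIGH"):
    """Return (package, CVE, installed, fixed) tuples for findings at or above
    min_severity that trivy marks as fixed upstream, i.e. clearable by updating."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in report.get("Results", []):
        # trivy omits the key entirely when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if v.get("Status") != "fixed" or not v.get("FixedVersion"):
                continue
            hits.append((v["PkgName"], v["VulnerabilityID"],
                         v["InstalledVersion"], v["FixedVersion"]))
    return hits


def gate(report_json, min_severity="HIGH"):
    """Exit-code style result: 0 when nothing fixable is left, 1 to block the image."""
    hits = fixable_findings(report_json, min_severity)
    for pkg, cve, installed, fixed in hits:
        print(f"{pkg}: {cve} installed {installed}, fixed in {fixed}")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Run against a real report by replacing `SAMPLE_REPORT` with the file contents; the gate fails only on findings that a newer base image or package can actually remove, so unfixed findings do not block the build while they stay visible in the log.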

xpkoala commented 1 month ago

Thank you for the ticket on this @efasel. I've alerted our team and we will be assessing asap.

lukeheath commented 1 month ago

@efasel Thank you for calling this out for us! We'll have a fix merged shortly.

@sharon-fdm We have an open PR to update the base image that is building for everything except PKG. @rfairburn started on this but is out for a couple of weeks, so I'm sending this to EO for triage and to get it over the finish line. Since this is a security issue, I'm escalating to a P2 to expedite.

valentinpezon-primo commented 4 weeks ago

Hi!

Since we have Vanta in our system, the docker image that we store on our cloud gives us a lot of VULN alerts

openSSL is one of them but there are many more (see screen)

It will block us in our SOC2 certification if we are not able to get the most critical one fixed

Is it possible to tackle them as well?

Thanks 🙏

Screenshot 2024-08-07 at 11 17 22

lukeheath commented 4 weeks ago

@valentinpezon-primo Thanks for the heads up!

@sharon-fdm @lucasmrod Can we tackle the additional vulns reported by @valentinpezon-primo as part of this bug, or should we open a separate bug ticket?

lucasmrod commented 4 weeks ago

UPDATE:

So, we need to update the base images of both fleetdm/bomutils and fleetdm/fleetctl. (This is why we increased the estimation from 3 to 5.)

lucasmrod commented 2 weeks ago

@xpkoala Added QA notes.