Open ethernoy opened 3 years ago
how can we reproduce the warning?
Jaeger does not use busybox directly, it might be coming included in the alpine image
Hi, I used the project aquasecurity/trivy to scan jaeger-agent 1.22.0, jaeger-collector 1.22.0 and jaeger-query 1.22.0. Below is the result of scanning jaeger-agent 1.22.0:
ethernsu@ethernsu-virtual-machine:~/.cache/trivy/db$ trivy image --skip-update jaegertracing/jaeger-agent:1.22.0
2021-05-26T11:26:35.742+0800 INFO Detected OS: alpine
2021-05-26T11:26:35.742+0800 INFO Detecting Alpine vulnerabilities...
2021-05-26T11:26:35.742+0800 INFO Number of PL dependency files: 1
2021-05-26T11:26:35.742+0800 INFO Detecting gobinary vulnerabilities...
jaegertracing/jaeger-agent:1.22.0 (alpine 3.12.3)
=================================================
Total: 13 (UNKNOWN: 0, LOW: 2, MEDIUM: 4, HIGH: 7, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools | CVE-2021-30139 | HIGH | 2.10.5-r1 | 2.10.6-r0 | In Alpine Linux apk-tools |
| | | | | | before 2.12.5, the tarball |
| | | | | | parser allows a buffer... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-30139 |
+--------------+------------------+ +-------------------+---------------+---------------------------------------+
| busybox | CVE-2021-28831 | | 1.31.1-r19 | 1.31.1-r20 | busybox: invalid free or segmentation |
| | | | | | fault via malformed gzip data |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-28831 |
+--------------+------------------+ +-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-23840 | | 1.1.1i-r0 | 1.1.1j-r0 | openssl: integer |
| | | | | | overflow in CipherUpdate |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2021-3450 | | | 1.1.1k-r0 | openssl: CA certificate check |
| | | | | | bypass with X509_V_FLAG_X509_STRICT |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3450 |
+ +------------------+----------+ +---------------+---------------------------------------+
| | CVE-2021-23841 | MEDIUM | | 1.1.1j-r0 | openssl: NULL pointer dereference |
| | | | | | in X509_issuer_and_serial_hash() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2021-3449 | | | 1.1.1k-r0 | openssl: NULL pointer dereference |
| | | | | | in signature_algorithms processing |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3449 |
+ +------------------+----------+ +---------------+---------------------------------------+
| | CVE-2021-23839 | LOW | | 1.1.1j-r0 | openssl: incorrect SSLv2 |
| | | | | | rollback protection |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |
+--------------+------------------+----------+ + +---------------------------------------+
| libssl1.1 | CVE-2021-23840 | HIGH | | | openssl: integer |
| | | | | | overflow in CipherUpdate |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2021-3450 | | | 1.1.1k-r0 | openssl: CA certificate check |
| | | | | | bypass with X509_V_FLAG_X509_STRICT |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3450 |
+ +------------------+----------+ +---------------+---------------------------------------+
| | CVE-2021-23841 | MEDIUM | | 1.1.1j-r0 | openssl: NULL pointer dereference |
| | | | | | in X509_issuer_and_serial_hash() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |
+ +------------------+ + +---------------+---------------------------------------+
| | CVE-2021-3449 | | | 1.1.1k-r0 | openssl: NULL pointer dereference |
| | | | | | in signature_algorithms processing |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3449 |
+ +------------------+----------+ +---------------+---------------------------------------+
| | CVE-2021-23839 | LOW | | 1.1.1j-r0 | openssl: incorrect SSLv2 |
| | | | | | rollback protection |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| ssl_client | CVE-2021-28831 | HIGH | 1.31.1-r19 | 1.31.1-r20 | busybox: invalid free or segmentation |
| | | | | | fault via malformed gzip data |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-28831 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
go/bin/agent-linux
==================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
If jaeger-agent is going to be updated to use alpine instead of busybox in the future, I think this issue should be gone by then.
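An added example (not code from the issue or from the Jaeger project): a small Python script that reads Trivy's JSON output (`trivy image --format json`), groups the findings by package, and reports the newest fixed version each package needs and whether every finding has a fix at all, which is what decides whether rebuilding on a current Alpine clears the report. The sample report is constructed to mirror the jaeger-agent 1.22.0 table above, and the version-ordering key is a simplified stand-in for apk's real comparison (an assumption, adequate for same-branch fixes like these).

```python
import json
import re
from collections import defaultdict

# Constructed sample in the layout of `trivy image --format json`, trimmed to the
# fields used below; the findings mirror the jaeger-agent 1.22.0 table in the issue.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "jaegertracing/jaeger-agent:1.22.0 (alpine 3.12.3)", "Type": "alpine",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-28831", "PkgName": "busybox", "Severity": "HIGH",
         "InstalledVersion": "1.31.1-r19", "FixedVersion": "1.31.1-r20"},
        {"VulnerabilityID": "CVE-2021-28831", "PkgName": "ssl_client", "Severity": "HIGH",
         "InstalledVersion": "1.31.1-r19", "FixedVersion": "1.31.1-r20"},
        {"VulnerabilityID": "CVE-2021-23840", "PkgName": "libssl1.1", "Severity": "HIGH",
         "InstalledVersion": "1.1.1i-r0", "FixedVersion": "1.1.1j-r0"},
        {"VulnerabilityID": "CVE-2021-3450", "PkgName": "libssl1.1", "Severity": "HIGH",
         "InstalledVersion": "1.1.1i-r0", "FixedVersion": "1.1.1k-r0"},
        {"VulnerabilityID": "CVE-2021-30139", "PkgName": "apk-tools", "Severity": "HIGH",
         "InstalledVersion": "2.10.5-r1", "FixedVersion": "2.10.6-r0"}]},
    {"Target": "go/bin/agent-linux", "Type": "gobinary", "Vulnerabilities": []}]})

def version_key(v):
    """Simplified apk-style ordering (assumption, not apk's full algorithm): numbers
    compare numerically, letter suffixes lexically, so 1.1.1j-r0 < 1.1.1k-r0."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[a-z]+", v)]

def fixable_packages(report_json):
    """Per package: installed version, newest FixedVersion needed to clear all of its
    CVEs, the CVE list, and whether every finding has a fix (empty FixedVersion = no)."""
    doc = json.loads(report_json)
    results = doc["Results"] if isinstance(doc, dict) else doc  # older Trivy emitted a bare list
    pkgs = defaultdict(lambda: {"installed": None, "needs": None, "cves": [], "fixable": True})
    for res in results:
        for v in res.get("Vulnerabilities") or []:  # key is null when a target is clean
            p = pkgs[v["PkgName"]]
            p["installed"] = v["InstalledVersion"]
            p["cves"].append(v["VulnerabilityID"])
            fixed = v.get("FixedVersion")
            if not fixed:
                p["fixable"] = False  # no upstream fix yet: a rebuild alone will not clear it
            elif p["needs"] is None or version_key(fixed) > version_key(p["needs"]):
                p["needs"] = fixed
    return dict(pkgs)

def rebuild_clears_all(report_json):
    """True when every package has a fix available, i.e. a rebuild on a base image shipping those versions clears the report."""
    return all(p["fixable"] for p in fixable_packages(report_json).values())
```

For the sample above every package is fixable within the same Alpine 3.12 branch, which is why a rebuild against an updated base image (or `apk upgrade` at build time) removes all 13 findings.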
I believe we'll get rid of those vulnerabilities as soon as we rebuild the containers as part of 1.23, which should get an up-to-date version of Alpine. Perhaps we could consider:
I recently came across this project: https://github.com/GoogleContainerTools/distroless Do you think it would be a good idea to use this as the base image? I think having as few tools as possible in the base image will help in reducing the possible CVEs in future.
@Ashmita152 not sure if it would be helpful, since it seems to contain no tools, in which case we might as well just use scratch, which we used to do in the past. But people wanted to have some basic set of tools in the container.
Will you consider using Alpine as the base image?
Hi @ethernoy
Sorry, not sure if I get the question properly.
We currently use Alpine as the base image for all Jaeger images. Alpine images have busybox as one of the default packages.
Here is the list of default packages installed in the Alpine image.
❯ docker run --entrypoint=tail alpine:3.13 -f /dev/null
❯ docker exec -it 14bbacd94c9b /bin/sh
/ # apk info
musl
busybox
alpine-baselayout
alpine-keys
libcrypto1.1
libssl1.1
ca-certificates-bundle
libtls-standalone
ssl_client
zlib
apk-tools
scanelf
musl-utils
libc-utils
/ #
Oh sorry, just ignore my last question :( I just forgot Alpine was already the base image of the Jaeger components.
Requirement - what kind of business use case are you trying to solve?
Reduce the vulnerabilities reported by container image scanning tool
Problem - what in Jaeger blocks you from solving the requirement?
Aqua's container image scanning tool reported that the vulnerability CVE-2021-28831 exists in the Jaeger Agent 1.22.0, Jaeger Collector 1.22.0, and Jaeger Query 1.22.0 images. Here is its description:
decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
Proposal - what do you suggest to solve the problem or improve the existing situation?
Upgrade Busybox from 1.31.1-r19 to 1.31.1-r20 or newer.