jpillora / chisel

A fast TCP/UDP tunnel over HTTP
MIT License
13.6k stars, 1.4k forks

Docker base image has open vulnerabilities #359

Open seandgrimes opened 2 years ago

seandgrimes commented 2 years ago

The version of Alpine that was incorporated into the latest Docker image for Chisel has several known vulnerabilities associated with it. I've already confirmed that rebuilding the image pulls in the latest version of Alpine that addresses these, but I was wondering if there are any plans to build and publish a new version of the image for Chisel 1.7.7.

Here are the scan results for the latest image for reference:

➜ chisel git:(master) docker scan jpillora/chisel

Testing jpillora/chisel...

✗ Low severity vulnerability found in busybox/busybox
  Description: ALPINE-13661
  Info: https://snyk.io/vuln/SNYK-ALPINE315-BUSYBOX-2606932
  Introduced through: busybox/busybox@1.34.1-r3, alpine-baselayout/alpine-baselayout@3.2.0-r18, ca-certificates/ca-certificates@20211220-r0, busybox/ssl_client@1.34.1-r3
  From: busybox/busybox@1.34.1-r3
  From: alpine-baselayout/alpine-baselayout@3.2.0-r18 > busybox/busybox@1.34.1-r3
  From: ca-certificates/ca-certificates@20211220-r0 > busybox/busybox@1.34.1-r3
  and 1 more...
  Image layer: 'apk add --no-cache ca-certificates'
  Fixed in: 1.34.1-r5

✗ High severity vulnerability found in zlib/zlib
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE315-ZLIB-2434420
  Introduced through: zlib/zlib@1.2.11-r3, apk-tools/apk-tools@2.12.7-r3
  From: zlib/zlib@1.2.11-r3
  From: apk-tools/apk-tools@2.12.7-r3 > zlib/zlib@1.2.11-r3
  Image layer: Introduced by your base image (alpine:3.15.0)
  Fixed in: 1.2.12-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Loop with Unreachable Exit Condition ('Infinite Loop')
  Info: https://snyk.io/vuln/SNYK-ALPINE315-OPENSSL-2426331
  Introduced through: openssl/libcrypto1.1@1.1.1l-r7, openssl/libssl1.1@1.1.1l-r7, apk-tools/apk-tools@2.12.7-r3, libretls/libretls@3.3.4-r2, ca-certificates/ca-certificates@20211220-r0
  From: openssl/libcrypto1.1@1.1.1l-r7
  From: openssl/libssl1.1@1.1.1l-r7 > openssl/libcrypto1.1@1.1.1l-r7
  From: apk-tools/apk-tools@2.12.7-r3 > openssl/libcrypto1.1@1.1.1l-r7
  and 5 more...
  Image layer: 'apk add --no-cache ca-certificates'
  Fixed in: 1.1.1n-r0

✗ High severity vulnerability found in libretls/libretls
  Description: Loop with Unreachable Exit Condition ('Infinite Loop')
  Info: https://snyk.io/vuln/SNYK-ALPINE315-LIBRETLS-2428776
  Introduced through: libretls/libretls@3.3.4-r2, busybox/ssl_client@1.34.1-r3
  From: libretls/libretls@3.3.4-r2
  From: busybox/ssl_client@1.34.1-r3 > libretls/libretls@3.3.4-r2
  Image layer: Introduced by your base image (alpine:3.15.0)
  Fixed in: 3.3.4-r3

✗ Critical severity vulnerability found in busybox/busybox
  Description: CVE-2022-28391 https://github.com/advisories/GHSA-h8c3-8522-vxc6
  Info: https://snyk.io/vuln/SNYK-ALPINE315-BUSYBOX-2440607
  Introduced through: busybox/busybox@1.34.1-r3, alpine-baselayout/alpine-baselayout@3.2.0-r18, ca-certificates/ca-certificates@20211220-r0, busybox/ssl_client@1.34.1-r3
  From: busybox/busybox@1.34.1-r3
  From: alpine-baselayout/alpine-baselayout@3.2.0-r18 > busybox/busybox@1.34.1-r3
  From: ca-certificates/ca-certificates@20211220-r0 > busybox/busybox@1.34.1-r3
  and 1 more...
  Image layer: 'apk add --no-cache ca-certificates'
  Fixed in: 1.34.1-r5

Package manager:   apk
Project name:      docker-image|jpillora/chisel
Docker image:      jpillora/chisel
Platform:          linux/amd64
Base image:        alpine:3.15.0

Tested 15 dependencies for known vulnerabilities, found 5 vulnerabilities.

Base Image       Vulnerabilities  Severity
alpine:3.15.0    5                1 critical, 3 high, 0 medium, 1 low

Recommendations for base image upgrade:

Minor upgrades
Base Image       Vulnerabilities  Severity
alpine:latest    0                0 critical, 0 high, 0 medium, 0 low
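The check the report above implies, as an added example (not code from the chisel project or from this issue): take the scanner's "Fixed in" versions, take the package list of the image that was actually built, and print which findings are still open. The inputs below are constructed from the scan output above, in `apk list --installed` format; on a real image you would pipe in something like `docker run --rm --entrypoint /sbin/apk jpillora/chisel list --installed` (that invocation assumes the image still ships apk at all, which a scratch-based image does not). The Alpine version comparison is implemented in awk so the script runs with plain POSIX sh.

```shell
#!/bin/sh
# Added example: verify that an image actually carries the package versions a
# scanner reported as "Fixed in", before publishing it. Not part of chisel.

# Scanner findings, "package fixed-version" per line. Constructed from the
# docker scan report in this issue (subpackages share their source's fix).
FINDINGS='busybox 1.34.1-r5
ssl_client 1.34.1-r5
zlib 1.2.12-r0
libcrypto1.1 1.1.1n-r0
libssl1.1 1.1.1n-r0
libretls 3.3.4-r3'

# `apk list --installed` style lines for the published image (constructed).
INSTALLED_OLD='busybox-1.34.1-r3 x86_64 {busybox} (GPL-2.0-only) [installed]
ssl_client-1.34.1-r3 x86_64 {busybox} (GPL-2.0-only) [installed]
zlib-1.2.11-r3 x86_64 {zlib} (Zlib) [installed]
libcrypto1.1-1.1.1l-r7 x86_64 {openssl} (OpenSSL) [installed]
libssl1.1-1.1.1l-r7 x86_64 {openssl} (OpenSSL) [installed]
libretls-3.3.4-r2 x86_64 {libretls} (ISC) [installed]
ca-certificates-20211220-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]'

# The same after a rebuild on a current alpine:3.15 (constructed).
INSTALLED_NEW='busybox-1.34.1-r5 x86_64 {busybox} (GPL-2.0-only) [installed]
ssl_client-1.34.1-r5 x86_64 {busybox} (GPL-2.0-only) [installed]
zlib-1.2.12-r0 x86_64 {zlib} (Zlib) [installed]
libcrypto1.1-1.1.1n-r0 x86_64 {openssl} (OpenSSL) [installed]
libssl1.1-1.1.1n-r0 x86_64 {openssl} (OpenSSL) [installed]
libretls-3.3.4-r3 x86_64 {libretls} (ISC) [installed]
ca-certificates-20211220-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]'

# open_findings FINDINGS INSTALLED
# Prints "pkg installed fixed" for each finding whose installed version is
# older than the fix. Exit status 0 when everything is patched, 1 otherwise.
open_findings() {
  printf '%s\n' "$2" | awk -v findings="$1" '
  # Split a version into alternating numeric/alphabetic runs, e.g.
  # "1.1.1l-r7" -> 1 1 1 l r 7, so 1.1.1l < 1.1.1n and r7 < r10 compare right.
  function tokens(v, out,    n, i, c, kind, prev, cur) {
    n = 0; cur = ""; prev = ""
    for (i = 1; i <= length(v); i++) {
      c = substr(v, i, 1)
      if (c ~ /[0-9]/) kind = "d"; else if (c ~ /[A-Za-z]/) kind = "a"; else kind = ""
      if (kind == "" || (prev != "" && kind != prev)) { if (cur != "") out[++n] = cur; cur = "" }
      if (kind != "") cur = cur c
      prev = kind
    }
    if (cur != "") out[++n] = cur
    return n
  }
  # -1/0/1 like strcmp: numeric runs compare as numbers, letters as strings,
  # and a version with fewer runs sorts first ("1.2" < "1.2.1").
  function vercmp(a, b,    ta, tb, na, nb, i, x, y) {
    na = tokens(a, ta); nb = tokens(b, tb)
    for (i = 1; i <= na || i <= nb; i++) {
      if (i > na) return -1
      if (i > nb) return 1
      x = ta[i]; y = tb[i]
      if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
      if (x < y) return -1
      if (x > y) return 1
    }
    return 0
  }
  BEGIN {
    m = split(findings, lines, "\n")
    for (i = 1; i <= m; i++) { split(lines[i], f, " "); fixed[f[1]] = f[2] }
  }
  # apk list lines look like "name-version arch {origin} (license) [installed]";
  # the version starts at the first "-" that is followed by a digit.
  match($1, /-[0-9]/) {
    name = substr($1, 1, RSTART - 1); ver = substr($1, RSTART + 1)
    if (name in fixed && vercmp(ver, fixed[name]) < 0) {
      printf "%s %s %s\n", name, ver, fixed[name]
      open++
    }
  }
  END { exit (open ? 1 : 0) }'
}

echo "published image:"
open_findings "$FINDINGS" "$INSTALLED_OLD" || echo "-> still vulnerable, do not publish"
echo "rebuilt image:"
open_findings "$FINDINGS" "$INSTALLED_NEW" && echo "-> all findings patched"
```

Run against the published image the script lists all six packages with their installed and fixed versions; against the rebuilt image it prints nothing and exits 0, which is the condition a release pipeline would gate on.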

jpillora commented 2 years ago

Don’t think they’re exploitable since Go is the entry point, but open to evidence otherwise

On Tue, 17 May 2022 at 3:39 am Sean Grimes wrote:


Masterxilo commented 2 years ago

Any reason not to set up a GitHub Action to build it, or have Docker Hub build it?

jpillora commented 2 years ago

Chisel uses automatic Docker Hub builds (https://hub.docker.com/r/jpillora/chisel); if I recall, a tag push triggers a Docker Hub release.

So it would be easy to push a new image; I am just very short on time at the moment :(

genofire commented 1 year ago

You already disable libc (with CGO_ENABLED=0).

Why not drop the distro (Alpine or so) altogether and put it into a scratch container, so that only vulnerabilities in the binary at compile time (Go and deps) matter?

See #91:

# build stage
FROM golang:alpine AS build-env
LABEL maintainer="dev@jpillora.com"
# git is needed for the `git describe` below; --no-cache avoids a stale index layer
RUN apk add --no-cache git
# static binary: no libc, so nothing from the base image is linked at runtime
ENV CGO_ENABLED=0
COPY . /src
WORKDIR /src
RUN go build \
    -ldflags "-X github.com/jpillora/chisel/share.BuildVersion=$(git describe --abbrev=0 --tags)" \
    -o chisel

# container stage: no shell, no package manager, no OS packages left to scan
FROM scratch
WORKDIR /app
# CA bundle so the Go TLS client can verify servers (crypto/x509 reads this path on Linux)
COPY --from=build-env /etc/ssl/cert.pem /etc/ssl/certs/ca-certificates.crt
COPY --from=build-env /src/chisel /app/chisel
ENTRYPOINT ["/app/chisel"]