Open redbmk opened 1 year ago
I tried creating a new docker image with root access to play around with it (e.g. install pip to do a pip freeze and see what's in there). One thing I noticed when running apt update was that a bunch of packages, including many of the ones that are listed as vulnerable (e.g. python3-oauthlib), say they're no longer needed:
The following packages were automatically installed and are no longer required:
...a bunch more lines
plymouth-theme-ubuntu-text poppler-data poppler-utils ppp pptp-linux pulseaudio pulseaudio-module-bluetooth pulseaudio-utils python3-apport python3-aptdaemon python3-blinker python3-cairo python3-cffi-backend
python3-cryptography python3-cups python3-cupshelpers python3-defer python3-distro python3-entrypoints python3-httplib2 python3-ibus-1.0 python3-jwt python3-keyring python3-launchpadlib python3-lazr.restfulclient
python3-lazr.uri python3-ldb python3-macaroonbakery python3-nacl python3-oauthlib python3-problem-report python3-protobuf python3-psutil python3-pymacaroons python3-rfc3339 python3-secretstorage python3-simplejson
python3-systemd python3-talloc python3-tz python3-wadllib python3-xdg rtkit rygel samba-libs sane-utils session-migration sgml-base sgml-data switcheroo-control system-config-printer-udev tango-icon-theme thunar
thunar-data thunar-volman tumbler tumbler-common ubuntu-touch-sounds ubuntu-wallpapers ubuntu-wallpapers-focal udev udisks2 unity-greeter unity-gtk-module-common unity-gtk2-module unity-gtk3-module unity-settings-daemon
unity-settings-daemon-schemas unzip update-inetd upower usb-modeswitch usb-modeswitch-data usb.ids usbmuxd wamerican whoopsie-preferences wireless-regdb wpasupplicant x11-apps x11-session-utils x11-xserver-utils
xdg-dbus-proxy xfce4-appfinder xfce4-notifyd xfce4-pulseaudio-plugin xfce4-session xfce4-settings xfdesktop4 xfdesktop4-data xfonts-base xfonts-encodings xfonts-scalable xfonts-utils xfwm4 xiccd xinit xinput xml-core
xorg xorg-docs-core xserver-common xserver-xephyr xserver-xorg xserver-xorg-core xserver-xorg-input-all xserver-xorg-input-libinput xserver-xorg-input-wacom xserver-xorg-legacy xserver-xorg-video-all
xserver-xorg-video-amdgpu xserver-xorg-video-ati xserver-xorg-video-fbdev xserver-xorg-video-intel xserver-xorg-video-nouveau xserver-xorg-video-qxl xserver-xorg-video-radeon xserver-xorg-video-vesa
xserver-xorg-video-vmware xwayland yaru-theme-gnome-shell yelp-xsl zenity-common
Use 'apt autoremove' to remove them.
At least from an audit perspective, this seems to get rid of all but 3 of the fixable ones:
FROM kasmweb/firefox:1.13.1-rolling
USER root
RUN apt-get update && apt-get autoremove -y
USER 1000
I tried updating the python3-{package} packages (certifi, requests, and urllib3), but it didn't help. I think we would need to use a newer base image of ubuntu to get the latest packages.
❯ docker scout cves temp --only-fixed
INFO New version 0.22.3 available (installed version is 0.20.0)
✓ SBOM of image already cached, 979 packages indexed
✗ Detected 3 vulnerable packages with a total of 5 vulnerabilities
0C 1H 1M 0L urllib3 1.25.8
pkg:pypi/urllib3@1.25.8
✗ HIGH CVE-2021-33503 [Uncontrolled Resource Consumption]
https://scout.docker.com/v/CVE-2021-33503
Affected range : >=1.25.4
: <1.26.5
Fixed version : 1.26.5
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
✗ MEDIUM CVE-2020-26137 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]
https://scout.docker.com/v/CVE-2020-26137
Affected range : <1.25.9
Fixed version : 1.25.9
CVSS Score : 6.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
0C 1H 1M 0L certifi 2019.11.28
pkg:pypi/certifi@2019.11.28
✗ HIGH CVE-2023-37920 [Insufficient Verification of Data Authenticity]
https://scout.docker.com/v/CVE-2023-37920
Affected range : >=2015.4.28
: <2023.7.22
Fixed version : 2023.7.22
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
✗ MEDIUM CVE-2022-23491 [Insufficient Verification of Data Authenticity]
https://scout.docker.com/v/CVE-2022-23491
Affected range : >=2017.11.05
: <2022.12.07
Fixed version : 2022.12.07
CVSS Score : 6.8
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
0C 0H 1M 0L requests 2.22.0
pkg:pypi/requests@2.22.0
✗ MEDIUM CVE-2023-32681 [Exposure of Sensitive Information to an Unauthorized Actor]
https://scout.docker.com/v/CVE-2023-32681
Affected range : >=2.3.0
: <2.31.0
Fixed version : 2.31.0
CVSS Score : 6.1
CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
5 vulnerabilities found in 3 packages
LOW 0
MEDIUM 3
HIGH 2
CRITICAL 0
I haven't tested this out yet though, so I'm not sure how accurate it is that they're no longer required. There are a few things mentioning xserver, which seems like it might be needed for kasm.
We pin our release tags, so just like you saw you would want to use the rolling or even the develop tags if you are looking for the newest system level packages.
As for deps for single app images we rip out some stuff after the installation is complete here: https://github.com/kasmtech/workspaces-images/blob/develop/dockerfile-kasm-firefox#L22
The way Ubuntu meta packages work means the system thinks those packages are not needed anymore, but they definitely are.
In general once a single app image is cut people are not really supposed to be playing around with it, building it from core up will always be your best bet.
OK yeah the image won't boot up after that.
Doing a much less invasive update of packages, the container still seems to work here. I tried to just update vulnerable python packages to a non-vulnerable version if it's a non-breaking change:
FROM kasmweb/firefox:1.13.1-rolling
USER root
RUN apt-get update && \
apt-get install -y python3-pip && pip install --upgrade pip && apt-get remove -y python3-pip
RUN pip install --upgrade setuptools wheel certifi
RUN apt-get remove -y \
python3-pip python3-wheel python3-setuptools python3-certifi \
python3-oauthlib python3-requests python3-psutil python3-urllib3 python3-protobuf
RUN cp $(python3 -c 'import certifi; print(certifi.where())') /etc/ssl/certs/ca-certificates.crt
RUN pip install --upgrade oauthlib~=3.2 requests~=2.31 psutil~=5.9 urllib3~=1.26 protobuf~=3.20
USER 1000
And then testing with this, I'm still able to boot up the container and see firefox without any issues:
❯ docker run -it --rm -e VNCOPTIONS='-disableBasicAuth' -p 6901:6901 temp
In general once a single app image is cut people are not really supposed to be playing around with it, building it from core up will always be your best bet.
Where are all those packages installed? I would think for anything using python it would make sense to just install python and pip, and then install everything from there using pip or some package manager like pipenv or poetry, etc.
To fix the cryptography issue, whatever's using it would need to deal with the breaking changes, but I haven't figured out where the python code is that's using it. Maybe there's something installed via apt-get that relies on system versions of python3-*?
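As an added example (not code from this thread or from the Kasm project), the following Python script parses the text format of the docker scout cves --only-fixed output quoted above, takes the highest fixed version per package, and emits the lower-bound pins that a pip install step like the one in the Dockerfile above needs. The sample input is a constructed, abridged copy of that scout output.

```python
import re

# Constructed sample: an abridged copy of the scout output quoted in the thread.
SCOUT_OUTPUT = """\
   0C     1H     1M     0L  urllib3 1.25.8
pkg:pypi/urllib3@1.25.8
    ✗ HIGH CVE-2021-33503 [Uncontrolled Resource Consumption]
      Fixed version  : 1.26.5
    ✗ MEDIUM CVE-2020-26137 [Improper Neutralization of Special Elements]
      Fixed version  : 1.25.9
   0C     1H     1M     0L  certifi 2019.11.28
pkg:pypi/certifi@2019.11.28
    ✗ HIGH CVE-2023-37920 [Insufficient Verification of Data Authenticity]
      Fixed version  : 2023.7.22
    ✗ MEDIUM CVE-2022-23491 [Insufficient Verification of Data Authenticity]
      Fixed version  : 2022.12.07
"""

PKG_RE = re.compile(r"^pkg:pypi/(?P<name>[^@]+)@(?P<version>\S+)$")
CVE_RE = re.compile(r"^\s*✗\s+(?P<sev>\w+)\s+(?P<cve>CVE-\d{4}-\d+)")
FIX_RE = re.compile(r"^\s*Fixed version\s*:\s*(?P<ver>\S+)")

def vtuple(v):
    """Numeric tuple so '1.26.5' > '1.25.9' and '2023.7.22' > '2022.12.07'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_scout(text):
    """Map package name -> {installed, cves: [{id, severity, fixed}]}."""
    findings, pkg, cve = {}, None, None
    for line in text.splitlines():
        if m := PKG_RE.match(line.strip()):
            pkg = findings.setdefault(m["name"], {"installed": m["version"], "cves": []})
        elif (m := CVE_RE.match(line)) and pkg is not None:
            cve = {"id": m["cve"], "severity": m["sev"], "fixed": None}
            pkg["cves"].append(cve)
        elif (m := FIX_RE.match(line)) and cve is not None:
            cve["fixed"] = m["ver"]
    return findings

def min_fixed_version(pkg):
    """Lowest version clearing every listed CVE: the highest of the fixes."""
    return max((c["fixed"] for c in pkg["cves"] if c["fixed"]), key=vtuple)

def pip_pins(findings):
    """One `name>=fixed` constraint per package still below its fix."""
    return [f"{name}>={min_fixed_version(pkg)}"
            for name, pkg in sorted(findings.items())
            if vtuple(pkg["installed"]) < vtuple(min_fixed_version(pkg))]
```

The output pins are lower bounds only; whether to tighten them to compatible-release pins like the ~= ones in the Dockerfile above is a separate decision that depends on what the image's other packages tolerate.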
They would be deps and would be ingested using apt. You can look over the core image here: https://github.com/kasmtech/workspaces-core-images/blob/develop/dockerfile-kasm-core This would be based on Focal.
If you are actually trying to pass a security audit, using Ubuntu is pointless; you would want to base the image off the Alpine 3.18 Baseimage: https://github.com/kasmtech/workspaces-images/blob/develop/src/alpine/install/firefox/install_firefox.sh
Or Fedora 38 if you need GLIBC.
During a security audit on some images we're using, some packages got flagged as high and critical. I'm looking specifically at kasmweb/firefox:1.13.1 but a lot are coming from the base, core-ubuntu-focal, so this likely applies to quite a few images. Most of these are fixed in the -rolling version (especially CVEs that have a fix), but there are still a few left over that seem to be coming from some python packages. I haven't been able to track down where they're getting installed. (just showing the overview for brevity)
and a little more detail on which packages have issues: