keeganwitt / docker-gradle

Docker images with Gradle
https://hub.docker.com/_/gradle/
Apache License 2.0

gradle:8.6.0-jdk* vulnerabilities #278

Closed chekmx closed 4 months ago

chekmx commented 5 months ago

sysdig reports the following vulnerabilities for container gradle:8.6.0-jdk*

Is it possible to remediate these?

keeganwitt commented 5 months ago

I believe all of these are from the base image. @tianon @yosifkit can you help with this?

yosifkit commented 5 months ago

🤔 8.6.0 is no longer a supported version (and so is not rebuilt in official images), so it is likely to have more outdated packages over time. I'd suggest updating to 8.7 (built just a few days ago) or just doing an apt-get update && apt-get upgrade in your own image if you cannot move to the latest.

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (i.e., an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates. Debian and Ubuntu are (mostly) on a ~30 day rebuild cycle so that base image packages are updated and that all dependent images are also rebuilt for OS packages included there.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

keeganwitt commented 5 months ago

At the time the ticket was opened, 8.6 was the latest. 8.7 was released the next day.

That being said, @chekmx should check whether these are still reported in the 8.7 images, as these will contain the latest security patches as has been noted.

chekmx commented 5 months ago

Having checked 8.7, I see that all the vulnerabilities listed above still exist except https://github.com/advisories/GHSA-v845-jxx5-vc9f.

Further, I see the following new items: CVE-2023-43804, CVE-2020-13956, CVE-2023-45803, CVE-2023-48795, CVE-2023-32732

yosifkit commented 5 months ago

Just checking Ubuntu security advisories for this new set and none of them seem to apply (I think it may be similar with some of the others as well, like nghttp2 in https://ubuntu.com/security/CVE-2023-44487). Not sure why the scanner has so many false positives.

$ docker run -it --rm gradle:8.7 bash
root@4abb89bc9161:/home/gradle# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
...
root@4abb89bc9161:/home/gradle# dpkg -l | grep -E 'urllib3|libhttp|pip|openssh|grpc'
ii  openssh-client              1:8.9p1-3ubuntu0.6                      amd64        secure shell (SSH) client, for secure access to remote machines
ii  python3-urllib3             1.26.5-1~exp1ubuntu0.1                  all          HTTP library with thread-safe connection pooling for Python3

There are some package updates available, but none of them are related to these CVEs. The updates will happen at the next base image rebuild which is likely coming very soon based on the Ubuntu image update cadence: https://github.com/docker-library/official-images/pulls?q=is%3Apr+label%3Alibrary%2Fubuntu. (though it might be delayed until 24.04 is released 🤔🤷)

root@4abb89bc9161:/home/gradle# apt update
...
12 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@4abb89bc9161:/home/gradle# apt list --upgradable
Listing... Done
apt/jammy-updates 2.4.12 amd64 [upgradable from: 2.4.11]
bash/jammy-updates,jammy-security 5.1-6ubuntu1.1 amd64 [upgradable from: 5.1-6ubuntu1]
bsdutils/jammy-updates,jammy-security 1:2.37.2-4ubuntu3.3 amd64 [upgradable from: 1:2.37.2-4ubuntu3]
coreutils/jammy-updates 8.32-4.1ubuntu1.2 amd64 [upgradable from: 8.32-4.1ubuntu1.1]
dpkg/jammy-updates 1.21.1ubuntu2.3 amd64 [upgradable from: 1.21.1ubuntu2.2]
libapt-pkg6.0/jammy-updates 2.4.12 amd64 [upgradable from: 2.4.11]
libblkid1/jammy-updates,jammy-security 2.37.2-4ubuntu3.3 amd64 [upgradable from: 2.37.2-4ubuntu3]
libmount1/jammy-updates,jammy-security 2.37.2-4ubuntu3.3 amd64 [upgradable from: 2.37.2-4ubuntu3]
libsmartcols1/jammy-updates,jammy-security 2.37.2-4ubuntu3.3 amd64 [upgradable from: 2.37.2-4ubuntu3]
libuuid1/jammy-updates,jammy-security 2.37.2-4ubuntu3.3 amd64 [upgradable from: 2.37.2-4ubuntu3]
mount/jammy-updates,jammy-security 2.37.2-4ubuntu3.3 amd64 [upgradable from: 2.37.2-4ubuntu3]
util-linux/jammy-updates,jammy-security 2.37.2-4ubuntu3.3 amd64 [upgradable from: 2.37.2-4ubuntu3]
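An added example, not code from the thread or the docker-gradle project: the triage yosifkit walks through above, scripted in Python. It parses dpkg -l and apt list --upgradable output (sample lines copied from the session above and embedded as constructed input) to map scanner-flagged component names to installed OS packages, and to tell security-pocket upgrades apart from routine jammy-updates ones.

```python
import re

# Constructed samples, copied from the dpkg -l and apt list output shown in the thread above.
DPKG_L = """\
ii  openssh-client              1:8.9p1-3ubuntu0.6                      amd64        secure shell (SSH) client, for secure access to remote machines
ii  python3-urllib3             1.26.5-1~exp1ubuntu0.1                  all          HTTP library with thread-safe connection pooling for Python3
"""
APT_LIST = """\
Listing... Done
apt/jammy-updates 2.4.12 amd64 [upgradable from: 2.4.11]
bash/jammy-updates,jammy-security 5.1-6ubuntu1.1 amd64 [upgradable from: 5.1-6ubuntu1]
libuuid1/jammy-updates,jammy-security 2.37.2-4ubuntu3.3 amd64 [upgradable from: 2.37.2-4ubuntu3]
"""
# One `apt list --upgradable` row: name/suite[,suite] newver arch [upgradable from: oldver]
APT_LINE = re.compile(r"^(?P<name>[^/\s]+)/(?P<suites>\S+) (?P<new>\S+) \S+ \[upgradable from: (?P<old>[^\]]+)\]$")

def installed_versions(dpkg_text):
    """Map installed package name -> version from `dpkg -l` output (only 'ii' rows)."""
    versions = {}
    for line in dpkg_text.splitlines():
        parts = line.split(None, 4)  # status, name, version, arch, description
        if len(parts) >= 3 and parts[0] == "ii":
            versions[parts[1]] = parts[2]
    return versions

def pending_upgrades(apt_text):
    """Map package name -> (old, new, from_security_pocket) from `apt list --upgradable`."""
    pending = {}
    for line in apt_text.splitlines():
        m = APT_LINE.match(line)
        if not m:  # skips "Listing... Done" and blank lines
            continue
        suites = m["suites"].split(",")
        pending[m["name"]] = (m["old"], m["new"], any(s.endswith("-security") for s in suites))
    return pending

def triage(scanner_names, dpkg_text, apt_text):
    """For each component a scanner flagged, list matching OS packages with installed version
    and whether a security-pocket upgrade is pending; [] means it is not an OS package at all."""
    installed, pending = installed_versions(dpkg_text), pending_upgrades(apt_text)
    report = {}
    for name in scanner_names:
        hits = []
        for pkg, ver in installed.items():
            if name.lower() in pkg.lower():
                hits.append({"package": pkg, "installed": ver,
                             "security_upgrade_pending": pending.get(pkg, (None, None, False))[2]})
        report[name] = hits
    return report
```

An empty list for a scanner name (as for grpc here) is the cue that the finding refers to something outside the apt database, such as a jar shipped in the Gradle distribution.
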

keeganwitt commented 5 months ago

I wasn't sure if the grpc one referred to a jar or not. There is

$ docker run --rm gradle bash -c 'find /opt/gradle -name "*.jar" | grep grpc'
/opt/gradle/lib/plugins/grpc-context-1.27.2.jar

Since there's nothing installed by apt, I'm going to guess this comes from the Gradle zip. If so, it will be up to the Gradle team to remediate.

The HTTP Client shouldn't be showing up in your scan. The CVE says it affects versions before 4.5.13 and 5.0.3. The version included is 4.5.14.

$ docker run --rm gradle bash -c 'find /opt/gradle -name "*.jar" | grep httpclient'
/opt/gradle/lib/plugins/httpclient-4.5.14.jar

keeganwitt commented 5 months ago

Actually, looking in grpc-context-1.27.2.jar, I don't see any compiled native files (the CVE references some C code changes), so I think this is a false positive as well.
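An added example (not from the thread or the docker-gradle project), in Python: the two checks applied above to the jars under /opt/gradle, namely reading artifact and version from the jar filename and comparing it with an advisory's fixed versions (the 4.5.13 / 5.0.3 figures above), and listing any compiled native entries inside the jar. Jar contents are constructed in memory; the version comparison assumes plain dotted numeric versions and picks the fixed version on the same major release line.

```python
import io
import re
import zipfile

NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")
# artifact-version.jar, e.g. httpclient-4.5.14.jar or grpc-context-1.27.2.jar
JAR_NAME = re.compile(r"^(?P<artifact>.+)-(?P<version>\d+(?:\.\d+)*)\.jar$")

def native_entries(jar_bytes):
    """Names of zip entries that look like compiled native code (a jar is a zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(NATIVE_SUFFIXES)]

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def below_fix(version, fixed_versions):
    """True if `version` is older than the fix on its own major release line, False if at or
    above it, None if no fixed version for that major is known. Assumes dotted numbers."""
    vt = version_tuple(version)
    for fixed in fixed_versions:
        ft = version_tuple(fixed)
        if ft[0] == vt[0]:
            return vt < ft
    return None

def triage_jar(filename, jar_bytes, fixed_versions):
    """Apply both checks from the thread to one jar: version against the advisory's fixed
    versions, and presence of native code (relevant when the advisory concerns C code)."""
    m = JAR_NAME.match(filename)
    if not m:
        raise ValueError(f"cannot parse artifact/version from {filename!r}")
    return {
        "artifact": m["artifact"],
        "version": m["version"],
        "below_fix": below_fix(m["version"], fixed_versions),
        "native_entries": native_entries(jar_bytes),
    }

def make_jar(entry_names):
    """Build a constructed in-memory jar with empty entries, so this runs without Gradle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"")
    return buf.getvalue()
```

Against a real image, read each jar with open(path, "rb") and feed the bytes to triage_jar; a result of below_fix False with no native entries is the same "false positive" conclusion the thread reaches by hand.
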

keeganwitt commented 4 months ago

I believe we've addressed all the concerns. Reply if you think this needs to be reopened.