lucee / lucee-dockerfiles

Official Lucee Dockerfiles for Docker Hub build images
https://hub.docker.com/u/lucee/
MIT License

Need Image Rebuild to Patch Vulnerabilities #64

Closed jamiejackson closed 1 year ago

jamiejackson commented 4 years ago

I think the SOP is to do periodic matrix rebuilds to pick up patches from base images.

Latest:

| Name | Package | Severity | Description |
|---|---|---|---|
| CVE-2020-10878 | perl:5.28.1-6 | HIGH | Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. |
| CVE-2020-8492 | python2.7:2.7.16-2+deb10u1 | HIGH | Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. |
| CVE-2018-12886 | gcc-8:8.3.0-6 | MEDIUM | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. |
| CVE-2020-1751 | glibc:2.28-10 | MEDIUM | An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability. |
| CVE-2019-20367 | libbsd:0.9.1-2 | MEDIUM | nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab). |
| CVE-2019-12290 | libidn2:2.0.5-1+deb10u1 | MEDIUM | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated. |
| CVE-2019-13115 | libssh2:1.8.0-2.1 | MEDIUM | In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855. |
| CVE-2019-20454 | pcre2:10.32-5 | MEDIUM | An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. |
| CVE-2020-14155 | pcre3:2:8.39-12 | MEDIUM | libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring. |
| CVE-2020-12723 | perl:5.28.1-6 | MEDIUM | regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls. |
| CVE-2020-10543 | perl:5.28.1-6 | MEDIUM | Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow. |
| CVE-2020-11655 | sqlite3:3.27.2-3 | MEDIUM | SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled. |
| CVE-2019-16168 | sqlite3:3.27.2-3 | MEDIUM | In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner." |
| CVE-2019-19603 | sqlite3:3.27.2-3 | MEDIUM | SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. |
| CVE-2019-20218 | sqlite3:3.27.2-3 | MEDIUM | selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error. |

justincarter commented 4 years ago

Which version/tag of the Lucee Docker images are you looking for a rebuild of?

Sometimes rebuilding an image isn't appropriate if some underlying versions have changed that could affect compatibility, particularly when the base image changes OS (Debian) versions. If we rebuilt using the same exact tag then people who are using the Lucee images with that tag could find their application breaks next time they go to build.

I am happy to do a rebuild for recent versions where compatibility isn't an issue though.

Do you know if any of the CVEs listed are fixable by using a newer Tomcat base image specifically, or would an apt-get update fix the issues as well? It's usually a good idea to update packages in your own Dockerfile for those reasons, but if there's a base image issue then I'm happy to help however I can.


jamiejackson commented 4 years ago

I happen to be on lucee_5.3.5.80-SNAPSHOT-tomcat9.0-jdk11-openjdk

| Name | Package | Severity | Description |
|---|---|---|---|
| CVE-2019-5482 | curl:7.64.0-4 | HIGH | Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. |
| CVE-2020-10878 | perl:5.28.1-6 | HIGH | Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. |
| CVE-2020-8492 | python2.7:2.7.16-2+deb10u1 | HIGH | Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. |
| CVE-2020-3810 | apt:1.8.2 | MEDIUM | Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files. |
| CVE-2019-5188 | e2fsprogs:1.44.5-1+deb10u2 | MEDIUM | A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. |
| CVE-2018-12886 | gcc-8:8.3.0-6 | MEDIUM | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. |
| CVE-2020-5260 | git:1:2.20.1-2+deb10u1 | MEDIUM | Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. |
| CVE-2020-11008 | git:1:2.20.1-2+deb10u1 | MEDIUM | Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where some credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's "store" helper - Git's "cache" helper - the "osxkeychain" helper that ships in Git's "contrib" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability. |
| CVE-2020-1751 | glibc:2.28-10 | MEDIUM | An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability. |
| CVE-2019-20367 | libbsd:0.9.1-2 | MEDIUM | nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab). |
| CVE-2019-12290 | libidn2:2.0.5-1 | MEDIUM | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated. |
| CVE-2019-13115 | libssh2:1.8.0-2.1 | MEDIUM | In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855. |
| CVE-2020-12243 | openldap:2.4.47+dfsg-3+deb10u1 | MEDIUM | In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). |
| CVE-2019-20454 | pcre2:10.32-5 | MEDIUM | An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. |
| CVE-2020-14155 | pcre3:2:8.39-12 | MEDIUM | libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring. |
| CVE-2020-10543 | perl:5.28.1-6 | MEDIUM | Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow. |
| CVE-2020-12723 | perl:5.28.1-6 | MEDIUM | regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls. |
| CVE-2019-19603 | sqlite3:3.27.2-3 | MEDIUM | SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. |
| CVE-2019-20218 | sqlite3:3.27.2-3 | MEDIUM | selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error. |
| CVE-2020-11655 | sqlite3:3.27.2-3 | MEDIUM | SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled. |
| CVE-2019-16168 | sqlite3:3.27.2-3 | MEDIUM | In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner." |

But latest (lucee_5.3.6.61-tomcat9.0-jdk11-openjdk) has issues, too:

| Name | Package | Severity | Description |
|---|---|---|---|
| CVE-2020-10878 | perl:5.28.1-6 | HIGH | Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. |
| CVE-2020-8492 | python2.7:2.7.16-2+deb10u1 | HIGH | Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. |
| CVE-2018-12886 | gcc-8:8.3.0-6 | MEDIUM | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. |
| CVE-2020-1751 | glibc:2.28-10 | MEDIUM | An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability. |
| CVE-2019-20367 | libbsd:0.9.1-2 | MEDIUM | nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab). |
| CVE-2019-12290 | libidn2:2.0.5-1+deb10u1 | MEDIUM | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated. |
| CVE-2019-13115 | libssh2:1.8.0-2.1 | MEDIUM | In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855. |
| CVE-2019-20454 | pcre2:10.32-5 | MEDIUM | An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. |
| CVE-2020-14155 | pcre3:2:8.39-12 | MEDIUM | libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring. |
| CVE-2020-12723 | perl:5.28.1-6 | MEDIUM | regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls. |
| CVE-2020-10543 | perl:5.28.1-6 | MEDIUM | Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow. |
| CVE-2020-11655 | sqlite3:3.27.2-3 | MEDIUM | SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled. |
| CVE-2019-16168 | sqlite3:3.27.2-3 | MEDIUM | In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner." |
| CVE-2019-19603 | sqlite3:3.27.2-3 | MEDIUM | SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. |
| CVE-2019-20218 | sqlite3:3.27.2-3 | MEDIUM | selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error. |

jamiejackson commented 4 years ago

If we rebuilt using the same exact tag then people who are using the Lucee images with that tag could find their application breaks next time they go to build.

I think I disagree. Isn't that what pinning to digests is for? https://support.circleci.com/hc/en-us/articles/115015742147-Pinning-a-Docker-Image-to-a-Specific-Version

I'm probably wrong though. I guess what I'm coming to find is that some vendors only build once per tag, which feels wrong to me, but that's the way things seem to be in the wild.

I'd always assumed that best practice would be:

jamiejackson commented 4 years ago

Just some notes (maybe just to myself):

Lucee Latest has these HIGH vulnerabilities:

But they are still vulnerable way up at the Debian Buster (10.4) base image. So no Lucee image rebuild is going to fix them, anyway.

In addition to those two vulnerabilities, the version I happen to be on (lucee_5.3.5.80-SNAPSHOT-tomcat9.0-jdk11-openjdk) also has:

Which was fixed in Buster.

jamiejackson commented 1 year ago

For posterity: