mediagis / nominatim-docker

100% working container for Nominatim
Creative Commons Zero v1.0 Universal

latest version 4.3 has some critical vulnerability #508

Closed SumitTaneja closed 6 months ago

SumitTaneja commented 10 months ago

Describe the bug
This Docker image with the latest version 4.2/4.33 has the below-mentioned vulnerability: The “OS_VULNERABILITY” finding on the google.compute.Instance named nominatim was created because the system detected a vulnerability in the Keccak XKCP SHA-3 reference implementation. This vulnerability allows attackers to execute arbitrary code or eliminate expected cryptographic properties.

To Reproduce
Steps to reproduce the behavior:

  1. Install this Docker image in a VM in any GCP project.
  2. GCP will show the critical vulnerability for this image.

Expected behavior
No vulnerability in the image mediagis/nominatim:4.3

Screenshots & Logs
The “OS_VULNERABILITY” finding on the google.compute.Instance named nominatim was created because the system detected a vulnerability in the Keccak XKCP SHA-3 reference implementation. This vulnerability allows attackers to execute arbitrary code or eliminate expected cryptographic properties.

Desktop / Server (please complete the following information):

Additional context
Add any other context about the problem here.

mtmail commented 10 months ago

Looks like CVE-2022-37454. Operating system and languages were patched over a year ago (https://news.ycombinator.com/item?id=35050307). I don't see how somebody could trigger this with a 4GB file; the webserver doesn't allow uploads.

Can you list which version of Python and PHP gets installed? (php --version, python3 --version)

mtmail commented 10 months ago
Desktop / Server (please complete the following information):

    OS & Version: mediagis/nominatim:4.3
    Docker Version: mediagis/nominatim:4.3

Please provide correct version numbers.

SumitTaneja commented 10 months ago

Did not understand completely, so we executed the Docker image in the VM. We did not install any Python or PHP on that VM.

mtmail commented 10 months ago

Can you give more information on how the scanning works? It's not clear to me what "the system" is. Is it https://cloud.google.com/artifact-analysis/docs/os-scanning-automatically#artifact-registry, and does the gcloud CLI output more details?

Which VM are you using? Is there more information about the type, version, base image?

SumitTaneja commented 10 months ago

It's a Google Cloud machine:

    Machine type: c2d-standard-4
    CPU platform: AMD Milan
    Image: cos-stable-101-17162-127-5
    Container Image: mediagis/nominatim:4.3

And this is scanned by Google in the Security Command Center.

OS vulnerability: What was detected

AI Generated Summary The “OS_VULNERABILITY” finding on the google.compute.Instance named nominatim (//compute.googleapis.com/projects/xxx/zones/europe-west3-a/instances/xxx) was created because the VM Manager in Security Command Center identified a vulnerability in the Keccak XKCP SHA-3 reference implementation. This vulnerability allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

The following processes and libraries have been identified as anomalous:

Keccak XKCP SHA-3 reference implementation This finding poses a high risk because it allows attackers to execute arbitrary code or eliminate expected cryptographic properties.

To fix this finding, you should upgrade the Keccak XKCP SHA-3 reference implementation to the latest version.

mtmail commented 10 months ago

The base image cos-stable-101-17162-127-5 was released Feb 06, 2023. CVE-2022-37454 was addressed in cos-101-17162-210-44 (June 29, 2023 - https://cloud.google.com/container-optimized-os/docs/release-notes/m101) but so were 10 other CVEs. Do you have VMs running newer base images?
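
A defender-side check for the point raised above: whether a VM's Container-Optimized OS image build is older than the build that carried the fix. This is an added example, not code from nominatim-docker or Google; the image-name format and the fixed build cos-101-17162-210-44 for CVE-2022-37454 are taken from this thread, and any other version strings are constructed test values.

```python
"""Compare a COS image name against the build in which a CVE was fixed.

COS image names look like cos-<channel>-<milestone>-<build>-<minor>-<patch>,
e.g. cos-stable-101-17162-127-5; release notes sometimes omit the channel
(cos-101-17162-210-44). Builds are only comparable within one milestone.
"""
import re
from typing import Dict, NamedTuple, Tuple

# Fixed-in builds quoted in this thread (CVE-2022-37454 per mtmail's comment).
FIXED_IN: Dict[str, str] = {"CVE-2022-37454": "cos-101-17162-210-44"}

_COS_RE = re.compile(r"^cos-(?:[a-z]+-)?(\d+)-(\d+)-(\d+)-(\d+)$")


class CosVersion(NamedTuple):
    milestone: int
    build: Tuple[int, int, int]


def parse_cos_version(name: str) -> CosVersion:
    """Split a COS image name into its milestone and (build, minor, patch)."""
    m = _COS_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a COS image name: {name!r}")
    milestone, build, minor, patch = (int(x) for x in m.groups())
    return CosVersion(milestone, (build, minor, patch))


def is_fixed(image: str, fixed_in: str) -> bool:
    """True if `image` is on the same milestone as `fixed_in` and at or past it."""
    img, fix = parse_cos_version(image), parse_cos_version(fixed_in)
    if img.milestone != fix.milestone:
        # A different release line has its own fix build; refuse to guess.
        raise ValueError(f"milestone {img.milestone} != {fix.milestone}")
    return img.build >= fix.build


def unpatched_cves(image: str) -> Dict[str, str]:
    """Return {cve: fixed_in} for every known fix the image predates."""
    return {cve: fix for cve, fix in FIXED_IN.items() if not is_fixed(image, fix)}


if __name__ == "__main__":
    for img in ("cos-stable-101-17162-127-5", "cos-stable-101-17162-210-44"):
        print(img, "->", unpatched_cves(img) or "no known missing fixes")
```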

SumitTaneja commented 10 months ago

The VM was created on Feb 14, 2023, and at that time the latest base image was cos-stable-101-17162-127-5. The VM is still running on this base image, which has the OS vulnerability.

mtmail commented 10 months ago

So the VM base image is 9 months old, Nominatim was installed in June and Google Security Command Center added an alert recently (Dec/5th). I think the next step would be to test if the alert is shown when using a newer VM base image. Installing Nominatim for a small country (Luxembourg, Liechtenstein, Monaco) is fast. Trying multiple Nominatim Docker tweaks and patches back and forth takes longer.

leonardehrenfried commented 6 months ago

I'm closing this. Please test with the newest version of the image and re-open if it's still an issue.