nestybox / sysbox

An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
Apache License 2.0

AquaSec trivy flags sysbox with runc vulnerability #444

Closed jawnsy closed 2 years ago

jawnsy commented 2 years ago

Images containing sysbox are flagged with a vulnerability in runc when scanned with trivy, which I believe is looking at the module manifest included in compiled Go programs.

I'm uncertain whether the issue affects sysbox: because sysbox-runc uses a replace rule in its go.mod, the actual version of runc that sysbox uses is not the same version of runc that is listed.

This is the relevant warning, which applies to all of the sysbox binaries (sysbox-fs, sysbox-runc, and sysbox-mgr):

```text
usr/local/sbin/sysbox-runc (gobinary)
=====================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 0)

+-----------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+
|              LIBRARY              | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |              FIXED VERSION               |                 TITLE                 |
+-----------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+
| github.com/opencontainers/runc    | CVE-2016-3697    | HIGH     | v0.0.0-00010101000000-000000000000 | v0.1.0                                   | docker: privilege escalation via      |
|                                   |                  |          |                                    |                                          | confusion of usernames and UIDs       |
|                                   |                  |          |                                    |                                          | -->avd.aquasec.com/nvd/cve-2016-3697  |
+                                   +------------------+          +                                    +------------------------------------------+---------------------------------------+
|                                   | CVE-2019-16884   |          |                                    | v1.0.0-rc8.0.20190930145003-cad42f6e0932 | runc: AppArmor/SELinux bypass         |
|                                   |                  |          |                                    |                                          | with malicious image that             |
|                                   |                  |          |                                    |                                          | specifies a volume at /proc...        |
|                                   |                  |          |                                    |                                          | -->avd.aquasec.com/nvd/cve-2019-16884 |
+                                   +------------------+          +                                    +------------------------------------------+---------------------------------------+
|                                   | CVE-2019-19921   |          |                                    | v1.0.0-rc9.0.20200122160610-2fc03cc11c77 | runc: volume mount race condition     |
|                                   |                  |          |                                    |                                          | with shared mounts leads to           |
|                                   |                  |          |                                    |                                          | information leak/integrity...         |
|                                   |                  |          |                                    |                                          | -->avd.aquasec.com/nvd/cve-2019-19921 |
+-----------------------------------+------------------+          +------------------------------------+------------------------------------------+---------------------------------------+
| github.com/opencontainers/selinux | CVE-2019-16884   |          | v1.2.2                             | v1.3.1-0.20190929122143-5215b1806f52     | runc: AppArmor/SELinux bypass         |
|                                   |                  |          |                                    |                                          | with malicious image that             |
|                                   |                  |          |                                    |                                          | specifies a volume at /proc...        |
|                                   |                  |          |                                    |                                          | -->avd.aquasec.com/nvd/cve-2019-16884 |
+-----------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+
```

To reproduce this locally, you can simply run: `trivy image nestybox/sysbox-in-docker:ubuntu-focal`

Full logs from a local run of trivy:

```shell-session
$ trivy image nestybox/sysbox-in-docker:ubuntu-focal
2021-12-06T17:57:37.178Z	INFO	Detected OS: ubuntu
2021-12-06T17:57:37.178Z	INFO	Detecting Ubuntu vulnerabilities...
2021-12-06T17:57:37.181Z	INFO	Number of language-specific files: 3
2021-12-06T17:57:37.181Z	INFO	Detecting gobinary vulnerabilities...

nestybox/sysbox-in-docker:ubuntu-focal (ubuntu 20.04)
=====================================================
Total: 135 (UNKNOWN: 0, LOW: 55, MEDIUM: 72, HIGH: 8, CRITICAL: 0)
```

| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | LINK |
|---|---|---|---|---|---|---|
| apt | CVE-2020-27350 | MEDIUM | 2.0.2ubuntu0.1 | 2.0.2ubuntu0.2 | apt: integer overflows and underflows while parsing .deb packages | avd.aquasec.com/nvd/cve-2020-27350 |
| apt-transport-https | CVE-2020-27350 | MEDIUM | 2.0.2ubuntu0.1 | 2.0.2ubuntu0.2 | apt: integer overflows and underflows while parsing .deb packages | avd.aquasec.com/nvd/cve-2020-27350 |
| apt-utils | CVE-2020-27350 | MEDIUM | 2.0.2ubuntu0.1 | 2.0.2ubuntu0.2 | apt: integer overflows and underflows while parsing .deb packages | avd.aquasec.com/nvd/cve-2020-27350 |
| bash | CVE-2019-18276 | LOW | 5.0-6ubuntu1.1 | | bash: when effective UID is not equal to its real UID the... | avd.aquasec.com/nvd/cve-2019-18276 |
| coreutils | CVE-2016-2781 | LOW | 8.30-3ubuntu2 | | coreutils: Non-privileged session can escape to the parent session in chroot | avd.aquasec.com/nvd/cve-2016-2781 |
| curl | CVE-2020-8285 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.4 | curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used... | avd.aquasec.com/nvd/cve-2020-8285 |
| curl | CVE-2020-8286 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.4 | curl: Inferior OCSP verification | avd.aquasec.com/nvd/cve-2020-8286 |
| curl | CVE-2021-22876 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.5 | curl: Leak of authentication credentials in URL via automatic Referer | avd.aquasec.com/nvd/cve-2021-22876 |
| curl | CVE-2021-22890 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.5 | curl: TLS 1.3 session ticket mix-up with HTTPS proxy host | avd.aquasec.com/nvd/cve-2021-22890 |
| curl | CVE-2021-22924 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.6 | curl: Bad connection reuse due to flawed path name checks | avd.aquasec.com/nvd/cve-2021-22924 |
| curl | CVE-2021-22925 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.6 | curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure | avd.aquasec.com/nvd/cve-2021-22925 |
| curl | CVE-2021-22946 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.7 | curl: Requirement to use TLS not properly enforced for IMAP, POP3, and... | avd.aquasec.com/nvd/cve-2021-22946 |
| curl | CVE-2021-22947 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.7 | curl: Server responses received before STARTTLS processed after TLS handshake | avd.aquasec.com/nvd/cve-2021-22947 |
| curl | CVE-2020-8284 | LOW | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.4 | curl: FTP PASV command response can cause curl to connect to arbitrary... | avd.aquasec.com/nvd/cve-2020-8284 |
| curl | CVE-2021-22898 | LOW | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.6 | curl: TELNET stack contents disclosure | avd.aquasec.com/nvd/cve-2021-22898 |
| gcc-10-base | CVE-2020-13844 | MEDIUM | 10-20200411-0ubuntu1 | 10.2.0-5ubuntu1~20.04 | kernel: ARM straight-line speculation vulnerability | avd.aquasec.com/nvd/cve-2020-13844 |
| libapt-pkg6.0 | CVE-2020-27350 | MEDIUM | 2.0.2ubuntu0.1 | 2.0.2ubuntu0.2 | apt: integer overflows and underflows while parsing .deb packages | avd.aquasec.com/nvd/cve-2020-27350 |
| libasn1-8-heimdal | CVE-2021-3671 | LOW | 7.7.0+dfsg-1ubuntu1 | | samba: Null pointer dereference on missing sname in TGS-REQ | avd.aquasec.com/nvd/cve-2021-3671 |
| libc-bin | CVE-2021-35942 | MEDIUM | 2.31-0ubuntu9.1 | | glibc: Arbitrary read in wordexp() | avd.aquasec.com/nvd/cve-2021-35942 |
| libc-bin | CVE-2021-38604 | MEDIUM | 2.31-0ubuntu9.1 | | glibc: NULL pointer dereference in helper_thread() in mq_notify.c while handling NOTIFY_REMOVED messages... | avd.aquasec.com/nvd/cve-2021-38604 |
| libc-bin | CVE-2016-10228 | LOW | 2.31-0ubuntu9.1 | | glibc: iconv program can hang when invoked with the -c option | avd.aquasec.com/nvd/cve-2016-10228 |
| libc-bin | CVE-2019-25013 | LOW | 2.31-0ubuntu9.1 | | glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in... | avd.aquasec.com/nvd/cve-2019-25013 |
| libc-bin | CVE-2020-27618 | LOW | 2.31-0ubuntu9.1 | | glibc: iconv when processing invalid multi-byte input sequences fails to advance the... | avd.aquasec.com/nvd/cve-2020-27618 |
| libc-bin | CVE-2020-29562 | LOW | 2.31-0ubuntu9.1 | | glibc: assertion failure in iconv when converting invalid UCS4 | avd.aquasec.com/nvd/cve-2020-29562 |
| libc-bin | CVE-2020-6096 | LOW | 2.31-0ubuntu9.1 | | glibc: signed comparison vulnerability in the ARMv7 memcpy function | avd.aquasec.com/nvd/cve-2020-6096 |
| libc-bin | CVE-2021-27645 | LOW | 2.31-0ubuntu9.1 | | glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c | avd.aquasec.com/nvd/cve-2021-27645 |
| libc-bin | CVE-2021-3326 | LOW | 2.31-0ubuntu9.1 | | glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters | avd.aquasec.com/nvd/cve-2021-3326 |
| libc-bin | CVE-2021-33574 | LOW | 2.31-0ubuntu9.1 | | glibc: mq_notify does not handle separately allocated thread attributes | avd.aquasec.com/nvd/cve-2021-33574 |
| libc6 | CVE-2021-35942 | MEDIUM | 2.31-0ubuntu9.1 | | glibc: Arbitrary read in wordexp() | avd.aquasec.com/nvd/cve-2021-35942 |
| libc6 | CVE-2021-38604 | MEDIUM | 2.31-0ubuntu9.1 | | glibc: NULL pointer dereference in helper_thread() in mq_notify.c while handling NOTIFY_REMOVED messages... | avd.aquasec.com/nvd/cve-2021-38604 |
| libc6 | CVE-2016-10228 | LOW | 2.31-0ubuntu9.1 | | glibc: iconv program can hang when invoked with the -c option | avd.aquasec.com/nvd/cve-2016-10228 |
| libc6 | CVE-2019-25013 | LOW | 2.31-0ubuntu9.1 | | glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in... | avd.aquasec.com/nvd/cve-2019-25013 |
| libc6 | CVE-2020-27618 | LOW | 2.31-0ubuntu9.1 | | glibc: iconv when processing invalid multi-byte input sequences fails to advance the... | avd.aquasec.com/nvd/cve-2020-27618 |
| libc6 | CVE-2020-29562 | LOW | 2.31-0ubuntu9.1 | | glibc: assertion failure in iconv when converting invalid UCS4 | avd.aquasec.com/nvd/cve-2020-29562 |
| libc6 | CVE-2020-6096 | LOW | 2.31-0ubuntu9.1 | | glibc: signed comparison vulnerability in the ARMv7 memcpy function | avd.aquasec.com/nvd/cve-2020-6096 |
| libc6 | CVE-2021-27645 | LOW | 2.31-0ubuntu9.1 | | glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c | avd.aquasec.com/nvd/cve-2021-27645 |
| libc6 | CVE-2021-3326 | LOW | 2.31-0ubuntu9.1 | | glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters | avd.aquasec.com/nvd/cve-2021-3326 |
| libc6 | CVE-2021-33574 | LOW | 2.31-0ubuntu9.1 | | glibc: mq_notify does not handle separately allocated thread attributes | avd.aquasec.com/nvd/cve-2021-33574 |
| libcurl4 | CVE-2020-8285 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.4 | curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used... | avd.aquasec.com/nvd/cve-2020-8285 |
| libcurl4 | CVE-2020-8286 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.4 | curl: Inferior OCSP verification | avd.aquasec.com/nvd/cve-2020-8286 |
| libcurl4 | CVE-2021-22876 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.5 | curl: Leak of authentication credentials in URL via automatic Referer | avd.aquasec.com/nvd/cve-2021-22876 |
| libcurl4 | CVE-2021-22890 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.5 | curl: TLS 1.3 session ticket mix-up with HTTPS proxy host | avd.aquasec.com/nvd/cve-2021-22890 |
| libcurl4 | CVE-2021-22924 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.6 | curl: Bad connection reuse due to flawed path name checks | avd.aquasec.com/nvd/cve-2021-22924 |
| libcurl4 | CVE-2021-22925 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.6 | curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure | avd.aquasec.com/nvd/cve-2021-22925 |
| libcurl4 | CVE-2021-22946 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.7 | curl: Requirement to use TLS not properly enforced for IMAP, POP3, and... | avd.aquasec.com/nvd/cve-2021-22946 |
| libcurl4 | CVE-2021-22947 | MEDIUM | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.7 | curl: Server responses received before STARTTLS processed after TLS handshake | avd.aquasec.com/nvd/cve-2021-22947 |
| libcurl4 | CVE-2020-8284 | LOW | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.4 | curl: FTP PASV command response can cause curl to connect to arbitrary... | avd.aquasec.com/nvd/cve-2020-8284 |
| libcurl4 | CVE-2021-22898 | LOW | 7.68.0-1ubuntu2.2 | 7.68.0-1ubuntu2.6 | curl: TELNET stack contents disclosure | avd.aquasec.com/nvd/cve-2021-22898 |
| libgcc-s1 | CVE-2020-13844 | MEDIUM | 10-20200411-0ubuntu1 | 10.2.0-5ubuntu1~20.04 | kernel: ARM straight-line speculation vulnerability | avd.aquasec.com/nvd/cve-2020-13844 |
| libgcrypt20 | CVE-2021-40528 | MEDIUM | 1.8.5-5ubuntu1 | 1.8.5-5ubuntu1.1 | libgcrypt: ElGamal implementation allows plaintext recovery | avd.aquasec.com/nvd/cve-2021-40528 |
| libgcrypt20 | CVE-2021-33560 | LOW | 1.8.5-5ubuntu1 | 1.8.5-5ubuntu1.1 | libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a... | avd.aquasec.com/nvd/cve-2021-33560 |
| libgmp10 | CVE-2021-43618 | LOW | 2:6.2.0+dfsg-4 | | gmp: Integer overflow and resultant buffer overflow via crafted input | avd.aquasec.com/nvd/cve-2021-43618 |
| libgnutls30 | CVE-2021-20231 | LOW | 3.6.13-2ubuntu1.3 | 3.6.13-2ubuntu1.6 | gnutls: Use after free in client key_share extension | avd.aquasec.com/nvd/cve-2021-20231 |
| libgnutls30 | CVE-2021-20232 | LOW | 3.6.13-2ubuntu1.3 | 3.6.13-2ubuntu1.6 | gnutls: Use after free in client_send_params in lib/ext/pre_shared_key.c | avd.aquasec.com/nvd/cve-2021-20232 |
| libgssapi-krb5-2 | CVE-2021-36222 | MEDIUM | 1.17-6ubuntu4.1 | | krb5: Sending a request containing PA-ENCRYPTED-CHALLENGE padata element without using FAST could... | avd.aquasec.com/nvd/cve-2021-36222 |
| libgssapi-krb5-2 | CVE-2018-5709 | LOW | 1.17-6ubuntu4.1 | | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c | avd.aquasec.com/nvd/cve-2018-5709 |
| libgssapi3-heimdal | CVE-2021-3671 | LOW | 7.7.0+dfsg-1ubuntu1 | | samba: Null pointer dereference on missing sname in TGS-REQ | avd.aquasec.com/nvd/cve-2021-3671 |
| libhcrypto4-heimdal | CVE-2021-3671 | LOW | 7.7.0+dfsg-1ubuntu1 | | samba: Null pointer dereference on missing sname in TGS-REQ | avd.aquasec.com/nvd/cve-2021-3671 |
| libheimbase1-heimdal | CVE-2021-3671 | LOW | 7.7.0+dfsg-1ubuntu1 | | samba: Null pointer dereference on missing sname in TGS-REQ | avd.aquasec.com/nvd/cve-2021-3671 |
| libheimntlm0-heimdal | CVE-2021-3671 | LOW | 7.7.0+dfsg-1ubuntu1 | | samba: Null pointer dereference on missing sname in TGS-REQ | avd.aquasec.com/nvd/cve-2021-3671 |
| libhogweed5 | CVE-2021-20305 | MEDIUM | 3.5.1+really3.5.1-2 | 3.5.1+really3.5.1-2ubuntu0.1 | nettle: Out of bounds memory access in signature verification | avd.aquasec.com/nvd/cve-2021-20305 |
| libhogweed5 | CVE-2021-3580 | MEDIUM | 3.5.1+really3.5.1-2 | 3.5.1+really3.5.1-2ubuntu0.2 | nettle: Remote crash in RSA decryption via manipulated ciphertext | avd.aquasec.com/nvd/cve-2021-3580 |
| libhx509-5-heimdal | CVE-2021-3671 | LOW | 7.7.0+dfsg-1ubuntu1 | | samba: Null pointer dereference on missing sname in TGS-REQ | avd.aquasec.com/nvd/cve-2021-3671 |
| libk5crypto3 | CVE-2021-36222 | MEDIUM | 1.17-6ubuntu4.1 | | krb5: Sending a request containing PA-ENCRYPTED-CHALLENGE padata element without using FAST could... | avd.aquasec.com/nvd/cve-2021-36222 |
| libk5crypto3 | CVE-2018-5709 | LOW | 1.17-6ubuntu4.1 | | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c | avd.aquasec.com/nvd/cve-2018-5709 |
| libkrb5-26-heimdal | CVE-2021-3671 | LOW | 7.7.0+dfsg-1ubuntu1 | | samba: Null pointer dereference on missing sname in TGS-REQ | avd.aquasec.com/nvd/cve-2021-3671 |
| libkrb5-3 | CVE-2021-36222 | MEDIUM | 1.17-6ubuntu4.1 | | krb5: Sending a request containing PA-ENCRYPTED-CHALLENGE padata element without using FAST could... | avd.aquasec.com/nvd/cve-2021-36222 |
| libkrb5-3 | CVE-2018-5709 | LOW | 1.17-6ubuntu4.1 | | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c | avd.aquasec.com/nvd/cve-2018-5709 |
| libkrb5support0 | CVE-2021-36222 | MEDIUM | 1.17-6ubuntu4.1 | | krb5: Sending a request containing PA-ENCRYPTED-CHALLENGE padata element without using FAST could... | avd.aquasec.com/nvd/cve-2021-36222 |
| libkrb5support0 | CVE-2018-5709 | LOW | 1.17-6ubuntu4.1 | | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c | avd.aquasec.com/nvd/cve-2018-5709 |
| libldap-2.4-2 | CVE-2020-36221 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Integer underflow in serialNumberAndIssuerCheck in schema_init.c | avd.aquasec.com/nvd/cve-2020-36221 |
| libldap-2.4-2 | CVE-2020-36222 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Assertion failure in slapd in the saslAuthzTo validation | avd.aquasec.com/nvd/cve-2020-36222 |
| libldap-2.4-2 | CVE-2020-36223 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Out-of-bounds read in Values Return Filter | avd.aquasec.com/nvd/cve-2020-36223 |
| libldap-2.4-2 | CVE-2020-36224 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Invalid pointer free in the saslAuthzTo processing | avd.aquasec.com/nvd/cve-2020-36224 |
| libldap-2.4-2 | CVE-2020-36225 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Double free in the saslAuthzTo processing | avd.aquasec.com/nvd/cve-2020-36225 |
| libldap-2.4-2 | CVE-2020-36226 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Denial of service via length miscalculation in slap_parse_user | avd.aquasec.com/nvd/cve-2020-36226 |
| libldap-2.4-2 | CVE-2020-36227 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Infinite loop in slapd with the cancel_extop Cancel operation | avd.aquasec.com/nvd/cve-2020-36227 |
| libldap-2.4-2 | CVE-2020-36228 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Integer underflow in issuerAndThisUpdateCheck in schema_init.c | avd.aquasec.com/nvd/cve-2020-36228 |
| libldap-2.4-2 | CVE-2020-36229 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Type confusion in ad_keystring in ad.c | avd.aquasec.com/nvd/cve-2020-36229 |
| libldap-2.4-2 | CVE-2020-36230 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Assertion failure in ber_next_element in decode.c | avd.aquasec.com/nvd/cve-2020-36230 |
| libldap-2.4-2 | CVE-2021-27212 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.7 | openldap: Assertion failure in slapd in the issuerAndThisUpdateCheck function | avd.aquasec.com/nvd/cve-2021-27212 |
| libldap-common | CVE-2020-36221 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Integer underflow in serialNumberAndIssuerCheck in schema_init.c | avd.aquasec.com/nvd/cve-2020-36221 |
| libldap-common | CVE-2020-36222 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Assertion failure in slapd in the saslAuthzTo validation | avd.aquasec.com/nvd/cve-2020-36222 |
| libldap-common | CVE-2020-36223 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Out-of-bounds read in Values Return Filter | avd.aquasec.com/nvd/cve-2020-36223 |
| libldap-common | CVE-2020-36224 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Invalid pointer free in the saslAuthzTo processing | avd.aquasec.com/nvd/cve-2020-36224 |
| libldap-common | CVE-2020-36225 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Double free in the saslAuthzTo processing | avd.aquasec.com/nvd/cve-2020-36225 |
| libldap-common | CVE-2020-36226 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Denial of service via length miscalculation in slap_parse_user | avd.aquasec.com/nvd/cve-2020-36226 |
| libldap-common | CVE-2020-36227 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Infinite loop in slapd with the cancel_extop Cancel operation | avd.aquasec.com/nvd/cve-2020-36227 |
| libldap-common | CVE-2020-36228 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Integer underflow in issuerAndThisUpdateCheck in schema_init.c | avd.aquasec.com/nvd/cve-2020-36228 |
| libldap-common | CVE-2020-36229 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Type confusion in ad_keystring in ad.c | avd.aquasec.com/nvd/cve-2020-36229 |
| libldap-common | CVE-2020-36230 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.6 | openldap: Assertion failure in ber_next_element in decode.c | avd.aquasec.com/nvd/cve-2020-36230 |
| libldap-common | CVE-2021-27212 | MEDIUM | 2.4.49+dfsg-2ubuntu1.5 | 2.4.49+dfsg-2ubuntu1.7 | openldap: Assertion failure in slapd in the issuerAndThisUpdateCheck function | avd.aquasec.com/nvd/cve-2021-27212 |
| liblz4-1 | CVE-2021-3520 | MEDIUM | 1.9.2-2 | 1.9.2-2ubuntu0.20.04.1 | lz4: memory corruption due to an integer overflow bug caused by memmove... | avd.aquasec.com/nvd/cve-2021-3520 |
| libnettle7 | CVE-2021-20305 | MEDIUM | 3.5.1+really3.5.1-2 | 3.5.1+really3.5.1-2ubuntu0.1 | nettle: Out of bounds memory access in signature verification | avd.aquasec.com/nvd/cve-2021-20305 |
| libnettle7 | CVE-2021-3580 | MEDIUM | 3.5.1+really3.5.1-2 | 3.5.1+really3.5.1-2ubuntu0.2 | nettle: Remote crash in RSA decryption via manipulated ciphertext | avd.aquasec.com/nvd/cve-2021-3580 |
| libp11-kit0 | CVE-2020-29361 | MEDIUM | 0.23.20-1build1 | 0.23.20-1ubuntu0.1 | p11-kit: integer overflow when allocating memory for arrays or attributes and object... | avd.aquasec.com/nvd/cve-2020-29361 |
| libp11-kit0 | CVE-2020-29362 | MEDIUM | 0.23.20-1build1 | 0.23.20-1ubuntu0.1 | p11-kit: out-of-bounds read in p11_rpc_buffer_get_byte_array function in rpc-message.c | avd.aquasec.com/nvd/cve-2020-29362 |
| libp11-kit0 | CVE-2020-29363 | MEDIUM | 0.23.20-1build1 | 0.23.20-1ubuntu0.1 | p11-kit: out-of-bounds write in p11_rpc_buffer_get_byte_array_value function in rpc-message.c | avd.aquasec.com/nvd/cve-2020-29363 |
| libpcre3 | CVE-2017-11164 | LOW | 2:8.39-12build1 | | pcre: OP_KETRMAX feature in the match function in pcre_exec.c | avd.aquasec.com/nvd/cve-2017-11164 |
| libpcre3 | CVE-2019-20838 | LOW | 2:8.39-12build1 | | pcre: Buffer over-read in JIT when UTF is disabled and \X or... | avd.aquasec.com/nvd/cve-2019-20838 |
| libpcre3 | CVE-2020-14155 | LOW | 2:8.39-12build1 | | pcre: Integer overflow when parsing callout numeric arguments | avd.aquasec.com/nvd/cve-2020-14155 |
| libroken18-heimdal | CVE-2021-3671 | LOW | 7.7.0+dfsg-1ubuntu1 | | samba: Null pointer dereference on missing sname in TGS-REQ | avd.aquasec.com/nvd/cve-2021-3671 |
| libsqlite3-0 | CVE-2020-9794 | MEDIUM | 3.31.1-4ubuntu0.2 | | An out-of-bounds read was addressed with improved bounds checking. This issue is... | avd.aquasec.com/nvd/cve-2020-9794 |
| libsqlite3-0 | CVE-2020-9849 | LOW | 3.31.1-4ubuntu0.2 | | An information disclosure issue was addressed with improved state management. This issue... | avd.aquasec.com/nvd/cve-2020-9849 |
| libsqlite3-0 | CVE-2020-9991 | LOW | 3.31.1-4ubuntu0.2 | | This issue was addressed with improved checks. This issue is fixed in... | |
| | | | | | | -->avd.aquasec.com/nvd/cve-2020-9991 | +----------------------+------------------+----------+------------------------+------------------------------+-----------------------------------------+ | libssh-4 | CVE-2021-3634 | MEDIUM | 0.9.3-2ubuntu2.1 | 0.9.3-2ubuntu2.2 | libssh: possible heap-based | | | | | | | buffer overflow when rekeying | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3634 | +----------------------+------------------+----------+------------------------+------------------------------+-----------------------------------------+ | libssl1.1 | CVE-2020-1971 | HIGH | 1.1.1f-1ubuntu2 | 1.1.1f-1ubuntu2.1 | openssl: EDIPARTYNAME | | | | | | | NULL pointer de-reference | | | | | | | -->avd.aquasec.com/nvd/cve-2020-1971 | + +------------------+ + +------------------------------+-----------------------------------------+ | | CVE-2021-3449 | | | 1.1.1f-1ubuntu2.3 | openssl: NULL pointer dereference | | | | | | | in signature_algorithms processing | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3449 | + +------------------+ + +------------------------------+-----------------------------------------+ | | CVE-2021-3711 | | | 1.1.1f-1ubuntu2.8 | openssl: SM2 Decryption | | | | | | | Buffer Overflow | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3711 | + +------------------+----------+ +------------------------------+-----------------------------------------+ | | CVE-2021-23841 | MEDIUM | | 1.1.1f-1ubuntu2.2 | openssl: NULL pointer dereference | | | | | | | in X509_issuer_and_serial_hash() | | | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 | + +------------------+ + +------------------------------+-----------------------------------------+ | | CVE-2021-3712 | | | 1.1.1f-1ubuntu2.8 | openssl: Read buffer overruns | | | | | | | processing ASN.1 strings | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3712 | + +------------------+----------+ +------------------------------+-----------------------------------------+ | | CVE-2021-23840 | LOW | | 1.1.1f-1ubuntu2.2 
| openssl: integer | | | | | | | overflow in CipherUpdate | | | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 | +----------------------+------------------+----------+------------------------+------------------------------+-----------------------------------------+ | libstdc++6 | CVE-2020-13844 | MEDIUM | 10-20200411-0ubuntu1 | 10.2.0-5ubuntu1~20.04 | kernel: ARM straight-line | | | | | | | speculation vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2020-13844 | +----------------------+------------------+----------+------------------------+------------------------------+-----------------------------------------+ | libsystemd0 | CVE-2021-33910 | HIGH | 245.4-4ubuntu3.2 | 245.4-4ubuntu3.10 | systemd: uncontrolled | | | | | | | allocation on the stack in | | | | | | | function unit_name_path_escape | | | | | | | leads to crash... | | | | | | | -->avd.aquasec.com/nvd/cve-2021-33910 | + +------------------+----------+ + +-----------------------------------------+ | | CVE-2020-13529 | LOW | | | systemd: DHCP FORCERENEW | | | | | | | authentication not implemented | | | | | | | can cause a system running the... | | | | | | | -->avd.aquasec.com/nvd/cve-2020-13529 | +----------------------+------------------+ +------------------------+------------------------------+-----------------------------------------+ | libtasn1-6 | CVE-2018-1000654 | | 4.16.0-2 | | libtasn1: Infinite loop in | | | | | | | _asn1_expand_object_id(ptree) | | | | | | | leads to memory exhaustion | | | | | | | -->avd.aquasec.com/nvd/cve-2018-1000654 | +----------------------+------------------+----------+------------------------+------------------------------+-----------------------------------------+ | libudev1 | CVE-2021-33910 | HIGH | 245.4-4ubuntu3.2 | 245.4-4ubuntu3.10 | systemd: uncontrolled | | | | | | | allocation on the stack in | | | | | | | function unit_name_path_escape | | | | | | | leads to crash... 
| | | | | | | -->avd.aquasec.com/nvd/cve-2021-33910 | + +------------------+----------+ + +-----------------------------------------+ | | CVE-2020-13529 | LOW | | | systemd: DHCP FORCERENEW | | | | | | | authentication not implemented | | | | | | | can cause a system running the... | | | | | | | -->avd.aquasec.com/nvd/cve-2020-13529 | +----------------------+------------------+ +------------------------+------------------------------+-----------------------------------------+ | libwind0-heimdal | CVE-2021-3671 | | 7.7.0+dfsg-1ubuntu1 | | samba: Null pointer dereference | | | | | | | on missing sname in TGS-REQ | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3671 | +----------------------+------------------+----------+------------------------+------------------------------+-----------------------------------------+ | libzstd1 | CVE-2021-24031 | MEDIUM | 1.4.4+dfsg-3 | 1.4.4+dfsg-3ubuntu0.1 | zstd: adds read permissions | | | | | | | to files while being | | | | | | | compressed or uncompressed | | | | | | | -->avd.aquasec.com/nvd/cve-2021-24031 | + +------------------+ + + +-----------------------------------------+ | | CVE-2021-24032 | | | | zstd: Race condition | | | | | | | allows attacker to access | | | | | | | world-readable destination file | | | | | | | -->avd.aquasec.com/nvd/cve-2021-24032 | +----------------------+------------------+----------+------------------------+------------------------------+-----------------------------------------+ | login | CVE-2013-4235 | LOW | 1:4.8.1-1ubuntu5.20.04 | | shadow-utils: TOCTOU race | | | | | | | conditions by copying and | | | | | | | removing directory trees | | | | | | | -->avd.aquasec.com/nvd/cve-2013-4235 | +----------------------+------------------+----------+------------------------+------------------------------+-----------------------------------------+ | openssl | CVE-2020-1971 | HIGH | 1.1.1f-1ubuntu2 | 1.1.1f-1ubuntu2.1 | openssl: EDIPARTYNAME | | | | | | | NULL pointer de-reference | | | | | | | 
-->avd.aquasec.com/nvd/cve-2020-1971 | + +------------------+ + +------------------------------+-----------------------------------------+ | | CVE-2021-3449 | | | 1.1.1f-1ubuntu2.3 | openssl: NULL pointer dereference | | | | | | | in signature_algorithms processing | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3449 | + +------------------+ + +------------------------------+-----------------------------------------+ | | CVE-2021-3711 | | | 1.1.1f-1ubuntu2.8 | openssl: SM2 Decryption | | | | | | | Buffer Overflow | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3711 | + +------------------+----------+ +------------------------------+-----------------------------------------+ | | CVE-2021-23841 | MEDIUM | | 1.1.1f-1ubuntu2.2 | openssl: NULL pointer dereference | | | | | | | in X509_issuer_and_serial_hash() | | | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 | + +------------------+ + +------------------------------+-----------------------------------------+ | | CVE-2021-3712 | | | 1.1.1f-1ubuntu2.8 | openssl: Read buffer overruns | | | | | | | processing ASN.1 strings | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3712 | + +------------------+----------+ +------------------------------+-----------------------------------------+ | | CVE-2021-23840 | LOW | | 1.1.1f-1ubuntu2.2 | openssl: integer | | | | | | | overflow in CipherUpdate | | | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 | +----------------------+------------------+ +------------------------+------------------------------+-----------------------------------------+ | passwd | CVE-2013-4235 | | 1:4.8.1-1ubuntu5.20.04 | | shadow-utils: TOCTOU race | | | | | | | conditions by copying and | | | | | | | removing directory trees | | | | | | | -->avd.aquasec.com/nvd/cve-2013-4235 | +----------------------+------------------+----------+------------------------+------------------------------+-----------------------------------------+ | perl-base | CVE-2020-16156 | MEDIUM | 5.30.0-9build1 | | [Signature Verification 
Bypass] | | | | | | | -->avd.aquasec.com/nvd/cve-2020-16156 | + +------------------+----------+ +------------------------------+-----------------------------------------+ | | CVE-2020-10543 | LOW | | 5.30.0-9ubuntu0.2 | perl: heap-based buffer | | | | | | | overflow in regular expression | | | | | | | compiler leads to DoS | | | | | | | -->avd.aquasec.com/nvd/cve-2020-10543 | + +------------------+ + + +-----------------------------------------+ | | CVE-2020-10878 | | | | perl: corruption of intermediate | | | | | | | language state of compiled | | | | | | | regular expression due to... | | | | | | | -->avd.aquasec.com/nvd/cve-2020-10878 | + +------------------+ + + +-----------------------------------------+ | | CVE-2020-12723 | | | | perl: corruption of intermediate | | | | | | | language state of compiled | | | | | | | regular expression due to... | | | | | | | -->avd.aquasec.com/nvd/cve-2020-12723 | +----------------------+------------------+ +------------------------+------------------------------+-----------------------------------------+ | tar | CVE-2019-9923 | | 1.30+dfsg-7 | 1.30+dfsg-7ubuntu0.20.04.1 | tar: null-pointer dereference | | | | | | | in pax_decode_header in sparse.c | | | | | | | -->avd.aquasec.com/nvd/cve-2019-9923 | +----------------------+------------------+----------+------------------------+------------------------------+-----------------------------------------+ | wget | CVE-2021-31879 | MEDIUM | 1.20.3-1ubuntu1 | | wget: authorization header | | | | | | | disclosure on redirect | | | | | | | -->avd.aquasec.com/nvd/cve-2021-31879 | +----------------------+------------------+----------+------------------------+------------------------------+-----------------------------------------+ usr/local/sbin/sysbox-fs (gobinary) =================================== Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 0) 
+-----------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +-----------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+ | github.com/opencontainers/runc | CVE-2016-3697 | HIGH | v0.0.0-00010101000000-000000000000 | v0.1.0 | docker: privilege escalation via | | | | | | | confusion of usernames and UIDs | | | | | | | -->avd.aquasec.com/nvd/cve-2016-3697 | + +------------------+ + +------------------------------------------+---------------------------------------+ | | CVE-2019-16884 | | | v1.0.0-rc8.0.20190930145003-cad42f6e0932 | runc: AppArmor/SELinux bypass | | | | | | | with malicious image that | | | | | | | specifies a volume at /proc... | | | | | | | -->avd.aquasec.com/nvd/cve-2019-16884 | + +------------------+ + +------------------------------------------+---------------------------------------+ | | CVE-2019-19921 | | | v1.0.0-rc9.0.20200122160610-2fc03cc11c77 | runc: volume mount race condition | | | | | | | with shared mounts leads to | | | | | | | information leak/integrity... | | | | | | | -->avd.aquasec.com/nvd/cve-2019-19921 | +-----------------------------------+------------------+ +------------------------------------+------------------------------------------+---------------------------------------+ | github.com/opencontainers/selinux | CVE-2019-16884 | | v1.2.2 | v1.3.1-0.20190929122143-5215b1806f52 | runc: AppArmor/SELinux bypass | | | | | | | with malicious image that | | | | | | | specifies a volume at /proc... 
| | | | | | | -->avd.aquasec.com/nvd/cve-2019-16884 | +-----------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+ usr/local/sbin/sysbox-mgr (gobinary) ==================================== Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0) +--------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +--------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+ | github.com/opencontainers/runc | CVE-2016-3697 | HIGH | v0.0.0-00010101000000-000000000000 | v0.1.0 | docker: privilege escalation via | | | | | | | confusion of usernames and UIDs | | | | | | | -->avd.aquasec.com/nvd/cve-2016-3697 | + +------------------+ + +------------------------------------------+---------------------------------------+ | | CVE-2019-16884 | | | v1.0.0-rc8.0.20190930145003-cad42f6e0932 | runc: AppArmor/SELinux bypass | | | | | | | with malicious image that | | | | | | | specifies a volume at /proc... | | | | | | | -->avd.aquasec.com/nvd/cve-2019-16884 | + +------------------+ + +------------------------------------------+---------------------------------------+ | | CVE-2019-19921 | | | v1.0.0-rc9.0.20200122160610-2fc03cc11c77 | runc: volume mount race condition | | | | | | | with shared mounts leads to | | | | | | | information leak/integrity... 
| | | | | | | -->avd.aquasec.com/nvd/cve-2019-19921 | +--------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+ usr/local/sbin/sysbox-runc (gobinary) ===================================== Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 0) +-----------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +-----------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+ | github.com/opencontainers/runc | CVE-2016-3697 | HIGH | v0.0.0-00010101000000-000000000000 | v0.1.0 | docker: privilege escalation via | | | | | | | confusion of usernames and UIDs | | | | | | | -->avd.aquasec.com/nvd/cve-2016-3697 | + +------------------+ + +------------------------------------------+---------------------------------------+ | | CVE-2019-16884 | | | v1.0.0-rc8.0.20190930145003-cad42f6e0932 | runc: AppArmor/SELinux bypass | | | | | | | with malicious image that | | | | | | | specifies a volume at /proc... | | | | | | | -->avd.aquasec.com/nvd/cve-2019-16884 | + +------------------+ + +------------------------------------------+---------------------------------------+ | | CVE-2019-19921 | | | v1.0.0-rc9.0.20200122160610-2fc03cc11c77 | runc: volume mount race condition | | | | | | | with shared mounts leads to | | | | | | | information leak/integrity... 
| | | | | | | -->avd.aquasec.com/nvd/cve-2019-19921 | +-----------------------------------+------------------+ +------------------------------------+------------------------------------------+---------------------------------------+ | github.com/opencontainers/selinux | CVE-2019-16884 | | v1.2.2 | v1.3.1-0.20190929122143-5215b1806f52 | runc: AppArmor/SELinux bypass | | | | | | | with malicious image that | | | | | | | specifies a volume at /proc... | | | | | | | -->avd.aquasec.com/nvd/cve-2019-16884 | +-----------------------------------+------------------+----------+------------------------------------+------------------------------------------+---------------------------------------+ ```
rodnymolina commented 2 years ago

We are dealing with a cosmetic issue since fixes for all the CVEs reported here have been part of Sysbox for quite some time.

Looks like trivy is not smart enough to realize that Sysbox is overriding the pointers to the oci-runc code by making use of a replace instruction in its go.mod file.
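
The mismatch described above can be checked directly against the module list a Go binary embeds, which (per jawnsy's description) is what trivy inspects. The following is an added example, not code from sysbox or trivy: it reads that list with `debug/buildinfo` (Go 1.18+) and prints, per dependency, the version declared by the `require` beside the module a `replace` directive actually linked in, flagging entries where a Replace-unaware scanner would match advisories against code the binary does not contain. The `modview` program name is hypothetical.

```go
// Added example (not sysbox or trivy code): list the modules embedded in a
// Go binary and show, per dependency, the go.mod requirement beside the
// module that a "replace" directive actually linked in.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// ModuleView is one dependency as two kinds of scanner would see it: one
// that reads only Path/Version, and one that follows Replace.
type ModuleView struct {
	DeclaredPath     string
	DeclaredVersion  string // e.g. v0.0.0-00010101000000-000000000000 for a replaced require
	EffectivePath    string
	EffectiveVersion string
	Replaced         bool
	// Misleading: a Replace-unaware scanner would match advisories against
	// a path/version that is not the code compiled into the binary.
	Misleading bool
}

// effective follows the Replace chain to the module actually compiled in.
func effective(m *debug.Module) *debug.Module {
	for m.Replace != nil {
		m = m.Replace
	}
	return m
}

// Inspect converts BuildInfo.Deps into ModuleViews.
func Inspect(deps []*debug.Module) []ModuleView {
	out := make([]ModuleView, 0, len(deps))
	for _, d := range deps {
		e := effective(d)
		out = append(out, ModuleView{
			DeclaredPath:     d.Path,
			DeclaredVersion:  d.Version,
			EffectivePath:    e.Path,
			EffectiveVersion: e.Version,
			Replaced:         d.Replace != nil,
			Misleading:       d.Replace != nil && (d.Path != e.Path || d.Version != e.Version),
		})
	}
	return out
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: modview <go-binary>")
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1]) // e.g. a sysbox-runc binary
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, v := range Inspect(bi.Deps) {
		line := fmt.Sprintf("%s %s", v.DeclaredPath, v.DeclaredVersion)
		if v.Replaced {
			line += fmt.Sprintf(" => %s %s", v.EffectivePath, v.EffectiveVersion)
		}
		if v.Misleading {
			line += "   [Replace-unaware scanners check the declared version]"
		}
		fmt.Println(line)
	}
}
```

Run it against a binary from the image (for example `usr/local/sbin/sysbox-runc` extracted from it) to see whether the runc requirement trivy reported is redirected by a replace and what it actually resolves to.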

jawnsy commented 2 years ago

@rodnymolina Thanks so much for the quick turnaround on this fix! FYI, I think you will need to apply the same changes to sysbox-fs and sysbox-mgr too: https://github.com/nestybox/sysbox-fs/blob/defca0dfc9bec25261f4b69f9d5cd1460695d458/go.mod#L19 and https://github.com/nestybox/sysbox-mgr/blob/9f1a13dc79214b66d0730d1bf85bc3eb60864050/go.mod#L20

These are in the full detailed output, but I omitted it from the summary view for the sake of brevity.

Once you merge this, I'm happy to help re-run the scan to "test" if you'd like! Are the Docker Hub images (e.g. nestybox/sysbox-in-docker:ubuntu-focal) updated automatically on merge?

rodnymolina commented 2 years ago

PRs for all the subrepos are in review now -- see runc's one here.

```
$ trivy image nestybox/sysbox-in-docker:ubuntu-focal
2021-12-06T19:53:33.897-0500    INFO    Need to update DB
2021-12-06T19:53:33.897-0500    INFO    Downloading DB...
25.09 MiB / 25.09 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.29 MiB p/s 3s
2021-12-06T19:53:44.788-0500    INFO    Detected OS: ubuntu
2021-12-06T19:53:44.789-0500    INFO    Detecting Ubuntu vulnerabilities...
2021-12-06T19:53:44.792-0500    INFO    Number of language-specific files: 3
2021-12-06T19:53:44.793-0500    INFO    Detecting gobinary vulnerabilities...
...
usr/bin/sysbox-fs (gobinary)
============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/bin/sysbox-mgr (gobinary)
=============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/bin/sysbox-runc (gobinary)
==============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
rodnymolina commented 2 years ago

Problem fixed. Closing.