postgis / docker-postgis

Docker image for PostGIS
https://hub.docker.com/r/postgis/postgis/
MIT License

(vulnerability report) Most images are insecure #370

Closed jamesgeddes closed 11 months ago

jamesgeddes commented 11 months ago

Many published images have HIGH or CRITICAL security vulnerabilities.

Scan built images with Trivy (or similar) during CI before publishing them to Dockerhub to prevent insecure containers from being made publicly available.

I would suggest adding the following to the current GitHub actions workflow immediately after the "Build docker image" step.

- name: Scan image with Trivy
  if: ${{  (github.ref == 'refs/heads/master') && (github.event_name != 'pull_request')  }}
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: ${{ env.REPO_NAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}${{ matrix.variant == 'alpine' && '-alpine' || '' }}
    format: 'table'
    exit-code: '1'
    severity: 'HIGH,CRITICAL'
ImreSamu commented 11 months ago

Thank you for bringing this matter to the attention of our community!

A few days ago, a similar question came up: PostGIS Docker Issue #368. Because of this, we've added an extra "Security Scanner Information" section to the README.md

And also please read: https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

I've been considering using the Trivy scanner, but currently, I don't see much benefit in using the extra Trivy security scanner without the --ignore-unfixed option. ( https://pythonspeed.com/articles/docker-security-scanner/ )

If security is especially important to you, I recommend using images based on Alpine.

postgres:16-alpine

$ trivy image --ignore-unfixed postgres:16-alpine
2023-12-06T19:45:11.180+0100    INFO    Need to update DB
2023-12-06T19:45:11.180+0100    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-12-06T19:45:11.180+0100    INFO    Downloading DB...
41.17 MiB / 41.17 MiB [------------------------------] 100.00% 9.48 MiB p/s 4.5s
2023-12-06T19:45:16.476+0100    INFO    Vulnerability scanning is enabled
2023-12-06T19:45:16.476+0100    INFO    Secret scanning is enabled
2023-12-06T19:45:16.476+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-06T19:45:16.476+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-06T19:45:23.653+0100    INFO    Detected OS: alpine
2023-12-06T19:45:23.653+0100    INFO    Detecting Alpine vulnerabilities...
2023-12-06T19:45:23.657+0100    INFO    Number of language-specific files: 0

postgres:16-alpine (alpine 3.18.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
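As an added example (not code from this issue or from the postgis/docker-postgis project), here is the gate both comments are discussing: the `severity: 'HIGH,CRITICAL'` / `exit-code: '1'` policy from the proposed CI step, applied to a Trivy JSON report once with and once without the `--ignore-unfixed` filter, so the effect of that option on the pass/fail decision is visible. The report layout (`Results[].Vulnerabilities[]` with `Severity` and `FixedVersion`) follows Trivy's `--format json` output as I know it; the sample data is constructed from the 15-3.3-alpine table posted later in this thread plus one made-up unfixed finding with a placeholder id.

```python
import json

# Constructed sample shaped like `trivy image --format json` output
# (Results[].Vulnerabilities[]). The first three entries mirror the thread's
# 15-3.3-alpine table; the last is a made-up unfixed finding (placeholder id).
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "postgis/postgis:15-3.3-alpine (alpine 3.18.3)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-38545", "PkgName": "libcurl", "Severity": "CRITICAL",
         "InstalledVersion": "8.2.1-r0", "FixedVersion": "8.4.0-r0"},
        {"VulnerabilityID": "CVE-2023-5363", "PkgName": "libcrypto3", "Severity": "HIGH",
         "InstalledVersion": "3.1.2-r0", "FixedVersion": "3.1.4-r0"},
        {"VulnerabilityID": "CVE-2023-38546", "PkgName": "libcurl", "Severity": "LOW",
         "InstalledVersion": "8.2.1-r0", "FixedVersion": "8.4.0-r0"},
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample", "Severity": "CRITICAL",
         "InstalledVersion": "1.0-r0", "FixedVersion": ""},   # no fix released yet
    ]}]})

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def findings(report_json, severities=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """(pkg, id, severity, fixed_version) for each vulnerability tripping the gate.
    ignore_unfixed=True drops entries with no FixedVersion, like Trivy's
    --ignore-unfixed: the image maintainer has nothing to rebuild against yet."""
    wanted = set(severities)
    hits = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is null on clean images
            if vuln.get("Severity", "UNKNOWN") not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            hits.append((vuln["PkgName"], vuln["VulnerabilityID"],
                         vuln["Severity"], vuln.get("FixedVersion") or "none"))
    return hits


def exit_code(report_json, **options):
    """1 when the CI job should fail (mirrors `exit-code: '1'`), else 0."""
    return 1 if findings(report_json, **options) else 0


def summary(report_json):
    """Trivy-style 'Total: N (UNKNOWN: .., LOW: .., ...)' line over all severities."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for _pkg, _cve, severity, _fix in findings(report_json, SEVERITIES, False):
        counts[severity] += 1
    detail = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"Total: {sum(counts.values())} ({detail})"
```

On the sample, the gate fails the build either way, but with `ignore_unfixed=True` the unfixed CRITICAL entry is excluded, which is the case the README link above is about: a finding the image maintainer cannot yet rebuild away.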
jamesgeddes commented 11 months ago

Thank you for getting back to me so quickly and my apologies for missing #368 and the Security section in the readme!

I think security is important to everyone. Alpine is indeed usually better but does not guarantee security. An additional example to the ones already mentioned:

trivy image --ignore-unfixed postgis/postgis:15-3.3-alpine
2023-12-06T19:12:25.646Z    INFO    Vulnerability scanning is enabled
2023-12-06T19:12:25.646Z    INFO    Secret scanning is enabled
2023-12-06T19:12:25.646Z    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-06T19:12:25.646Z    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-06T19:12:26.542Z    INFO    Detected OS: alpine
2023-12-06T19:12:26.542Z    INFO    Detecting Alpine vulnerabilities...
2023-12-06T19:12:26.545Z    INFO    Number of language-specific files: 0

postgis/postgis:15-3.3-alpine (alpine 3.18.3)

Total: 13 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 6, CRITICAL: 2)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto3   │ CVE-2023-5363  │ HIGH     │ fixed  │ 3.1.2-r0          │ 3.1.4-r0      │ openssl: Incorrect cipher key and IV length processing     │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363                  │
│              ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-5678  │ MEDIUM   │        │                   │ 3.1.4-r1      │ openssl: Generating excessively long X9.42 DH keys or      │
│              │                │          │        │                   │               │ checking excessively long X9.42...                         │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678                  │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcurl      │ CVE-2023-38545 │ CRITICAL │        │ 8.2.1-r0          │ 8.4.0-r0      │ curl: heap based buffer overflow in the SOCKS5 proxy       │
│              │                │          │        │                   │               │ handshake                                                  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-38545                 │
│              ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-38039 │ HIGH     │        │                   │ 8.3.0-r0      │ curl: out of heap memory issue due to missing limit on     │
│              │                │          │        │                   │               │ header...                                                  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-38039                 │
│              ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-38546 │ LOW      │        │                   │ 8.4.0-r0      │ curl: cookie injection with none file                      │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-38546                 │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libssl3      │ CVE-2023-5363  │ HIGH     │        │ 3.1.2-r0          │ 3.1.4-r0      │ openssl: Incorrect cipher key and IV length processing     │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363                  │
│              ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-5678  │ MEDIUM   │        │                   │ 3.1.4-r1      │ openssl: Generating excessively long X9.42 DH keys or      │
│              │                │          │        │                   │               │ checking excessively long X9.42...                         │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678                  │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libwebp      │ CVE-2023-4863  │ HIGH     │        │ 1.3.1-r0          │ 1.3.1-r1      │ libwebp: Heap buffer overflow in WebP Codec                │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-4863                  │
├──────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libx11       │ CVE-2023-43787 │          │        │ 1.8.4-r4          │ 1.8.7-r0      │ integer overflow in XCreateImage() leading to a heap       │
│              │                │          │        │                   │               │ overflow                                                   │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-43787                 │
│              ├────────────────┼──────────┤        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-43785 │ MEDIUM   │        │                   │               │ out-of-bounds memory access in _XkbReadKeySyms()           │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-43785                 │
│              ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-43786 │          │        │                   │               │ stack exhaustion from infinite recursion in PutSubImage()  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-43786                 │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ minizip      │ CVE-2023-45853 │ CRITICAL │        │ 1.2.13-r0         │ 1.2.13-r1     │ zlib: integer overflow and resultant heap-based buffer     │
│              │                │          │        │                   │               │ overflow in zipOpenNewFileInZip4_6                         │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45853                 │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ nghttp2-libs │ CVE-2023-44487 │ HIGH     │        │ 1.55.1-r0         │ 1.57.0-r0     │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable │
│              │                │          │        │                   │               │ to a DDoS attack...                                        │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44487                 │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

I only suggested Trivy because it is easy and free. Other providers are available, for example, Snyk has a decent offering for FOSS projects as well as their own GitHub Actions.

FWIW, IMO we should avoid perpetuating vulnerable software, so this would help to facilitate that. I do, however, appreciate that it is difficult when one is building on top of something insecure, as this would require a significant amount of Yak Shaving. As such, if this is not feasible then please feel free to close the ticket.

ImreSamu commented 11 months ago

@jamesgeddes

> my apologies

no problem.

> Alpine is indeed usually better but does not guarantee security. An additional example to the ones already mentioned; trivy image postgis/postgis:15-3.3-alpine

Why are you using the 15-3.3-alpine version? This version is no longer supported (see the repo README.md).
Please upgrade to the 15-3.4-alpine version!

IMHO: If you need security and postgis bugfixes, please use the CURRENT (weekly rebuilt) images listed in the current README.md:

$ docker pull postgis/postgis:15-3.4-alpine
15-3.4-alpine: Pulling from postgis/postgis
Digest: sha256:93eebb5fd4d35cc354ea91da5716730cec922772c92d4f05e127e2af96dfc644
Status: Image is up to date for postgis/postgis:15-3.4-alpine
docker.io/postgis/postgis:15-3.4-alpine

$ trivy image --ignore-unfixed postgis/postgis:15-3.4-alpine
2023-12-06T20:19:41.948+0100    INFO    Vulnerability scanning is enabled
2023-12-06T20:19:41.948+0100    INFO    Secret scanning is enabled
2023-12-06T20:19:41.948+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-06T20:19:41.949+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-06T20:19:41.965+0100    INFO    Detected OS: alpine
2023-12-06T20:19:41.965+0100    INFO    Detecting Alpine vulnerabilities...
2023-12-06T20:19:41.973+0100    INFO    Number of language-specific files: 0

postgis/postgis:15-3.4-alpine (alpine 3.18.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

or "postgis/postgis:11-3.3-alpine"

$ trivy image --ignore-unfixed postgis/postgis:11-3.3-alpine
2023-12-06T20:36:47.392+0100    INFO    Vulnerability scanning is enabled
2023-12-06T20:36:47.392+0100    INFO    Secret scanning is enabled
2023-12-06T20:36:47.392+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-06T20:36:47.392+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-06T20:36:47.405+0100    INFO    Detected OS: alpine
2023-12-06T20:36:47.405+0100    INFO    Detecting Alpine vulnerabilities...
2023-12-06T20:36:47.412+0100    INFO    Number of language-specific files: 0

postgis/postgis:11-3.3-alpine (alpine 3.18.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

> FWIW, IMO we should avoid perpetuating vulnerable software, so this would help to facilitate that.

Unfortunately, regularly updating older versions, such as the requested 15-3.3-alpine (last pushed 4 months ago), is not easy to manage, and the likelihood of supporting this in our repository is slim. In similar situations, it is advisable to fork the repository (Dockerfile) and take care of the rebuilding and security updates ourselves.

We do not delete old postgis/postgis Docker images and tags, as they can be very useful for testing. Additionally, the upstream official Postgres does not delete them either.

If you have specific suggestions on how we can make our images, which are built on the official Postgres image, more secure, we are completely open to them. Please check the Dockerfiles:

However, this is all I can say, which is also included in the README.md under 'Limitations on Updates': Unfortunately, we don't have control over updates to Debian and Alpine distributions or the upstream postgres image. Because of this, there might be some issues that we cannot fix right away. On the positive side, the postgis/postgis images are regenerated every Monday. This process is to ensure they include the latest changes and improvements. As a result, these images are consistently kept up-to-date.

SUMMARY:

I would suggest the following rule of thumb: Since we only extend the Official Postgres Image with the postgis extension, if the Official Postgres is suitable, then I believe the postgis/postgis should also be suitable. However, if the Official Postgres is not suitable, then we cannot help. In this case, you should look for another postgis docker image that meets your security requirements.

https://hub.docker.com/_/postgres/tags?page=1
