[Bug] Image vulnerabilities found with Aquasec

I just tried quay.io/kuberay/operator:v1.1.1 This has less but still has issues

{ "status" : "SCANNED", "cves" : [ { "file" : "", "name" : "RHSA-2024:2679", "description" : "An update for libxml2 is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\nThe libxml2 library is a development toolbox providing the implementation of various XML standards.\n\nSecurity Fix(es):\n\n libxml2: use-after-free in XMLReader (CVE-2024-25062)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nThis content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.\nA use-after-free flaw was found in libxml2. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.\nlibxml2: use-after-free in XMLReader\nThe severity of this vulnerability is not important but moderate due to the lack of impact to both confidentiality and integrity, but potential impact to availability. The theoretical risk of impact to availability is limited due to the specific requirement that applications must continue to misuse the reader API after it has already reported validation errors instead of handling those errors. The flaw requires that crafted XML documents can be provided by an attacker and the utilization of DTD validation and XInclude expansion using the XMLReader API. Along with those conditions, the application using the XMLReader API must be ignoring errors when expanding invalid XInclude nodes in an maliciously crafted document. These conditions are unlikely to exist in the intended usage of the XMLReader API.\nThe CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "severity" : "high", "score_version" : "CVSS v3", "cVulnerabilityScore" : 3 }, { "file" : "", "name" : "RHSA-2024:1879", "description" : "An update for gnutls is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\nThe gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.\n\nSecurity Fix(es):\n\n gnutls: vulnerable to Minerva side-channel information leak (CVE-2024-28834)\n\n gnutls: potential crash during chain building/verification (CVE-2024-28835)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nThis content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.\nA flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.\ngnutls: vulnerable to Minerva side-channel information leak\nThe Minerva attack vulnerability in GnuTLS, as identified through deterministic code behavior, poses a moderate severity risk due to its potential exploitation in cryptographic systems. This vulnerability enables adversaries to infer information about the cryptographic operations by observing subtle variations in nonce sizes, leading to a side-channel attack. The deterministic nature of the code allows attackers to discern patterns in the nonce generation process, thereby compromising the confidentiality and integrity of cryptographic communications. While the impact of this vulnerability may not be immediate or widespread, its exploitation could facilitate targeted attacks against systems relying on GnuTLS for secure communication.\nThe CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.\nA flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.\ngnutls: potential crash during chain building/verification\nThe observed crash in GnuTLS during certificate chain verification, triggered by a specific certificate configuration, represents a moderate severity issue due to its potential impact on security-critical operations reliant on certificate validation. The crash may indicate an underlying flaw in GnuTLS's handling of certain certificate attributes or structures, potentially exposing systems to denial-of-service vulnerabilities or bypassing security checks if exploited maliciously. Given that certificate validation is a fundamental aspect of secure communication protocols such as TLS, the inability to reliably verify certificate chains could lead to unauthorized access, data integrity breaches, or interception of sensitive information.", "severity" : "", "score_version" : "CVSS v3", "cVulnerabilityScore" : 4 }, { "file" : "", "name" : "RHSA-2024:2570", "description" : "An update for gnutls is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\nThe gnutls package provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.\n\nSecurity Fix(es):\n\n gnutls: vulnerable to Minerva side-channel information leak (CVE-2024-28834)\n\n* gnutls: potential crash during chain building/verification (CVE-2024-28835)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nThis content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.\nA flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.\ngnutls: vulnerable to Minerva side-channel information leak\nThe Minerva attack vulnerability in GnuTLS, as identified through deterministic code behavior, poses a moderate severity risk due to its potential exploitation in cryptographic systems. This vulnerability enables adversaries to infer information about the cryptographic operations by observing subtle variations in nonce sizes, leading to a side-channel attack. The deterministic nature of the code allows attackers to discern patterns in the nonce generation process, thereby compromising the confidentiality and integrity of cryptographic communications. While the impact of this vulnerability may not be immediate or widespread, its exploitation could facilitate targeted attacks against systems relying on GnuTLS for secure communication.\nThe CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.\nA flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.\ngnutls: potential crash during chain building/verification\nThe observed crash in GnuTLS during certificate chain verification, triggered by a specific certificate configuration, represents a moderate severity issue due to its potential impact on security-critical operations reliant on certificate validation. The crash may indicate an underlying flaw in GnuTLS's handling of certain certificate attributes or structures, potentially exposing systems to denial-of-service vulnerabilities or bypassing security checks if exploited maliciously. Given that certificate validation is a fundamental aspect of secure communication protocols such as TLS, the inability to reliably verify certificate chains could lead to unauthorized access, data integrity breaches, or interception of sensitive information.", "severity" : "", "score_version" : "CVSS v3", "cVulnerabilityScore" : 4 }, { "file" : "/manager", "name" : "CVE-2023-45288", "description" : "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.", "severity" : "", "score_version" : "CVSS v3", "cVulnerabilityScore" : 3 }, { "file" : "/manager", "name" : "CVE-2024-24786", "description" : "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.", "severity" : "", "score_version" : "CVSS v3", "cVulnerabilityScore" : 3 } ] }

Yes. 1.1.1 has this additional one

"name" : "RHSA-2024:3339", "description" : "An update for glibc is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nSecurity Fix(es):\n\n glibc: Out of bounds write in iconv conversion to ISO-2022-CN-EXT\n(CVE-2024-2961)\n\n glibc: stack-based buffer overflow in netgroup cache (CVE-2024-33599)\n\n glibc: null pointer dereferences after failed netgroup cache insertion\n(CVE-2024-33600)\n\n glibc: netgroup cache may terminate daemon on memory allocation failure\n(CVE-2024-33601)\n\n* glibc: netgroup cache assumes NSS callback uses in-buffer strings\n(CVE-2024-33602)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nThis content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.\nAn out-of-bounds write flaw was found in the ISO-2022-CN-EXT plugin for glibc's iconv library. When converting from UCS4 charset, adding certain escape charterers is required to indicate where the charset was changed to the library. During this process, iconv improperly checks the boundaries of internal buffers, leading to a buffer overflow, which allows writing up to 3 bytes outside the desired memory location. This issue may allow an attacker to craft a malicious characters sequence that will trigger the out-of-bounds write and perform remote code execution, presenting a high impact to the Integrity, Confidentiality, and Availability triad.\nglibc: Out of bounds write in iconv may lead to remote code execution\nThe described vulnerability in the iconv() function of GNU C Library, particularly affecting ISO-2022-CN-EXT character set conversions, poses a important severity issue due to its potential for out-of-bound writes. Such buffer overflows can lead to arbitrary memory corruption, which can be exploited by attackers to execute arbitrary code, crash applications, or overwrite critical data structures, including neighboring variables. Given that the overflow can occur with specific, predictable values through SS2designation and SS3designation escape sequences, an attacker could craft malicious input to specifically trigger these overflows. Exploitation of this vulnerability could result in denial of service, privilege escalation, or even remote code execution, posing a significant threat to the security and integrity of affected systems.\nThe CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.\nA stack-based buffer overflow flaw was found in the glibc netgroup cache. In certain conditions, its possible to trigger a stack-based buffer overflow condition that can lead to a denial of service and potentially other malicious actions that impact confidentiality and integrity.\nglibc: stack-based buffer overflow in netgroup cache\nThis stack-based buffer overflow vulnerability in nscd presents a important severity issue due to its potential to be exploited by malicious actors to execute arbitrary code or cause denial-of-service (DoS) conditions. By carefully crafting input data, an attacker could manipulate the program's control flow, leading to unintended behavior such as executing arbitrary commands, escalating privileges, or crashing the application. Since the overflow occurs in a critical system component responsible for caching name service data, exploitation could have far-reaching consequences, including unauthorized access to sensitive information or disruption of essential services.\n\n\nThis issue affects the nscd RPM package and not the glibc RPM package itself. Affected components are tracked by their RPM source package, in this case, the nscd binary package is built from the glibc source package, hence the affected component is glibc.\nA flaw was found in the glibc netgroup cache. After a failed cache insertion, addgetnetgrentX tries to send the non-existing response after the not-found header. This can lead to a null pointer dereference that causes a crash or exit.\nglibc: null pointer dereferences after failed netgroup cache insertion\nThe flaw identified in the glibc netgroup cache constitutes a moderate severity issue due to its potential to trigger null pointer dereferences, leading to program crashes or exits. While null pointer dereferences can cause disruptions to system operations and possibly result in denial-of-service conditions, their impact is limited primarily to the affected process or application instance. However, the risk of exploitation may vary depending on the context of system usage. Systems that heavily rely on netgroup functionality may be more susceptible to exploitation, particularly if malicious actors can manipulate network traffic to trigger the vulnerability.\n\n\nThis issue affects the nscd RPM package and not the glibc RPM package itself. Affected components are tracked by their RPM source package, in this case, the nscd binary package is built from the glibc source package, hence the affected component is glibc.\nA flaw was found in the glibc netgroup cache. The netgroup cache uses xmalloc/xrealloc and may terminate the process due to a memory allocation failure.\nglibc: netgroup cache may terminate daemon on memory allocation failure\nThe flaw in the glibc netgroup cache, while concerning, is categorized as a low severity issue due to several factors. Firstly, the exploitation of this vulnerability requires specific conditions, such as a memory allocation failure within the netgroup cache, which may not occur frequently in typical usage scenarios. Additionally, the impact of such failures is limited to the termination of the affected process, rather than facilitating unauthorized access or data manipulation. Furthermore, the likelihood of successful exploitation and the potential for widespread harm are comparatively low, given the specific nature of the vulnerability and its constrained impact.\n\n\nThis issue affects the nscd RPM package and not the glibc RPM package itself. Affected components are tracked by their RPM source package, in this case, the nscd binary package is built from the glibc source package, hence the affected component is glibc.\nA flaw was found in the glibc netgroup cache. The buffer-resizing code in addgetnetgrentX assumes that all string pointers point into the supplied buffer. This can potentially lead to memory corruption and cause a crash.\nglibc: netgroup cache assumes NSS callback uses in-buffer strings\nThe identified flaw in the glibc netgroup cache, while significant in its potential to cause memory corruption and crashes, may be categorized as a low severity issue due to several factors. Firstly, the exploitation of this vulnerability requires specific conditions to be met, such as the presence of netgroup-related functionality and the ability to manipulate memory within the target system. Secondly, the impact of the vulnerability is limited to the context of the affected application or system component, rather than posing a system-wide or network-wide threat.\n\n\nThis issue affects the nscd RPM package and not the glibc RPM package itself. Affected components are tracked by their RPM source package, in this case, the nscd binary package is built from the glibc source package, hence the affected component is glibc.",

ray-project / kuberay

[Bug] Image vulnerabilities found with Aquasec #2165

Search before asking

KubeRay Component

What happened + What you expected to happen

Reproduction script

Anything else

Are you willing to submit a PR?