search

redis / docker-library-redis

Docker Official Image packaging for Redis
http://redis.io
BSD 3-Clause "New" or "Revised" License
1.12k stars 563 forks source link

The redis:7.0.4-alpine image has a High saverity vulnerabilities. #324

Closed bighb69738 closed 2 years ago

bighb69738 commented 2 years ago

Hi all: I tried to use the latest image redis:7.0.4-alpine. But there is a High saverity vulnerabilities when the image was scaned.

These High saverity vulnerabilities:

Library:busybox-1.35.0-r15.apk Vulnerability id : CVE-2022-3006, CVE-2022-28931

How to fix it?

wglambert commented 2 years ago

7.0.4 was recently added 4 days ago, it's fully up to date with the latest packages from the apk repos

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28931 is still reserved

image Four results with no informational links. What scanner are you using?

$ docker run -it --rm redis:7.0.4-alpine ash
Unable to find image 'redis:7.0.4-alpine' locally
7.0.4-alpine: Pulling from library/redis
530afca65e2e: Already exists
c550a3118f41: Pull complete
9b28aced8b95: Pull complete
ee366e72c8f0: Pull complete
4dc43047334c: Pull complete
940560b1b15a: Pull complete
Digest: sha256:f23b1e963e2122ce4de6c40ffd105b60ccfa62bf0134585d3109f5caf691b5b3
Status: Downloaded newer image for redis:7.0.4-alpine
/data # apk update && apk -u list && apk upgrade --simulate
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz
v3.16.1-5-ge692d8f074 [https://dl-cdn.alpinelinux.org/alpine/v3.16/main]
v3.16.1-20-g112d29a88c [https://dl-cdn.alpinelinux.org/alpine/v3.16/community]
OK: 17026 distinct packages available
OK: 9 MiB in 17 packages

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves And https://github.com/docker-library/openjdk/issues/449#issuecomment-763027011, https://github.com/docker-library/postgres/issues/286#issuecomment-302512767 docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

bighb69738 commented 2 years ago

@wglambert Sorry, the correct CVE id is CVE-2022-30065 and CVE-2022-28391. I used Whitesource to scan redis:7.0.4-alpine image, and it found the high saverity vulnerabilities library from busybox-1.35.0-r15.apk.

wglambert commented 2 years ago

The busybox package is fully up to date so there's nothing actionable we can do, in about a month the image will be updated and rebuilt on its usual cadence so maybe they'll have patches for those. They don't seem particularly relevant to the this image's environment and usage.

I would make sure your redis image isn't publicly accessible and you've read https://github.com/docker-library/docs/tree/master/redis#security then you shouldn't have any worries