sethforprivacy / simple-monerod-docker

A simple and straightforward Dockerized monerod built from source and exposing standard ports.
https://sethforprivacy.com/guides/run-a-monero-node/
MIT License
98 stars, 19 forks

Container Includes Open CVE's #1

Closed mkell43 closed 3 years ago

mkell43 commented 3 years ago

Howdy,

First off, thank you for this container image and helpful guides on your site.

When inspecting this container image with grype it reported back that there were a number of easily fixed CVEs open against it. While they don't appear to be easily exploited, I figured it was worth mentioning all the same. Looking more closely, it appears all that needs to happen is to have the container image rebuilt in Docker Hub.

Important Note: All that's changing is a re-run of apt-get update, which the image in Docker Hub hasn't had since it was last built in their system.

If you sort through my GitHub & Docker Hub accounts, you'll see that I'm no good at keeping the stuff I've released out into the world up to date. But if I could offer a suggestion: configure a trigger in Docker Hub at https://hub.docker.com/r/sethsimmons/simple-monerod by clicking Manage Repository, Builds, Configure Automated Builds, and creating a new webhook trigger that can be hit by a cron job to trigger a rebuild and keep things updated regularly.

That was perhaps a little overly verbose because the Docker Hub docs don't seem to specify this particular Automated Builds feature (last I looked anyway), and in case someone else stumbles along somehow with an unrelated issue but needs to do something similar.

Before rebuilding the image:

mike@lemur:~/Projects/simple-monerod-docker$ date ; grype sethsimmons/simple-monerod
Sun Feb 21 04:50:52 PM PST 2021
 ✔ Vulnerability DB     [no update available]
 ✔ Loaded image         
 ✔ Parsed image         
 ✔ Cataloged image      [102 packages]
 ✔ Scanned image        [34 vulnerabilities]
NAME              INSTALLED               FIXED-IN                    VULNERABILITY     SEVERITY   
apt               2.0.2ubuntu0.1          2.0.2ubuntu0.2              CVE-2020-27350    Medium      
bash              5.0-6ubuntu1.1                                      CVE-2019-18276    Low         
coreutils         8.30-3ubuntu2                                       CVE-2016-2781     Low         
gpgv              2.2.19-3ubuntu2                                     CVE-2019-13050    Low         
libapt-pkg6.0     2.0.2ubuntu0.1          2.0.2ubuntu0.2              CVE-2020-27350    Medium      
libc-bin          2.31-0ubuntu9.1                                     CVE-2016-10228    Negligible  
libc-bin          2.31-0ubuntu9.1                                     CVE-2020-6096     Low         
libc-bin          2.31-0ubuntu9.1                                     CVE-2020-29562    Low         
libc-bin          2.31-0ubuntu9.1                                     CVE-2020-27618    Low         
libc-bin          2.31-0ubuntu9.1                                     CVE-2019-25013    Low         
libc6             2.31-0ubuntu9.1                                     CVE-2016-10228    Negligible  
libc6             2.31-0ubuntu9.1                                     CVE-2020-6096     Low         
libc6             2.31-0ubuntu9.1                                     CVE-2020-29562    Low         
libc6             2.31-0ubuntu9.1                                     CVE-2020-27618    Low         
libc6             2.31-0ubuntu9.1                                     CVE-2019-25013    Low         
libgcrypt20       1.8.5-5ubuntu1                                      CVE-2019-12904    Low         
libgssapi-krb5-2  1.17-6ubuntu4.1                                     CVE-2018-5709     Negligible  
libk5crypto3      1.17-6ubuntu4.1                                     CVE-2018-5709     Negligible  
libkrb5-3         1.17-6ubuntu4.1                                     CVE-2018-5709     Negligible  
libkrb5support0   1.17-6ubuntu4.1                                     CVE-2018-5709     Negligible  
libp11-kit0       0.23.20-1build1         0.23.20-1ubuntu0.1          CVE-2020-29361    Medium      
libp11-kit0       0.23.20-1build1         0.23.20-1ubuntu0.1          CVE-2020-29363    Medium      
libp11-kit0       0.23.20-1build1         0.23.20-1ubuntu0.1          CVE-2020-29362    Medium      
libpcre3          2:8.39-12build1                                     CVE-2017-11164    Negligible  
libpcre3          2:8.39-12build1                                     CVE-2020-14155    Negligible  
libpcre3          2:8.39-12build1                                     CVE-2019-20838    Low         
libssl1.1         1.1.1f-1ubuntu2.1       1.1.1f-1ubuntu2.2           CVE-2021-23840    Low         
libssl1.1         1.1.1f-1ubuntu2.1       1.1.1f-1ubuntu2.2           CVE-2021-23841    Medium      
libsystemd0       245.4-4ubuntu3.3                                    CVE-2018-20839    Medium      
libtasn1-6        4.16.0-2                                            CVE-2018-1000654  Negligible  
libudev1          245.4-4ubuntu3.3                                    CVE-2018-20839    Medium      
login             1:4.8.1-1ubuntu5.20.04                              CVE-2013-4235     Low         
passwd            1:4.8.1-1ubuntu5.20.04                              CVE-2013-4235     Low         
tar               1.30+dfsg-7             1.30+dfsg-7ubuntu0.20.04.1  CVE-2019-9923     Low

After rebuilding the image:

mike@lemur:~/Projects/simple-monerod-docker$ date ; grype mkell43/simple-monerod
Sun Feb 21 05:32:43 PM PST 2021
 ✔ Vulnerability DB     [no update available]
 ✔ Loaded image         
 ✔ Parsed image         
 ✔ Cataloged image      [102 packages]
 ✔ Scanned image        [26 vulnerabilities]

NAME              INSTALLED               FIXED-IN  VULNERABILITY     SEVERITY   
bash              5.0-6ubuntu1.1                    CVE-2019-18276    Low         
coreutils         8.30-3ubuntu2                     CVE-2016-2781     Low         
gpgv              2.2.19-3ubuntu2                   CVE-2019-13050    Low         
libc-bin          2.31-0ubuntu9.1                   CVE-2016-10228    Negligible  
libc-bin          2.31-0ubuntu9.1                   CVE-2020-6096     Low         
libc-bin          2.31-0ubuntu9.1                   CVE-2020-29562    Low         
libc-bin          2.31-0ubuntu9.1                   CVE-2020-27618    Low         
libc-bin          2.31-0ubuntu9.1                   CVE-2019-25013    Low         
libc6             2.31-0ubuntu9.1                   CVE-2016-10228    Negligible  
libc6             2.31-0ubuntu9.1                   CVE-2020-6096     Low         
libc6             2.31-0ubuntu9.1                   CVE-2020-29562    Low         
libc6             2.31-0ubuntu9.1                   CVE-2020-27618    Low         
libc6             2.31-0ubuntu9.1                   CVE-2019-25013    Low         
libgcrypt20       1.8.5-5ubuntu1                    CVE-2019-12904    Low         
libgssapi-krb5-2  1.17-6ubuntu4.1                   CVE-2018-5709     Negligible  
libk5crypto3      1.17-6ubuntu4.1                   CVE-2018-5709     Negligible  
libkrb5-3         1.17-6ubuntu4.1                   CVE-2018-5709     Negligible  
libkrb5support0   1.17-6ubuntu4.1                   CVE-2018-5709     Negligible  
libpcre3          2:8.39-12build1                   CVE-2017-11164    Negligible  
libpcre3          2:8.39-12build1                   CVE-2020-14155    Negligible  
libpcre3          2:8.39-12build1                   CVE-2019-20838    Low         
libsystemd0       245.4-4ubuntu3.4                  CVE-2018-20839    Medium      
libtasn1-6        4.16.0-2                          CVE-2018-1000654  Negligible  
libudev1          245.4-4ubuntu3.4                  CVE-2018-20839    Medium      
login             1:4.8.1-1ubuntu5.20.04            CVE-2013-4235     Low         
passwd            1:4.8.1-1ubuntu5.20.04            CVE-2013-4235     Low
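
The webhook-plus-cron arrangement described above, as an added example that is not part of this issue or of simple-monerod-docker: a POSIX shell script that summarises a saved grype table report, counts the findings the distro has already fixed (the rows with a FIXED-IN version), and fires a Docker Hub automated-build trigger only when such findings exist. Assumptions: `DOCKERHUB_TRIGGER_URL` is a placeholder for the trigger URL Docker Hub shows under Configure Automated Builds, the JSON body follows Docker Hub's build-trigger docs as I recall them (verify against your trigger), and `grype` and `curl` are on PATH for a real run. The two sample reports are constructed from rows of the grype output quoted in this issue so the counting logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the issue or from simple-monerod-docker): a cron-
# friendly script that summarises a saved grype table report, decides whether
# the image carries vulnerabilities the distro has already fixed (rows with a
# FIXED-IN version, the "easily fixed" ones from the issue), and if so fires a
# Docker Hub automated-build webhook so the image is rebuilt on a fresh base.
# DOCKERHUB_TRIGGER_URL is a placeholder taken from Manage Repository ->
# Builds -> Configure Automated Builds; the JSON body follows Docker Hub's
# build-trigger documentation as recalled here (assumption: check your trigger).

# grype prints five whitespace-separated columns when a fix is known and four
# when FIXED-IN is blank, and the vulnerability id is always the second-to-last
# field, so field counts distinguish the two without fixed-width parsing.
# The NF guard skips blank lines and the progress spinner lines.
count_findings() {
    awk 'NF >= 4 && $(NF-1) ~ /^(CVE|GHSA)-/ { n++ } END { print n + 0 }' "$1"
}

count_fixable() {
    awk 'NF == 5 && $(NF-1) ~ /^(CVE|GHSA)-/ { n++ } END { print n + 0 }' "$1"
}

count_severity() {
    # $1: report file, $2: severity label exactly as grype prints it (e.g. Medium)
    awk -v sev="$2" 'NF >= 4 && $(NF-1) ~ /^(CVE|GHSA)-/ && $NF == sev { n++ } END { print n + 0 }' "$1"
}

# Exit status 0 when at least one finding already has a fix available.
needs_rebuild() {
    [ "$(count_fixable "$1")" -gt 0 ]
}

trigger_rebuild() {
    curl -fsS -X POST -H 'Content-Type: application/json' \
        --data '{"source_type": "Branch", "source_name": "master"}' \
        "${DOCKERHUB_TRIGGER_URL:?set DOCKERHUB_TRIGGER_URL to your Docker Hub build trigger URL}"
}

# Constructed sample reports: rows copied from the two grype runs in the issue,
# trimmed so the script can be exercised offline without grype or Docker.
write_sample_before() {
    cat > "$1" <<'EOF'
 ✔ Cataloged image      [102 packages]
 ✔ Scanned image        [34 vulnerabilities]
NAME              INSTALLED               FIXED-IN                    VULNERABILITY     SEVERITY
apt               2.0.2ubuntu0.1          2.0.2ubuntu0.2              CVE-2020-27350    Medium
bash              5.0-6ubuntu1.1                                      CVE-2019-18276    Low
libp11-kit0       0.23.20-1build1         0.23.20-1ubuntu0.1          CVE-2020-29361    Medium
libssl1.1         1.1.1f-1ubuntu2.1       1.1.1f-1ubuntu2.2           CVE-2021-23841    Medium
libsystemd0       245.4-4ubuntu3.3                                    CVE-2018-20839    Medium
tar               1.30+dfsg-7             1.30+dfsg-7ubuntu0.20.04.1  CVE-2019-9923     Low
EOF
}

write_sample_after() {
    cat > "$1" <<'EOF'
 ✔ Scanned image        [26 vulnerabilities]

NAME              INSTALLED               FIXED-IN  VULNERABILITY     SEVERITY
bash              5.0-6ubuntu1.1                    CVE-2019-18276    Low
libsystemd0       245.4-4ubuntu3.4                  CVE-2018-20839    Medium
EOF
}

# Real run, e.g. from cron:
#   0 4 * * * /path/to/rebuild-if-fixable.sh sethsimmons/simple-monerod
main() {
    image=$1
    report=$(mktemp) || exit 1
    grype "$image" > "$report"
    printf '%s: %s findings, %s with a fix available, %s Medium\n' \
        "$image" "$(count_findings "$report")" "$(count_fixable "$report")" \
        "$(count_severity "$report" Medium)"
    if needs_rebuild "$report"; then
        trigger_rebuild
    fi
    rm -f "$report"
}

# Only scan when an image name is given, so sourcing the file for its
# functions (or running it with no arguments) does nothing.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Keying the rebuild on findings with a FIXED-IN version, rather than on the raw count, mirrors what the two runs above show: a rebuild on a fresh base image clears the fixable rows but leaves the ones with no fix (26 of 34 here), so a trigger driven by the total would fire on every run.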

sethforprivacy commented 3 years ago

Great catch, and thanks for the detail as that makes it much easier to implement a fix to ensure my Docker images stay up to date!

I'll do an initial rebuild/push first thing tomorrow and implement a triggered build regularly if the base image has an update available.

Note that it is generally recommended to not do any type of apt upgrade or apt dist-upgrade when building, and instead rely on the base image updates for vuln fixes etc. (I'll have to dig into this a bit more after reading your issue, however!)

See https://github.com/hadolint/hadolint/wiki/DL3005 for more info. Hadolint was a very useful tool I found for fixing some of the more common pitfalls, many of which I had put in place as I'm quite new to Docker in general.

I'll also have to check out grype, it seems! I've used snyk on this repo a bit but grype seems likely to be a better fit to run myself.

sethforprivacy commented 3 years ago

Minor follow-up: I'm doing apt-get update in the Dockerfile merely to get the latest repo updates for package installation, and not doing any sort of upgrade with that info.

mkell43 commented 3 years ago

> Great catch, and thanks for the detail as that makes it much easier to implement a fix to ensure my Docker images stay up to date!

Totally. Normally I wouldn't call something like this out, but with it relating to Monero I thought it was worth bringing up. It seemed almost silly as the next time you updated the Monero release version in the Dockerfile Docker Hub would rebuild the container image and the update would happen anyway.

> I'll also have to check out grype, it seems! I've used snyk on this repo a bit but grype seems likely to be a better fit to run myself.

It came up for me just recently from one of the (too many) DevOps and DevOps-adjacent newsletters I'm subscribed to. The - I believe to be - parent company that releases Grype also has a GitHub action. Though, I've only ever used long-running GitHub Actions via my employer and our beefy paid plan. So I'm not sure if using GitHub Actions when Monero takes so long to build is feasible on a free plan. https://github.com/anchore/scan-action

> See https://github.com/hadolint/hadolint/wiki/DL3005 for more info. Hadolint was a very useful tool I found for fixing some of the more common pitfalls, many of which I had put in place as I'm quite new to Docker in general.

This is new to me and going in my toolbox. Thank you!

sethforprivacy commented 3 years ago

Pushed an updated image to Docker Hub today with the latest ubuntu20.04 base image.

Thanks again for the mention and details!