vernemq / docker-vernemq

VerneMQ Docker image - Starts the VerneMQ MQTT broker and listens on 1883 and 8080 (for websockets).
https://vernemq.com
Apache License 2.0

List of CVE Vulnerabilities found in the Alpine Docker image #374

Closed bdfkockmeyer closed 4 months ago

bdfkockmeyer commented 9 months ago

Dear VerneMQ team, we are using a vulnerability scanner which checks all our images for known vulnerabilities. This is the list of CVEs found in the latest build of the VerneMQ release 1.13.0. The image tag we are using is vernemq/vernemq:1.13.0-alpine.

I would appreciate it if you could validate those findings and let me know about the results and if there might be a patch release to mitigate the valid findings.

| Severity | CVE ID | CVSS score | Package name & version |
|---|---|---|---|
| Critical | CVE-2022-48174 | 9.8 | busybox-binsh 1.36.1-r0 |
| Critical | CVE-2022-48174 | 9.8 | busybox 1.36.1-r0 |
| Critical | CVE-2023-38545 | 9.8 | curl 8.1.2-r0 |
| Critical | CVE-2023-38545 | 9.8 | libcurl 8.1.2-r0 |
| Critical | CVE-2022-48174 | 9.8 | ssl_client 1.36.1-r0 |
| High | CVE-2023-5363 | 7.5 | libssl3 3.1.1-r1 |
| High | CVE-2023-5363 | 7.5 | libcrypto3 3.1.1-r1 |
| High | CVE-2023-44487 | 7.5 | nghttp2-libs 1.53.0-r0 |
| High | CVE-2023-38039 | 7.5 | curl 8.1.2-r0 |
| High | CVE-2023-38039 | 7.5 | libcurl 8.1.2-r0 |
| Low | CVE-2023-38546 | 3.7 | curl 8.1.2-r0 |
| Low | CVE-2023-38546 | 3.7 | libcurl 8.1.2-r0 |
| Medium | CVE-2023-3446 | 5.3 | libcrypto1.1 1.1.1u-r0 |
| Medium | CVE-2023-3446 | 5.3 | libssl1.1 1.1.1u-r0 |
| Medium | CVE-2023-6237 | 5.9 | libssl3 3.1.1-r1 |
| Medium | CVE-2023-3446 | 5.3 | libssl3 3.1.1-r1 |
| Medium | CVE-2023-3817 | 5.3 | libssl3 3.1.1-r1 |
| Medium | CVE-2023-2975 | 5.3 | libssl3 3.1.1-r1 |
| Medium | CVE-2023-6129 | 6.5 | libssl3 3.1.1-r1 |
| Medium | CVE-2023-5678 | 5.3 | libssl3 3.1.1-r1 |
| Medium | CVE-2023-5678 | 5.3 | libcrypto3 3.1.1-r1 |
| Medium | CVE-2023-6129 | 6.5 | libcrypto3 3.1.1-r1 |
| Medium | CVE-2023-6237 | 5.9 | libcrypto3 3.1.1-r1 |
| Medium | CVE-2023-3446 | 5.3 | libcrypto3 3.1.1-r1 |
| Medium | CVE-2023-3817 | 5.3 | libcrypto3 3.1.1-r1 |
| Medium | CVE-2023-2975 | 5.3 | libcrypto3 3.1.1-r1 |
| Medium | CVE-2023-3446 | 5.3 | openssl1.1-compat 1.1.1u-r0 |
| Medium | CVE-2023-46218 | 6.5 | curl 8.1.2-r0 |
| Medium | CVE-2023-46219 | 5.3 | curl 8.1.2-r0 |
| Medium | CVE-2023-46218 | 6.5 | libcurl 8.1.2-r0 |
| Medium | CVE-2023-46219 | 5.3 | libcurl 8.1.2-r0 |

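As an added example (not code from the issue author or the VerneMQ project), the following Python helper folds rows of a flat scanner listing like the one above into one entry per Alpine origin package, so that the repeated reports for subpackages (curl/libcurl, libssl3/libcrypto3, busybox/busybox-binsh/ssl_client) collapse into the handful of upstream packages that actually need an update. The subpackage-to-origin map and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of rows from the scanner output quoted above.
SCAN_REPORT = """\
Critical CVE-2022-48174 9.8 busybox-binsh 1.36.1-r0
Critical CVE-2022-48174 9.8 busybox 1.36.1-r0
Critical CVE-2023-38545 9.8 curl 8.1.2-r0
Critical CVE-2023-38545 9.8 libcurl 8.1.2-r0
Critical CVE-2022-48174 9.8 ssl_client 1.36.1-r0
High CVE-2023-5363 7.5 libssl3 3.1.1-r1
High CVE-2023-5363 7.5 libcrypto3 3.1.1-r1
High CVE-2023-44487 7.5 nghttp2-libs 1.53.0-r0
Medium CVE-2023-3446 5.3 libcrypto1.1 1.1.1u-r0
Medium CVE-2023-3446 5.3 openssl1.1-compat 1.1.1u-r0
Low CVE-2023-38546 3.7 libcurl 8.1.2-r0
"""

# Assumed Alpine subpackage -> origin package map (scanner rows are per subpackage).
ORIGIN = {
    "busybox-binsh": "busybox", "ssl_client": "busybox", "libcurl": "curl",
    "libssl3": "openssl", "libcrypto3": "openssl", "nghttp2-libs": "nghttp2",
    "libssl1.1": "openssl1.1-compat", "libcrypto1.1": "openssl1.1-compat",
}
ROW = re.compile(r"^(\w+)\s+(CVE-\d{4}-\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)$")

def parse_rows(text):
    """Yield (severity, cve, cvss, package, version) for each well-formed row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            sev, cve, score, pkg, ver = m.groups()
            yield sev, cve, float(score), pkg, ver

def triage(text):
    """Group findings by origin package: unique CVE ids, worst CVSS, installed version."""
    out = defaultdict(lambda: {"cves": set(), "max_cvss": 0.0, "version": None})
    for _sev, cve, score, pkg, ver in parse_rows(text):
        entry = out[ORIGIN.get(pkg, pkg)]
        entry["cves"].add(cve)
        entry["max_cvss"] = max(entry["max_cvss"], score)
        entry["version"] = ver
    return dict(out)

if __name__ == "__main__":
    for origin, e in sorted(triage(SCAN_REPORT).items(), key=lambda kv: -kv[1]["max_cvss"]):
        print(f"{origin:<18} {e['version']:<10} max CVSS {e['max_cvss']:<4} CVEs: {sorted(e['cves'])}")
```

Running it on the full table from the report reduces the 31 scanner rows to 14 distinct CVE ids across five origin packages, which is the list to check against the Alpine security database for a newer base image.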
ioolkos commented 9 months ago

@bdfkockmeyer Thanks, can you let us know the scanning tool used? The question here is: will the latest Alpine release typically pass it?


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq 👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

bdfkockmeyer commented 9 months ago

Hello @ioolkos, we used Crowdstrike as our scanning tool. As you can see at Dockerhub - Alpine 3.19.1, at least Dockerhub did not show any known vulnerabilities. I did not try to scan the latest Alpine image in Crowdstrike so far.

ioolkos commented 8 months ago

The image for VerneMQ 2.0.0-RC1 is now built with Alpine 3.19.1. There are some minor breaking changes: https://github.com/vernemq/vernemq/wiki/Migration-to-VerneMQ-2.0.0