Jan-M
commented
3 months ago How do you reach the conclusion that from any of those CVEs it is easy to break the Postgres database cluster run via Spilo container?
Open gowthamvetriselvan opened 4 months ago
Jan-M
commented
3 months ago How do you reach the conclusion that from any of those CVEs it is easy to break the Postgres database cluster run via Spilo container?
gowthamvetriselvan
commented
1 week ago @Jan-M Apologize for mentioning easily breakable (a Generic Statement). But, To provide the ground situation on this issue.. we have software security policies that prohibit us from using 3rd party software with CVEs of severity "High" or greater. These CVEs limit their audience.
Hi Team
Recent docker image of Spilo having critical and high Vulnerabilities
ghcr.io/zalando/spilo-16:3.2-p2
CVE ID SEVERITY PACKAGE CURRENT VERSION FIX VERSION NAMESPACE STATUS INTRODUCED IN LAYER FILE PATH
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2023-37920 Critical certifi 2020.6.20 2023.07.22 python VULNERABLE RUN |10 DEMO=false usr/lib/python3/dist-packages/certifi-2020.6.20.egg-info/PKG-INFO
ADDITIONAL_LOCALES=
PGVERSION=16 TIMESCALEDB=2.3.1
2.11.2 2.14.2
TIMESCALEDB_APACHE_ONLY=true
TIMESCALEDB_TOOLKIT=true
COMPRESS=false
PGOLDVERSIONS=11 12 13
14 15 WITH_PERL=false
DEB_PG_SUPPORTED_VERSIONS=11
12 13 14 15 16 bash
/builddeps/patroni_wale.sh #
buildkit
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2023-4807 High cryptography 3.4.8 41.0.4 python VULNERABLE RUN |10 DEMO=false usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO
ADDITIONAL_LOCALES=
PGVERSION=16 TIMESCALEDB=2.3.1
2.11.2 2.14.2
TIMESCALEDB_APACHE_ONLY=true
TIMESCALEDB_TOOLKIT=true
COMPRESS=false
PGOLDVERSIONS=11 12 13
14 15 WITH_PERL=false
DEB_PG_SUPPORTED_VERSIONS=11
12 13 14 15 16 bash
/builddeps/patroni_wale.sh #
buildkit
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2023-43804 High urllib3 1.26.5 1.26.17 python VULNERABLE RUN |10 DEMO=false usr/lib/python3/dist-packages/urllib3-1.26.5.egg-info/PKG-INFO
ADDITIONAL_LOCALES=
PGVERSION=16 TIMESCALEDB=2.3.1
2.11.2 2.14.2
TIMESCALEDB_APACHE_ONLY=true
TIMESCALEDB_TOOLKIT=true
COMPRESS=false
PGOLDVERSIONS=11 12 13
14 15 WITH_PERL=false
DEB_PG_SUPPORTED_VERSIONS=11
12 13 14 15 16 bash
/builddeps/patroni_wale.sh #
buildkit
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2018-1000047 High ply 3.11 python VULNERABLE RUN |10 DEMO=false usr/lib/python3/dist-packages/ply-3.11.egg-info/PKG-INFO
ADDITIONAL_LOCALES=
PGVERSION=16 TIMESCALEDB=2.3.1
2.11.2 2.14.2
TIMESCALEDB_APACHE_ONLY=true
TIMESCALEDB_TOOLKIT=true
COMPRESS=false
PGOLDVERSIONS=11 12 13
14 15 WITH_PERL=false
DEB_PG_SUPPORTED_VERSIONS=11
12 13 14 15 16 bash
/builddeps/patroni_wale.sh #
buildkit
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2023-39325 High google.golang.org/grpc v1.31.0 1.58.3 go VULNERABLE COPY /builddeps/wal-g usr/local/bin/wal-g
/usr/local/bin/ # buildkit
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2023-44487 High google.golang.org/grpc v1.31.0 1.58.3 go VULNERABLE COPY /builddeps/wal-g usr/local/bin/wal-g
/usr/local/bin/ # buildkit
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2023-6596 High google.golang.org/grpc v1.31.0 1.58.3 go VULNERABLE COPY /builddeps/wal-g usr/local/bin/wal-g
/usr/local/bin/ # buildkit
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2020-26160 High github.com/dgrijalva/jwt-go v3.2.0+incompatible go VULNERABLE COPY /builddeps/wal-g usr/local/bin/wal-g
/usr/local/bin/ # buildkit
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2022-32149 High golang.org/x/text v0.3.7 0.3.8 go VULNERABLE COPY /builddeps/wal-g usr/local/bin/wal-g
/usr/local/bin/ # buildkit
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2023-50782 High cryptography 3.4.8 python VULNERABLE RUN |10 DEMO=false usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO
ADDITIONAL_LOCALES=
PGVERSION=16 TIMESCALEDB=2.3.1
2.11.2 2.14.2
TIMESCALEDB_APACHE_ONLY=true
TIMESCALEDB_TOOLKIT=true
COMPRESS=false
PGOLDVERSIONS=11 12 13
14 15 WITH_PERL=false
DEB_PG_SUPPORTED_VERSIONS=11
12 13 14 15 16 bash
/builddeps/patroni_wale.sh #
buildkit
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2023-49083 High cryptography 3.4.8 41.0.6 python VULNERABLE RUN |10 DEMO=false usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO
ADDITIONAL_LOCALES=
PGVERSION=16 TIMESCALEDB=2.3.1
2.11.2 2.14.2
TIMESCALEDB_APACHE_ONLY=true
TIMESCALEDB_TOOLKIT=true
COMPRESS=false
PGOLDVERSIONS=11 12 13
14 15 WITH_PERL=false
DEB_PG_SUPPORTED_VERSIONS=11
12 13 14 15 16 bash
/builddeps/patroni_wale.sh #
buildkit
-------------------+----------+-----------------------------+--------------------------+-------------+--------------+------------+-----------------------------------------------------------------------+--------------------------------------------------------------------- CVE-2022-29217 High pyjwt 2.3.0 2.4.0 python VULNERABLE RUN |10 DEMO=false usr/lib/python3/dist-packages/PyJWT-2.3.0.egg-info/PKG-INFO
ADDITIONAL_LOCALES=
PGVERSION=16 TIMESCALEDB=2.3.1
2.11.2 2.14.2
TIMESCALEDB_APACHE_ONLY=true
TIMESCALEDB_TOOLKIT=true
COMPRESS=false
PGOLDVERSIONS=11 12 13
14 15 WITH_PERL=false
DEB_PG_SUPPORTED_VERSIONS=11
12 13 14 15 16 bash
/builddeps/patroni_wale.sh #
buildkit
Do we know when it can be addressed or provide any workaorund on overcoming this Vulnerabilities. since with this Vulnerabilities looks like easy to break the postgres DB