[Bug]: Rebuild Alpine Docker images to get rid of CVE-2023-52425
AB-xdev opened this issue · 14 comments
Please add the exact image (with tag) that you are using
eclipse-temurin:21-alpine
Please add the version of Docker you are running
irrelevant
What happened?
We've been waiting for more than two weeks for an update of the Alpine docker images, which are currently flagged by our security scanner (trivy) with the following CVE:
┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                       │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r2          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a denial of service │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425                  │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
The affected library has already been updated (libexpat 2.6.0-r0 is installed when running apk add --no-cache fontconfig in alpine:3.19), so the only thing that's missing is a rebuild.
The debian/ubuntu based images got rebuilt a few days ago so the problem is no longer present there.
Would it be possible to also rebuild the alpine images?
Relevant log output
No response
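The Trivy row above is a plain "installed version is below the fixed version" comparison, and the point of the report is that the fixed package already exists in the Alpine 3.19 repositories, only the image layer is stale. The following script is an added example, not code from this issue or from the adoptium/containers project: it reproduces that comparison with POSIX tools against a package listing in the format of apk info -v (name-version, one per line), so a finding can be confirmed from inside the image and re-checked after a rebuild. The package listing and advisory list are constructed sample data; the Docker commands and the apk --no-cache upgrade workaround in the comments are the author's assumptions about how one would apply it, not steps from the thread.

```shell
#!/bin/sh
# Added example, not code from the issue or from the adoptium/containers project.
# Reproduces the scanner's "installed version below fixed version" check with
# POSIX tools (sed, awk, sort -V) so it runs outside the container.
# Assumptions: package lines are "name-version" as printed by `apk info -v`,
# advisories are "name fixed-version" lines taken from the scanner output.

# Return 0 when $1 sorts before $2 as an Alpine version, e.g. 2.5.0-r2 < 2.6.0-r0.
# sort -V compares numeric runs numerically, so r2 < r10 is ordered correctly.
alpine_ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Split "name-1.2.3-r4" into "name 1.2.3-r4". Package names may contain hyphens
# (ca-certificates-bundle); the version is the trailing part that starts with a
# digit and ends in the -rN release suffix, which is what the regex keys on.
split_pkg() {
    printf '%s\n' "$1" | sed -E 's/^(.+)-([0-9][^-]*-r[0-9]+)$/\1 \2/'
}

# $1: package list (one "name-version" per line)
# $2: advisories (one "name fixed-version" per line)
# Prints "name installed fixed" for each package still below its fixed version.
find_unfixed() {
    pkgs=$1
    advisories=$2
    printf '%s\n' "$pkgs" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=$(split_pkg "$line" | cut -d ' ' -f 1)
        installed=$(split_pkg "$line" | cut -d ' ' -f 2)
        fixed=$(printf '%s\n' "$advisories" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -n "$fixed" ] && alpine_ver_lt "$installed" "$fixed"; then
            printf '%s %s %s\n' "$name" "$installed" "$fixed"
        fi
    done
}

# Constructed sample standing in for `apk info -v` inside eclipse-temurin:21-alpine.
SAMPLE_PKGS='libexpat-2.5.0-r2
fontconfig-2.14.2-r4
ca-certificates-bundle-20230506-r0
musl-1.2.4_git20230717-r4'

# Constructed advisory list: the libexpat line mirrors the Trivy row in the
# issue; musl is added to show a package already at its fixed version is not
# reported.
SAMPLE_ADVISORIES='libexpat 2.6.0-r0
musl 1.2.4_git20230717-r4'

# Real-world use (assumed workflow, shown for reference and not run here):
#   docker run --rm eclipse-temurin:21-alpine apk info -v > pkgs.txt
#   find_unfixed "$(cat pkgs.txt)" "$(cat advisories.txt)"
# Interim mitigation until the official image is respun, assuming the fixed
# package is already in the Alpine 3.19 repositories as the issue states:
#   FROM eclipse-temurin:21-alpine
#   RUN apk --no-cache upgrade
# then re-run the check against the derived image; the libexpat line should go.

find_unfixed "$SAMPLE_PKGS" "$SAMPLE_ADVISORIES"
```

The version comparison deliberately reports only strictly-lower installed versions, matching the scanner's behaviour of clearing a finding once the fixed release is present; an equal version (the musl line) produces no output.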
they control the base image
Just FYI, the vulnerability is not inside the base image layers.
Please submit an issue at DockerHub
Could you please tell me where I can submit issues? Do you mean the Docker forum? Or the docker hub feedback issuetracker or the alpine linux image issuetracker?
Hmm, was fontconfig already installed?
containers/21/jre/alpine/Dockerfile, line 33 in c1163d4
I can see same vulnerability on eclipse-temurin:17-alpine. Do I need to create a separate issue?
No we can cover it under here
@gdams & @sxa do we have a respin policy in place for updates to the libs in this base image or is it up to DockerHub once we 'hand it over'
The policy is in https://github.com/adoptium/containers/blob/main/README.md#update-policy but TL;DR we have no defined mechanism to trigger such updates. They have to be done by dockerhub.
I will also note that dockerhub have got this flagged as a high severity vulnerability (CVSS 7.5), which is certainly in line with what you're suggesting.
The Alpine repo already has a relevant issue (specifically mentioning our image), so the only path would be the official-images repo at https://github.com/docker-library/official-images. Let me see if I can word something appropriately.
This is a similar issue from a couple of years ago
Thanks for bringing this to our attention. I've raised docker-library/official-images#16289 including quite a few references to related issues that will, if nothing else, help to clarify what we can do for these in the future.
Hi,
I've seen the docker-library issue, but it didn't seem to be going anywhere as of 8 days ago; is there hope for an update soon?
Hi @sxa Really appreciate your follow-through on this issue. I've been watching the thread in docker-library as well - wondering if there is any path to resolution yet? We are eagerly awaiting the security updates.
We had a discussion at the PMC call this week and we're going to attempt to force an update to trigger a rebuild as that seems to be our only option at present. It's not ideal but will hopefully let us resolve the issue before the next update in late April.
The PR is here: docker-library/official-images#16410
This is now complete