Critical vulnerabilities in 3.3.3
There are a number of critical CVEs in v3.3.3 of this image which prevent us from being able to use it. The vulnerabilities are:
ALAS2-2022-1759: CVE-2022-25315: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
ALAS2-2022-1736: CVE-2021-33574: The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free.
ALAS2-2022-1754: CVE-2022-23852: Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
ALAS2-2021-1724: CVE-2021-22945: When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it again.
CVE-2021-22946: A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server
CVE-2021-22947: When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches.
Is it possible to have these vulnerabilities remediated and an updated image produced?
Hi @dgr237,
These vulnerabilities all lie in the amazonlinux base image that the daemon image uses, so they should not impact the daemon itself. We will re-release the daemon to dockerhub with the latest base image version to mitigate these CVEs regardless, and update this issue when it is done.
In the meantime, I recommend using the Public ECR daemon image: https://gallery.ecr.aws/xray/aws-xray-daemon
It does not have a base image, so it will not have these vulnerabilities.
Thanks for letting me know. I will try to get the ECR image onboarded to our in-house repo.
Hi @dgr237,
The Daemon should now be republished to Dockerhub with the latest AL2 image. Let us know if these vulnerabilities are resolved.