Vulnerability detected in confluent images pulled from docker hub

Question

Vulnerability detected in confluent images pulled from docker hub

kthondir opened this issue 5 years ago · 1 comments

kthondir commented 5 years ago

VULNERABILITY ANALYSIS RESULTS:

DockerHub External Image: confluentinc/cp-schema-registry:5.4.0

[Vulnerability 01]
TITLE: [linux] libgcrypt20 - CVE-2019-13627:

pkg: libgcrypt20: 1.6.3-2+deb8u5

Severity: High

Description: It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.

Exploitability: Remotely Exploitable

Solution: libgcrypt timing attack fixed in version 1.8.5+

References:

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html
http://www.openwall.com/lists/oss-security/2019/10/02/2
https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5

[Vulnerability 02]
TITLE: [linux] libcomerr2 - CVE-2019-5094:

pkgs:

libcomerr2: 1.42.12-2+b1
e2fslibs: 1.42.12-2+b1
libss2: 1.42.12-2+b1
e2fsprogs: 1.42.12-2+b1

severity: Medium

Exploitability: Locally Exploitable, low complexity

Description: An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Solution: For Debian 8 "Jessie", this problem has been fixed in version
1.42.12-2+deb8u1.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.43.4-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.44.5-1+deb10u2.

References:

https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/
https://seclists.org/bugtraq/2019/Sep/58

Name: cp-schema-registry
Tag: 5.4.0
Digest:sha256:6483e6258e517a2dec9d13d3e8b7fff2a963d9ec6f67bcac554b9fecd88d976b
Status: scanned
LastJobStatus: completed
Score: score9
NumberOfVulns: 2
NumberOfMalware: 0
Source: pushed
CreatedAt: 2020-02-06T18:06:53.269Z
FinishedAt: 2020-02-06T18:29:50.303Z
ImageHash: 27756bdebb20
Size: 1584
OS: Debian
OSVersion: 8.11

We scanned the latest image as well but the issues were the same from Tenable Security. We also ran the latest image through another container scanning software we have access to called "Snyk" and there were a lot more vulnerabilities in that image from them.

Answer 1 · 2020-02-10T16:45:54.000Z

Our security team is not approving this docker image from being installed in our K8s. Please submit an updated image that addresses these issues to docker hub.