Critical OS vulnerabilities in Docker image
Opened this issue · 0 comments
elchenberg commented
Trivy detects 11 critical vulnerabilities in the operating system (packages) of the Docker image.
I do not know if there is a way to exploit them. For my peace of mind, I would like to get rid of them anyway. Please tell me if I should open a pull request.
Summary
With the following changes the number of OS-related critical vulnerabilities can be reduced from 11 to 1:
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 60c2f3a..029811e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,9 +1,10 @@
-FROM openjdk:11-jre-slim-buster
+FROM openjdk:11-jre-slim-bullseye
ARG EXPORTER_VERSION=2.3.8
RUN apt-get update && apt-get install -y --no-install-recommends \
netcat \
+ && apt-get upgrade -y \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
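Review bot: the `apt-get upgrade -y` inserted after the `netcat` install line makes the image content depend on build time rather than on the Dockerfile: the same file yields a different package set whenever bullseye-security moves, so the 11-to-1 reduction reported below is a property of this particular build. If the intent is to keep the count down, pair the upgrade with a scheduled rebuild, or pin the base image by digest and bump it deliberately so the scan result is reproducible.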
Caveat: I have not tested the resulting image.
Details
trivy image --severity=CRITICAL --vuln-type=os criteord/cassandra_exporter:2.3.8
criteord/cassandra_exporter:2.3.8 (debian 10.11)
Total: 11 (CRITICAL: 11)
┌───────────┬────────────────┬──────────┬───────────────────┬──────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2021-33574 │ CRITICAL │ 2.28-10 │ │ glibc: mq_notify does not handle separately allocated thread │
│ │ │ │ │ │ attributes │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33574 │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2021-35942 │ CRITICAL │ 2.28-10 │ │ glibc: Arbitrary read in wordexp() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-35942 │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2022-23218 │ CRITICAL │ 2.28-10 │ │ glibc: Stack-based buffer overflow in svcunix_create via │
│ │ │ │ │ │ long pathnames │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23218 │
│ ├────────────────┤ │ ├──────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-23219 │ │ │ │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│ │ │ │ │ │ a long pathname │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23219 │
├───────────┼────────────────┤ │ ├──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6 │ CVE-2021-33574 │ │ │ │ glibc: mq_notify does not handle separately allocated thread │
│ │ │ │ │ │ attributes │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33574 │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6 │ CVE-2021-35942 │ CRITICAL │ 2.28-10 │ │ glibc: Arbitrary read in wordexp() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-35942 │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6 │ CVE-2022-23218 │ CRITICAL │ 2.28-10 │ │ glibc: Stack-based buffer overflow in svcunix_create via │
│ │ │ │ │ │ long pathnames │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23218 │
│ ├────────────────┤ │ ├──────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-23219 │ │ │ │ glibc: Stack-based buffer overflow in sunrpc clnt_create via │
│ │ │ │ │ │ a long pathname │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23219 │
├───────────┼────────────────┼──────────┼───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libdb5.3 │ CVE-2019-8457 │ CRITICAL │ 5.3.28+dfsg1-0.5 │ │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
├───────────┼────────────────┤ ├───────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-1292 │ │ 1.1.1d-0+deb10u8 │ 1.1.1n-0+deb10u2 │ openssl: c_rehash script allows command injection │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1292 │
├───────────┤ │ │ │ │ │
│ openssl │ │ │ │ │ │
│ │ │ │ │ │ │
└───────────┴────────────────┴──────────┴───────────────────┴──────────────────┴──────────────────────────────────────────────────────────────┘
By using a bullseye base image instead of the buster base image the number of critical vulnerabilities can be reduced to 3:
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 60c2f3a..aff83b3 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:11-jre-slim-buster
+FROM openjdk:11-jre-slim-bullseye
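Review bot: swapping the tag to `openjdk:11-jre-slim-bullseye` changes the distro but still leaves the image at whatever package set the tag carried when it was built; the scan below shows libssl1.1 at 1.1.1n-0+deb11u1 while 1.1.1n-0+deb11u2 is listed as the fixed version, i.e. the base image was already behind bullseye-security at scan time. A tag-only change therefore cannot guarantee the count of 3: either pin the base by digest so the result is reproducible, or combine the bump with an in-image upgrade as the longer diff in this issue does.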
trivy image --severity=CRITICAL --vuln-type=os $(docker build --quiet --file docker/Dockerfile .)
sha256:156f7d236a8a5153f3e5f3ceadb5fac424c7933794f408599a1f79f0e7b66a3d (debian 11.3)
Total: 3 (CRITICAL: 3)
┌───────────┬───────────────┬──────────┬───────────────────┬──────────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────┼───────────────┼──────────┼───────────────────┼──────────────────┼────────────────────────────────────────────────────────┤
│ libdb5.3 │ CVE-2019-8457 │ CRITICAL │ 5.3.28+dfsg1-0.8 │ │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
├───────────┼───────────────┤ ├───────────────────┼──────────────────┼────────────────────────────────────────────────────────┤
│ libssl1.1 │ CVE-2022-1292 │ │ 1.1.1n-0+deb11u1 │ 1.1.1n-0+deb11u2 │ openssl: c_rehash script allows command injection │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1292 │
├───────────┤ │ │ │ │ │
│ openssl │ │ │ │ │ │
│ │ │ │ │ │ │
└───────────┴───────────────┴──────────┴───────────────────┴──────────────────┴────────────────────────────────────────────────────────┘
And by adding apt-get upgrade to the mix, the number can be reduced to 1:
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 60c2f3a..029811e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,9 +1,10 @@
-FROM openjdk:11-jre-slim-buster
+FROM openjdk:11-jre-slim-bullseye
ARG EXPORTER_VERSION=2.3.8
RUN apt-get update && apt-get install -y --no-install-recommends \
netcat \
+ && apt-get upgrade -y \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
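Review bot: the one finding that survives this hunk, CVE-2019-8457 in libdb5.3, has an empty Fixed Version in the scan below, so `apt-get upgrade -y` cannot remove it and every rebuild will keep reporting it; state that in the pull request (or in a `.trivyignore` entry that records the reason) rather than leaving the remaining 1 as an implicit target. The `netcat \` line is unchanged, so nothing in this hunk verifies that the package still resolves on bullseye; the "not tested" caveat should become a build-and-run check before this is merged.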
sha256:24f8301b5d6ce4da428a90eff88114627dee653418ea0308b103896d2bd740db (debian 11.3)
Total: 1 (CRITICAL: 1)
┌──────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libdb5.3 │ CVE-2019-8457 │ CRITICAL │ 5.3.28+dfsg1-0.8 │ │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└──────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘
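The tables in this issue mix two kinds of findings: rows with a Fixed Version, which an `apt-get upgrade` or base-image bump can clear, and rows with a blank Fixed Version, which no rebuild will remove until Debian ships a fix. The script below is an added example (it is not code from the issue or from the cassandra_exporter project) that splits a Trivy JSON report along that line and gates a build only on the fixable set. It assumes the report was written with `trivy image --format json --vuln-type os IMAGE` and relies only on the documented fields of that format (`Results[].Class`, `Results[].Vulnerabilities[].VulnerabilityID/PkgName/InstalledVersion/FixedVersion/Severity`); the embedded report is a constructed sample that mirrors the first table above, and the function names `triage` and `build_should_fail` are this example's own.

```python
"""Triage a Trivy JSON report into fixable vs. unfixable OS findings.

Added example; not part of the issue or the cassandra_exporter project.
Assumes a report produced by:
    trivy image --format json --vuln-type os IMAGE > report.json
and uses only these documented Trivy JSON fields:
    Results[].Class, Results[].Vulnerabilities[].{VulnerabilityID,
    PkgName, InstalledVersion, FixedVersion, Severity}
"""
import json
from collections import defaultdict

# Constructed sample mirroring the first scan in the issue (buster image):
# the glibc and libdb findings carry no FixedVersion in Debian 10, the
# openssl ones do. Trivy omits FixedVersion when the distro has no fix.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "criteord/cassandra_exporter:2.3.8 (debian 10.11)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-33574", "PkgName": "libc6",
                 "InstalledVersion": "2.28-10", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2021-33574", "PkgName": "libc-bin",
                 "InstalledVersion": "2.28-10", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2019-8457", "PkgName": "libdb5.3",
                 "InstalledVersion": "5.3.28+dfsg1-0.5", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2022-1292", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.1d-0+deb10u8",
                 "FixedVersion": "1.1.1n-0+deb10u2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2022-1292", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1d-0+deb10u8",
                 "FixedVersion": "1.1.1n-0+deb10u2", "Severity": "CRITICAL"},
            ],
        },
        # A language-package result that must be skipped, as --vuln-type os does.
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": []},
    ]
})


def triage(report_json, severities=("CRITICAL",)):
    """Return {"fixable": {...}, "unfixable": {...}} keyed by CVE id.

    Each value maps a CVE to the sorted list of affected packages, so the
    duplicate libc6/libc-bin rows Trivy prints collapse into one entry.
    Only Class == "os-pkgs" results are considered (same scope as
    --vuln-type os); other classes are ignored.
    """
    report = json.loads(report_json)
    fixable = defaultdict(set)
    unfixable = defaultdict(set)
    for result in report.get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            # An absent or empty FixedVersion is the blank column in the
            # tables above: nothing apt-get upgrade can do about it.
            bucket = fixable if vuln.get("FixedVersion") else unfixable
            bucket[vuln["VulnerabilityID"]].add(vuln["PkgName"])
    return {
        "fixable": {cve: sorted(pkgs) for cve, pkgs in fixable.items()},
        "unfixable": {cve: sorted(pkgs) for cve, pkgs in unfixable.items()},
    }


def build_should_fail(report_json):
    """Gate: fail only on findings a rebuild with upgrades could remove."""
    return bool(triage(report_json)["fixable"])


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, cves in result.items():
        print(f"{bucket}:")
        for cve, pkgs in sorted(cves.items()):
            print(f"  {cve}: {', '.join(pkgs)}")
    print("fail build:", build_should_fail(SAMPLE_REPORT))
```

Counting by CVE rather than by table row also explains why the 11 rows of the first scan collapse to 6 distinct identifiers: each glibc CVE is listed twice (libc6 and libc-bin) and CVE-2022-1292 twice (libssl1.1 and openssl). For CI, Trivy's own flags give the same gate without any script: `trivy image --severity CRITICAL --vuln-type os --ignore-unfixed --exit-code 1 IMAGE` returns non-zero only for findings that have a fixed version, and a `.trivyignore` file can carry the unfixable ones with a note on why they are accepted.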