jenkinsci/docker

CVE-2023-38039, CVE-2023-38408, CVE-2023-38039, CVE-2023-38039, CVE-2023-44487

srikavya-kola opened this issue · 4 comments

Jenkins and plugins versions report

Wiz reported these issues.

CVE-2023-38408

  The package openssh-client version 1:9.2p1-2 was detected in the APT package manager on a container image running Debian 12.1 and is vulnerable to CVE-2023-38408, which exists in versions < 1:9.2p1-2+deb12u1.
  
  The vulnerability was found in the Official Debian Security Advisories with vendor severity: Critical (NVD severity: Critical).
  
  This vulnerability has a known exploit available. Source: Packetstorm.
  
  The vulnerability can be remediated by updating the package to version 1:9.2p1-2+deb12u1 or higher, by adding the following command to the Dockerfile: RUN apt upgrade openssh-client.
  
  The package is associated with the technology OpenSSH.

CVE-2023-38039

  The package curl version 7.88.1-10+deb12u1 was detected in the APT package manager on a container image running Debian 12.1 and is vulnerable to CVE-2023-38039, which exists in versions < 7.88.1-10+deb12u3.
  
  The vulnerability was found in the Official Debian Security Advisories with vendor severity: High (NVD severity: High).
  
  This vulnerability has a known exploit available. Source: Hacker1.
  
  The vulnerability can be remediated by updating the package to version 7.88.1-10+deb12u3 or higher, by adding the following command to the Dockerfile: RUN apt upgrade curl.
  
  The package is associated with the technology cURL.

  The package libcurl3-gnutls version 7.88.1-10+deb12u1 was detected in the APT package manager on a container image running Debian 12.1 and is vulnerable to CVE-2023-38039, which exists in versions < 7.88.1-10+deb12u3.
  
  The vulnerability was found in the Official Debian Security Advisories with vendor severity: High (NVD severity: High).
  
  This vulnerability has a known exploit available. Source: Hacker1.
  
  The vulnerability can be remediated by updating the package to version 7.88.1-10+deb12u3 or higher, by adding the following command to the Dockerfile: RUN apt upgrade libcurl3-gnutls.
  
  The package is associated with the technology Libcurl.

  The package libcurl4 version 7.88.1-10+deb12u1 was detected in the APT package manager on a container image running Debian 12.1 and is vulnerable to CVE-2023-38039, which exists in versions < 7.88.1-10+deb12u3.
  
  The vulnerability was found in the Official Debian Security Advisories with vendor severity: High (NVD severity: High).
  
  This vulnerability has a known exploit available. Source: Hacker1.
  
  The vulnerability can be remediated by updating the package to version 7.88.1-10+deb12u3 or higher, by adding the following command to the Dockerfile: RUN apt upgrade libcurl4.
  
  The package is associated with the technology Libcurl.

CVE-2023-44487

  The package libnghttp2-14 version 1.52.0-1 was detected in the APT package manager on a container image running Debian 12.1 and is vulnerable to CVE-2023-44487, which exists in all current versions.
  
  The vulnerability was found in the Official Debian Security Advisories with vendor severity: High (NVD severity: High).
  
  This vulnerability has a known exploit available. Source: CISA Known Exploited Vulnerabilities Catalog.
  
  This vulnerability cannot be remediated because a fix has not been released.

What Operating System are you using (both controller, and any agents involved in the problem)?

Running Jenkins on EKS 1.27 with helm chart 4.8.1, image: "jenkins/jenkins", tag: "2.414.3-jdk11"

Reproduction steps

NA

Expected Results

No issues need to be detected by Wiz.

Actual Results

No issues need to be detected by Wiz.

Anything else?

No response

Please see #1740 (comment) for the curl CVEs. The reports provided here look really wrong:

$ docker run --rm --entrypoint='' jenkins/jenkins:2.414.3-jdk11 sh -c 'dpkg -l | grep -w curl'
ii  curl                      7.88.1-10+deb12u4              arm64        command line tool for transferring data with URL syntax

Same, the OpenSSH report looks suspicious:

$ docker run --rm --entrypoint='' jenkins/jenkins:2.414.3-jdk11 sh -c 'dpkg -l | grep -w openssh-client'
ii  openssh-client            1:9.2p1-2+deb12u1              arm64        secure shell (SSH) client, for secure access to remote machines

Like the curl package, the image you mentioned (jenkins/jenkins:2.414.3-jdk11) has the fixed packages, making the request not realistic.

You should check what your "wiz" (no idea what it is) tool is doing and checking, but it looks like it's sending you false positives.

As for CVE-2023-44487, please check https://www.jenkins.io/security/advisory/2023-10-18/ which delivered the Jetty server with the patch for Jenkins.

There is a libnghttp2 (shared) library in the images, but I can't find any proof of exploit due to this library. As per https://security-tracker.debian.org/tracker/CVE-2023-44487, there is NO fix for the nghttp2 web server, but it is not installed.

I'm closing this issue as per https://www.jenkins.io/security/reporting. You need to follow these instructions carefully to responsibly report any vulnerability.
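The reply above settles each finding the same way: read the version actually installed in the image with `dpkg -l` and compare it with the version in which Debian fixed the CVE. The script below is an added example (not code from the jenkinsci/docker project, from Jenkins, or from Wiz) that automates that triage. Because the verdict hinges on Debian version ordering (`1:9.2p1-2` is older than `1:9.2p1-2+deb12u1`, `7.88.1-10+deb12u4` is newer than `7.88.1-10+deb12u3`), it re-implements dpkg's `--compare-versions` ordering rather than shelling out, so it runs anywhere. The `dpkg -l` rows for curl and openssh-client are the ones quoted in the thread; the libnghttp2-14 row and the `nghttp2-server` finding are constructed to exercise the "no fix published" and "not installed" paths.

```python
"""Triage scanner findings against the package versions really installed in an image.

Added example; not jenkinsci/docker or Wiz code. The version comparison follows
dpkg's algorithm: [epoch:]upstream[-revision], epochs compared numerically, then
upstream and revision compared in alternating non-digit/digit runs where '~'
sorts before everything (even end of string) and letters sort before punctuation.
"""


def _order(c):
    """Weight dpkg assigns to a character in a non-digit run ('' = end of string)."""
    if c == '' or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == '~':
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream or revision fragments; <0, 0 or >0 like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until both sides hit a digit/end.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else '')
            bc = _order(b[j] if j < len(b) else '')
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then compare numerically (longer run wins).
        while i < len(a) and a[i] == '0':
            i += 1
        while j < len(b) and b[j] == '0':
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split a Debian version string into (epoch, upstream, revision)."""
    epoch = 0
    if ':' in version:
        epoch_str, version = version.split(':', 1)
        epoch = int(epoch_str)
    if '-' in version:
        upstream, revision = version.rsplit('-', 1)
    else:
        upstream, revision = version, ''
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def installed_versions(dpkg_l_output):
    """Map package name -> version from `dpkg -l` text, keeping only 'ii' (installed) rows."""
    versions = {}
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == 'ii':
            versions[fields[1].split(':', 1)[0]] = fields[2]  # drop ':arch' from the name
    return versions


def triage(dpkg_l_output, findings):
    """Classify (package, fixed_version) findings: fixed / vulnerable / not installed / no fix published."""
    installed = installed_versions(dpkg_l_output)
    verdicts = {}
    for package, fixed_version in findings:
        version = installed.get(package)
        if version is None:
            verdicts[package] = 'not installed'
        elif fixed_version is None:
            verdicts[package] = 'no fix published'
        elif compare_versions(version, fixed_version) >= 0:
            verdicts[package] = 'fixed'  # installed >= fixed: scanner finding is a false positive
        else:
            verdicts[package] = 'vulnerable'
    return verdicts


# Constructed sample: curl and openssh-client rows as quoted in the thread, plus a libnghttp2-14
# row made up here (the thread does not show that package's installed version).
SAMPLE_DPKG_L = """\
ii  curl                      7.88.1-10+deb12u4              arm64        command line tool for transferring data with URL syntax
ii  openssh-client            1:9.2p1-2+deb12u1              arm64        secure shell (SSH) client, for secure access to remote machines
ii  libnghttp2-14:arm64       1.52.0-1                       arm64        library implementing HTTP/2 protocol (shared library)
"""

# Fixed versions as cited in the report above; None = Debian has published no fix.
# 'nghttp2-server' is a constructed finding for a package absent from the image.
FINDINGS = [
    ('openssh-client', '1:9.2p1-2+deb12u1'),  # CVE-2023-38408
    ('curl', '7.88.1-10+deb12u3'),            # CVE-2023-38039
    ('libnghttp2-14', None),                  # CVE-2023-44487
    ('nghttp2-server', None),                 # hypothetical
]

if __name__ == '__main__':
    for package, verdict in triage(SAMPLE_DPKG_L, FINDINGS).items():
        print(f'{package:16} {verdict}')
```

Feed it real data with `docker run --rm --entrypoint='' jenkins/jenkins:2.414.3-jdk11 dpkg -l`, and take the fixed version for each CVE from the Debian security tracker rather than from the scanner, since the scanner's reported installed version is exactly what is in question here. A finding that comes back `fixed` means the scanner is not looking at the same image, or at the same layer, as you are.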