nginx/docker-nginx-unprivileged

Update image to mitigate CVE-2023-44487 vulnerability

Closed this issue · 3 comments

We have identified that the latest docker-nginx-unprivileged:stable-alpine image is affected by this vulnerability, potentially posing a security risk. To address this, we need to update the Docker image to a version that includes the necessary fixes to mitigate CVE-2023-44487. Could you please update the nginx package version to mitigate that vulnerability?

nginxinc/nginx-unprivileged:stable-alpine (alpine 3.18.4)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363  │ MEDIUM   │ fixed  │ 3.1.3-r0          │ 3.1.4-r0      │ Incorrect cipher key and IV length processing                │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363                    │
├────────────┤                │          │        │                   │               │                                                              │
│ libssl3    │                │          │        │                   │               │                                                              │
│            │                │          │        │                   │               │                                                              │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ nginx      │ CVE-2023-44487 │ HIGH     │        │ 1.24.0-r1         │ 1.24.0-r7     │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│            │                │          │        │                   │               │ attack (Rapid...                                             │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

I took a look at opening a PR to change the stable images to 1.24.0-r7, but updating PKG_RELEASE to 7 caused some unexpected changes that made the rest of the docker build fail. Configuration directories/files seem to have been relocated between these releases, so it seems like it might be a breaking change for many users.

Any update on this effort?

Yep! Although it might not be the one you were looking for. There are no active plans to release patches to specifically address this CVE in the stable branch. The CVE only comes into play in certain NGINX HTTP/2 configurations, and as such we are recommending users tweak their config instead per the instructions here (https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/).

If you want a "patched" version of NGINX (it's more of a system stability update than a "patch"), I would suggest switching from the stable to the mainline branch.

Alternatively, feel free to use the Alpine NGINX package (that's the 1.24.0-r7 package you are seeing as being fixed) instead of the one built by us (which is still at 1.24.0-r1).
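For readers following the maintainer's advice to mitigate at the configuration level rather than wait for a stable-branch rebuild, here is an added example of what that looks like. This is not config from the issue thread, the nginx-unprivileged image, or the linked NGINX blog post verbatim; it shows the directives that post discusses (keepalive_requests, http2_max_concurrent_streams, limit_conn, limit_req) with a weakened "before" and a hardened "after". The listen port (8080, the unprivileged image's default), certificate paths, zone names and numeric limits are assumptions chosen for illustration.

```nginx
# Added example: HTTP/2 Rapid Reset (CVE-2023-44487) configuration mitigation.
# Not part of the original issue or the project's config. Port, cert paths,
# zone names and limit values are assumptions for illustration.

http {
    # Per-client-IP accounting. The attack works by opening many streams on
    # each connection and many connections from few sources, so cap both.
    # $binary_remote_addr keeps the zone entries small (4 bytes per IPv4).
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

    # --- Weak settings (do NOT use) ---------------------------------------
    # Raising these well above the defaults multiplies how much work a
    # single client can queue before any reset takes effect:
    #
    #   keepalive_requests           100000;
    #   http2_max_concurrent_streams 1024;

    # --- Hardened settings ------------------------------------------------
    # Keep both at their defaults (1000 and 128). Each value bounds how many
    # requests/streams one connection can drive; do not raise them for "perf".
    keepalive_requests           1000;
    http2_max_concurrent_streams 128;

    server {
        # Unprivileged image listens on 8080. On 1.25.1+ prefer the separate
        # "http2 on;" directive; "listen ... http2" is the 1.24 stable form.
        listen 8080 ssl http2;
        server_name example.internal;             # assumed hostname

        ssl_certificate     /etc/nginx/tls/server.crt;  # assumed path
        ssl_certificate_key /etc/nginx/tls/server.key;  # assumed path

        # Cap simultaneous connections per source IP and rate-limit requests.
        # "burst" absorbs legitimate bursts; "nodelay" serves them immediately
        # instead of queueing, then rejects excess with 503 (limit_req_status).
        limit_conn perip_conn 20;
        limit_req  zone=perip_req burst=20 nodelay;
        limit_req_status  429;
        limit_conn_status 429;

        location / {
            root  /usr/share/nginx/html;
            index index.html;
        }
    }
}
```

Validate the result before rolling it out with `nginx -t` inside the container (for example `docker run --rm -v "$PWD/nginx.conf:/etc/nginx/nginx.conf:ro" nginxinc/nginx-unprivileged:stable-alpine nginx -t`), and confirm which nginx build you are actually running with `nginx -v`: the nginx.org build in the image reports 1.24.0, whereas the Alpine-packaged 1.24.0-r7 the scanner treats as fixed is a distro build of the same upstream version, so the package version string, not `nginx -v` alone, is what distinguishes them.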