Fix CVE with libexpat on alpine
Closed this issue · 6 comments
Describe the bug
Hello, using the Trivy analyser on the nginx alpine image reports critical, fixed CVEs on libexpat.
To reproduce
Steps to reproduce the behavior:
- Install Trivy
- Run trivy image --ignore-unfixed --severity CRITICAL --no-progress nginx:alpine
Expected behavior
This is fixed in the Alpine images; can you update the nginx (and the unprivileged one) images with the updated libexpat lib?
Additional information
┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2024-45490 │ CRITICAL │ fixed │ 2.6.2-r0 │ 2.6.3-r0 │ libexpat: Negative Length Parsing Vulnerability in libexpat │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45490 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2024-45491 │ │ │ │ │ libexpat: Integer Overflow or Wraparound │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45491 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2024-45492 │ │ │ │ │ libexpat: integer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45492 │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
Thank you.
We have the same problem at the moment.
@benconda libexpat is a part of the base operating system. And https://hub.docker.com/_/nginx is part of https://github.com/docker-library/official-images/ which are built by Docker Inc.
You can raise an issue with official-images for images to be rebuilt.
Hi, is it the same for the https://hub.docker.com/r/nginxinc/nginx-unprivileged image? This one is impacted too.
nginx-unprivileged is not a part of the official images (I know, it's a bit confusing...) and for it an issue should be raised at https://github.com/nginxinc/docker-nginx-unprivileged
@benconda It seems that this issue was fixed in Alpine 3.20.3. These tags of nginxinc/nginx-unprivileged contain the fix:
- https://hub.docker.com/layers/nginxinc/nginx-unprivileged/1.27.1-alpine/images/sha256-c609fcc09c937e464ac5cc69d625553c8c76e16f843ae1dc780367d99f7a8e8e?context=explore
- https://hub.docker.com/layers/nginxinc/nginx-unprivileged/1.27-alpine/images/sha256-c609fcc09c937e464ac5cc69d625553c8c76e16f843ae1dc780367d99f7a8e8e?context=explore
- https://hub.docker.com/layers/nginxinc/nginx-unprivileged/1.27-alpine3.20/images/sha256-c609fcc09c937e464ac5cc69d625553c8c76e16f843ae1dc780367d99f7a8e8e?context=explore
Thanks, it's indeed fixed on the latest build. Let's close this issue.
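The reproduction steps in the issue and the closing comment (fix present once libexpat reaches 2.6.3-r0) both come down to one check: which findings Trivy reports as fixed upstream, and whether a rebuilt image's package version actually clears them. The following Python script is an added example, not code from the issue, from Trivy or from the nginx image projects. It reads a Trivy JSON report (the kind `trivy image --format json --output report.json --ignore-unfixed --severity CRITICAL nginx:alpine` writes), keeps the fixed findings at or above a chosen severity, and compares installed against fixed versions using a simplified apk version ordering (numeric dot components, then the `-rN` release; an assumption that covers the `2.6.2-r0` / `2.6.3-r0` style on this page but not every apk suffix). The embedded report is constructed from the values in the issue's table; the version-to-version comparison generalizes to any package in the report, not just libexpat.

```python
"""Triage fixed findings from a Trivy JSON report and verify a package upgrade clears them."""
import json
import re

# Constructed sample in Trivy's JSON report shape; CVE ids, versions and titles
# are taken from the table in the issue, everything else is filled in for the example.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "nginx:alpine",
    "Results": [{
        "Target": "nginx:alpine (alpine)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-45490", "PkgName": "libexpat",
             "InstalledVersion": "2.6.2-r0", "FixedVersion": "2.6.3-r0",
             "Status": "fixed", "Severity": "CRITICAL",
             "Title": "libexpat: Negative Length Parsing Vulnerability in libexpat"},
            {"VulnerabilityID": "CVE-2024-45491", "PkgName": "libexpat",
             "InstalledVersion": "2.6.2-r0", "FixedVersion": "2.6.3-r0",
             "Status": "fixed", "Severity": "CRITICAL",
             "Title": "libexpat: Integer Overflow or Wraparound"},
            {"VulnerabilityID": "CVE-2024-45492", "PkgName": "libexpat",
             "InstalledVersion": "2.6.2-r0", "FixedVersion": "2.6.3-r0",
             "Status": "fixed", "Severity": "CRITICAL",
             "Title": "libexpat: integer overflow"},
        ],
    }],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_apk_version(version):
    """Split 'X.Y.Z-rN' into ([(num, suffix), ...], N). Simplified apk ordering (assumption)."""
    base, _, rel = version.strip().partition("-r")
    parts = []
    for comp in base.split("."):
        m = re.match(r"(\d+)(.*)", comp)
        parts.append((int(m.group(1)), m.group(2)) if m else (0, comp))
    return parts, int(rel) if rel.isdigit() else 0


def apk_version_lt(a, b):
    """True if version a sorts strictly before version b (components padded with zeros)."""
    pa, ra = parse_apk_version(a)
    pb, rb = parse_apk_version(b)
    n = max(len(pa), len(pb))
    pa += [(0, "")] * (n - len(pa))
    pb += [(0, "")] * (n - len(pb))
    return pa < pb if pa != pb else ra < rb


def outstanding_fixed_findings(report_json, min_severity="CRITICAL"):
    """Findings with an upstream fix (like --ignore-unfixed) at or above min_severity,
    where the installed version is still below the fix."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion")
            if not fixed:
                continue  # no fix available: the report's --ignore-unfixed case
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < SEVERITY_RANK[min_severity]:
                continue
            # Trivy may list several fixed versions separated by commas (one per branch);
            # treat the finding as cleared if the installed version reaches any of them.
            candidates = [v.strip() for v in fixed.split(",")]
            installed = vuln["InstalledVersion"]
            if any(not apk_version_lt(installed, c) for c in candidates):
                continue
            findings.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                             "installed": installed, "fixed": fixed})
    return findings


def remaining_after_upgrade(report_json, upgraded, min_severity="CRITICAL"):
    """CVE ids still open if packages were at the versions in `upgraded` ({pkg: version}),
    e.g. to confirm a rebuilt image before re-scanning it."""
    still_open = []
    for f in outstanding_fixed_findings(report_json, min_severity):
        new_version = upgraded.get(f["pkg"], f["installed"])
        candidates = [v.strip() for v in f["fixed"].split(",")]
        if all(apk_version_lt(new_version, c) for c in candidates):
            still_open.append(f["id"])
    return still_open


if __name__ == "__main__":
    for f in outstanding_fixed_findings(SAMPLE_REPORT):
        print(f"{f['id']}: {f['pkg']} {f['installed']} -> fix in {f['fixed']}")
    print("open after libexpat 2.6.3-r0:", remaining_after_upgrade(SAMPLE_REPORT, {"libexpat": "2.6.3-r0"}))
```

Pointing `outstanding_fixed_findings` at a real report file gives the same triage list Trivy prints as a table; `remaining_after_upgrade` answers the question the thread ends on, namely whether an image whose libexpat is at 2.6.3-r0 still carries any of the three CVEs, without a second scan. A bump of only the release number (2.6.2-r1) is correctly reported as not clearing them.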