Security scan issues #2477

Closed
ohadpinch opened this issue May 2, 2022 · 16 comments

Comments

@ohadpinch

These security issues were found while scanning 2.2.3.Final:

| Vulnerability | Description | Recommendation |
|---|---|---|
| rhel:8 zlib CVE-2018-25032 | https://nvd.nist.gov/vuln/detail/CVE-2018-25032 | 0:1.2.11-18.el8_5 |
| github:java httpclient GHSA-7r82-7xv7-xcpj | https://nvd.nist.gov/vuln/detail/CVE-2020-13956 | 4.5.13 |
| github:java jackson-databind GHSA-57j2-w4cx-62h2 | https://nvd.nist.gov/vuln/detail/CVE-2020-36518 | 2.12.6.1 |
| github:java commons-io GHSA-gwrp-pvrq-jmwv | https://nvd.nist.gov/vuln/detail/CVE-2021-29425 | 2.7 |
| github:java jsoup GHSA-m72m-mhq2-9p6c | https://nvd.nist.gov/vuln/detail/CVE-2021-37714 | 1.14.2 |
| github:java netty-codec-http GHSA-wx5j-54mm-rqqq | https://nvd.nist.gov/vuln/detail/CVE-2021-43797 | 4.1.71.Final |
| rhel:8 java-11-openjdk CVE-2022-21426 | https://nvd.nist.gov/vuln/detail/CVE-2022-21426 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-devel CVE-2022-21426 | https://nvd.nist.gov/vuln/detail/CVE-2022-21426 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-headless CVE-2022-21426 | https://nvd.nist.gov/vuln/detail/CVE-2022-21426 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-devel CVE-2022-21434 | https://nvd.nist.gov/vuln/detail/CVE-2022-21434 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk CVE-2022-21434 | https://nvd.nist.gov/vuln/detail/CVE-2022-21434 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-headless CVE-2022-21434 | https://nvd.nist.gov/vuln/detail/CVE-2022-21434 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk CVE-2022-21443 | https://nvd.nist.gov/vuln/detail/CVE-2022-21443 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-devel CVE-2022-21443 | https://nvd.nist.gov/vuln/detail/CVE-2022-21443 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-headless CVE-2022-21443 | https://nvd.nist.gov/vuln/detail/CVE-2022-21443 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk CVE-2022-21476 | https://nvd.nist.gov/vuln/detail/CVE-2022-21476 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-devel CVE-2022-21476 | https://nvd.nist.gov/vuln/detail/CVE-2022-21476 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-headless CVE-2022-21476 | https://nvd.nist.gov/vuln/detail/CVE-2022-21476 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk CVE-2022-21496 | https://nvd.nist.gov/vuln/detail/CVE-2022-21496 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-devel CVE-2022-21496 | https://nvd.nist.gov/vuln/detail/CVE-2022-21496 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-headless CVE-2022-21496 | https://nvd.nist.gov/vuln/detail/CVE-2022-21496 | 1:11.0.15.0.9-2.el8_5 |
@EricWittmann
Member

I suspect most of these will be fixed by upgrading Quarkus, which we should be doing shortly. CC @carlesarnal

@tomasAlabes
Contributor

What about this one? Found on: 2.2.3.Final. Couldn't find any reference in the release notes for the newer ones.

Issue Description: HIGH Vulnerability found in non-os package type (java) - /deployments/lib/com.ibm.async.asyncutil-0.1.0.jar:asyncutil (cvss_v3_base_score=7.8)(CVE-2021-43138 - https://nvd.nist.gov/vuln/detail/CVE-2021-43138)
Package path: /deployments/lib/com.ibm.async.asyncutil-0.1.0.jar:asyncutil
Severity: HIGH
CVSS_V3_Base_Score: 7.8
Advisory_Name: CVE-2021-43138
Advisory_Link: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Type: vulnerabilities(package)

@tomasAlabes
Contributor

@EricWittmann @carlesarnal any update on these findings?

@EricWittmann
Member

We are in the process of integrating security scanning into our normal process. @andreaTP thoughts?

@andreaTP
Member

I see two kinds of issues reported here:

  • base image vulnerabilities -> will be solved by using latest ubi base image
  • quarkus/libraries -> we should bump to the latest LTS of Quarkus and eventually check for the remaining issues with jar packages (e.g. bumping direct dependencies of the project in case)

Before the next release we can:

  • build the docker image
  • run one or more automatic scanners
  • check the result and eventually update dependencies versions

@EricWittmann
Member

I agree with one caveat - when we productize registry we'll need to align to a RHBoQ (Red Hat Build of Quarkus). So we need to make sure we align upstream to the right version.

@tomasAlabes
Contributor

For 2.2.5.Final our systems pick up this vulnerability:

Issue Description: HIGH Vulnerability found in non-os package type (java) - /deployments/lib/io.smallrye.reactive.smallrye-mutiny-vertx-auth-common-2.21.0.jar (cvss_v3_base_score=8.8)(CVE-2018-15529 - https://nvd.nist.gov/vuln/detail/CVE-2018-15529)
Package path: /deployments/lib/io.smallrye.reactive.smallrye-mutiny-vertx-web-2.21.0.jar
Severity: HIGH
CVSS_V3_Base_Score: 8.8
Advisory_Name: CVE-2018-15529
Advisory_Link: https://nvd.nist.gov/vuln/detail/CVE-2018-15529

@andreaTP
Member

@tomasAlabes can you share which code-scanning tool are you using?

@tomasAlabes
Contributor

Sorry, I was completely sure I answered this. This vulnerability in particular was found by Anchore. But we use several scanning tools.

@tomasAlabes
Contributor

tomasAlabes commented Oct 11, 2022 via email

@tomasAlabes
Contributor

Found security issues in 2.3.1.Final:

ANCHORE:CVE-2022-42004+com.fasterxml.jackson.core.jackson-databind-2.13.3.jar

ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-runtime-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.mutiny-1.4.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-core-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-auth-common-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-web-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-web-client-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-web-common-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-bridge-common-2.21.0.jar

ANCHORE:GHSA-h4h5-3hr4-j3g2+com.google.protobuf.protobuf-java-3.21.6.jar
ANCHORE:GHSA-rgv9-q543-rqg4+com.fasterxml.jackson.core.jackson-databind-2.13.3.jar

@andreaTP, is there a plan to tackle these?

@EricWittmann
Member

We released 2.4.0.Final recently (the container images failed to build but we are correcting that soon). These security issues should be addressed in that version. Most of them are inherited from Quarkus, which we have upgraded in the latest version.

@tomasAlabes
Contributor

tomasAlabes commented Dec 27, 2022

Still seeing vulnerabilities in 2.4.1.Final:

ANCHORE: GHSA-9895-g6x5-xwcp - io.quarkus.quarkus-vertx-http-2.14.0.Final.jar:quarkus-vertx-http
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-auth-common-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-core-2.27.0.jar
ANCHORE: GHSA-mjmj-j48q-9wg2 - org.yaml.snakeyaml-1.33.jar:snakeyaml
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-bridge-common-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-web-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-uri-template-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-web-client-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-auth-common-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.mutiny-1.7.0.jar:mutiny
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-runtime-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.mutiny-1.7.0.jar:mutiny
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-uri-template-2.27.0.jar
ANCHORE: GHSA-fx2c-96vj-985v - io.netty.netty-codec-haproxy-4.1.82.Final.jar:netty-codec-haproxy
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-runtime-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-core-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-web-common-2.27.0.jar
ANCHORE: CVE-2022-3734 - io.smallrye.reactive.smallrye-mutiny-vertx-uri-template-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-web-client-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-web-common-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-web-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-bridge-common-2.27.0.jar
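The plan proposed earlier in the thread (build the image, run one or more scanners, check the result and bump dependency versions) depends on turning dumps like the ones pasted above into a per-advisory view: which advisory points at which artifact and version, and which advisories changed between two releases. The following is an added example, not Apicurio Registry or Anchore code. It parses the two ANCHORE line shapes that appear in this thread (`ANCHORE:ID+jar` and `ANCHORE: ID - jar[:name]`), groups findings by advisory with artifact and version, and diffs the scans of two releases to show which advisories disappeared and which are new. The sample lines are copied from the comments above (a subset of the 2.4.1.Final list); the regular expressions assume exactly those line shapes and Maven-style `artifact-version.jar` names.

```python
"""Triage helper for Anchore-style scan findings as pasted in this issue.

Added example, not project code. It recognises the two line shapes used in
the thread and groups them by advisory so a maintainer can see, per advisory,
which jars (and which versions) are affected, and what changed between scans.
"""
import re
from collections import defaultdict

# Both separators seen in the thread: "ANCHORE:ID+jar" and "ANCHORE: ID - jar".
# An optional ":name" suffix after the jar (e.g. "mutiny-1.7.0.jar:mutiny") is dropped.
FINDING_RE = re.compile(
    r"^ANCHORE:\s*(?P<adv>CVE-\d{4}-\d+|GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4})"
    r"\s*[-+]\s*(?P<jar>\S+?\.jar)(?::\S+)?$"
)

# Splits "io.smallrye.reactive.smallrye-mutiny-vertx-core-2.27.0.jar" into the
# artifact "io.smallrye.reactive.smallrye-mutiny-vertx-core" and version "2.27.0":
# the version is the part after the first "-" that is followed by a digit.
VERSION_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*?)\.jar$")

# Sample input copied from the thread: the 2.3.1.Final scan (complete).
SCAN_2_3_1 = """
ANCHORE:CVE-2022-42004+com.fasterxml.jackson.core.jackson-databind-2.13.3.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-runtime-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.mutiny-1.4.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-core-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-auth-common-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-web-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-web-client-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-web-common-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-bridge-common-2.21.0.jar
ANCHORE:GHSA-h4h5-3hr4-j3g2+com.google.protobuf.protobuf-java-3.21.6.jar
ANCHORE:GHSA-rgv9-q543-rqg4+com.fasterxml.jackson.core.jackson-databind-2.13.3.jar
""".strip().splitlines()

# Sample input copied from the thread: a subset of the 2.4.1.Final scan that
# covers every advisory it reported.
SCAN_2_4_1 = """
ANCHORE: GHSA-9895-g6x5-xwcp - io.quarkus.quarkus-vertx-http-2.14.0.Final.jar:quarkus-vertx-http
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-core-2.27.0.jar
ANCHORE: GHSA-mjmj-j48q-9wg2 - org.yaml.snakeyaml-1.33.jar:snakeyaml
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-web-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.mutiny-1.7.0.jar:mutiny
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.mutiny-1.7.0.jar:mutiny
ANCHORE: GHSA-fx2c-96vj-985v - io.netty.netty-codec-haproxy-4.1.82.Final.jar:netty-codec-haproxy
ANCHORE: CVE-2022-3734 - io.smallrye.reactive.smallrye-mutiny-vertx-uri-template-2.27.0.jar
""".strip().splitlines()


def parse_finding(line):
    """Return (advisory, artifact, version) for a finding line, or None otherwise."""
    m = FINDING_RE.match(line.strip())
    if not m:
        return None
    jar = m.group("jar")
    v = VERSION_RE.match(jar)
    if v:
        return m.group("adv"), v.group("artifact"), v.group("version")
    # Unversioned jar name: keep it visible rather than dropping the finding.
    return m.group("adv"), jar, ""


def group_by_advisory(lines):
    """Map advisory -> sorted, de-duplicated list of (artifact, version)."""
    groups = defaultdict(set)
    for line in lines:
        parsed = parse_finding(line)
        if parsed:
            adv, artifact, version = parsed
            groups[adv].add((artifact, version))
    return {adv: sorted(arts) for adv, arts in sorted(groups.items())}


def compare_releases(before, after):
    """Return (fixed, new): advisories only in `before`, and advisories only in `after`."""
    b = set(group_by_advisory(before))
    a = set(group_by_advisory(after))
    return sorted(b - a), sorted(a - b)


def summarize(lines):
    """One text line per advisory listing the affected artifacts and versions."""
    out = []
    for adv, arts in group_by_advisory(lines).items():
        joined = ", ".join(f"{art}@{ver}" for art, ver in arts)
        out.append(f"{adv}: {len(arts)} artifact(s): {joined}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SCAN_2_4_1)))
    fixed, new = compare_releases(SCAN_2_3_1, SCAN_2_4_1)
    print("fixed since 2.3.1.Final:", fixed)
    print("new in 2.4.1.Final:", new)
```

Grouping by advisory is what makes the list actionable: the 2.3.1.Final dump collapses to four advisories, and eight of its lines are the same CVE reported against one Mutiny release pulled in transitively, which is the case the maintainers describe as "inherited from Quarkus" and fixed by one bump rather than eight. The release diff separates advisories that actually went away from those that are newly reported, so a re-scan after an upgrade can be judged at a glance.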

@tomasAlabes
Contributor

Hi @EricWittmann, this is the number 1 reason why we're planning to drop Apicurio. Security should be a priority.
I hope at least these vulnerabilities will be fixed soon. Thank you

@EricWittmann
Member

I was working on this today actually. We struggle with this because we inherit a lot of our CVEs from Quarkus and our Docker base image. I've upgraded Quarkus to a newer patch version, which has resolved some of the CVEs. We can't always easily upgrade to the latest Quarkus minor release due to productization processes at Red Hat.

We'll keep working on getting better at this. Your criticism is fair.

@carlesarnal
Member

We're doing a much better job on this now as can be seen in our security scanning both on GH and on Quay. Also, thanks to the introduction of LTS versions in Quarkus we're in a much better position for the future as well. Closing this as the result.
