
Image has CVE security issues #168

Closed
csantanapr opened this issue May 7, 2021 · 1 comment · Fixed by #170

Comments

@csantanapr (Contributor):

While using the Cloud Native Toolkit to run a pipeline, we use trivy to scan the images.

The report came back with 6 critical CVEs to address.

Trivy Security Scan image in registry
/var/oci/image (debian 10.9)
============================
Total: 214 (UNKNOWN: 0, LOW: 150, MEDIUM: 20, HIGH: 38, CRITICAL: 6)

The 6 critical issues that need to be fixed are the following:

Total: 6 (CRITICAL: 6)

+----------------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
|       LIBRARY        | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |                URL                 |
+----------------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
| libgnutls30          | CVE-2021-20231   | CRITICAL | 3.6.7-4+deb10u6   |               | gnutls: Use after free in      | avd.aquasec.com/nvd/cve-2021-20231 |
|                      |                  |          |                   |               | client key_share extension     |                                    |
+                      +------------------+          +                   +---------------+--------------------------------+------------------------------------+
|                      | CVE-2021-20232   |          |                   |               | gnutls: Use after free         | avd.aquasec.com/nvd/cve-2021-20232 |
|                      |                  |          |                   |               | in client_send_params in       |                                    |
|                      |                  |          |                   |               | lib/ext/pre_shared_key.c       |                                    |
+----------------------+------------------+          +-------------------+---------------+--------------------------------+------------------------------------+
| libpython2.7-minimal | CVE-2021-3177    |          | 2.7.16-2+deb10u1  |               | python: Stack-based buffer     | avd.aquasec.com/nvd/cve-2021-3177  |
|                      |                  |          |                   |               | overflow in PyCArg_repr in     |                                    |
|                      |                  |          |                   |               | _ctypes/callproc.c             |                                    |
+----------------------+                  +          +                   +---------------+                                +                                    +
| libpython2.7-stdlib  |                  |          |                   |               |                                |                                    |
|                      |                  |          |                   |               |                                |                                    |
|                      |                  |          |                   |               |                                |                                    |
+----------------------+                  +          +                   +---------------+                                +                                    +
| python2.7            |                  |          |                   |               |                                |                                    |
|                      |                  |          |                   |               |                                |                                    |
|                      |                  |          |                   |               |                                |                                    |
+----------------------+                  +          +                   +---------------+                                +                                    +
| python2.7-minimal    |                  |          |                   |               |                                |                                    |
|                      |                  |          |                   |               |                                |                                    |
|                      |                  |          |                   |               |                                |                                    |
+----------------------+------------------+----------+-------------------+---------------+--------------------------------+------------------------------------+
xuhdev added a commit that referenced this issue May 7, 2021
xuhdev added a commit that referenced this issue May 11, 2021
xuhdev added a commit that referenced this issue May 11, 2021
xuhdev added a commit that referenced this issue May 11, 2021
xuhdev added a commit that referenced this issue May 12, 2021
* Bump max-base to v1.5.0

Close #168

* Change version to 1.5.0
@csantanapr (Contributor, Author):

Hi,
I just ran the trivy scanner now and it is still finding the same 6 Critical issues.

trivy i -s CRITICAL ai
2021-05-24T20:19:57.780-0400	INFO	Detected OS: debian
2021-05-24T20:19:57.780-0400	INFO	Detecting Debian vulnerabilities...
2021-05-24T20:19:57.793-0400	INFO	Number of PL dependency files: 0

ai (debian 10.9)
================
Total: 6 (CRITICAL: 6)

+----------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|       LIBRARY        | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libgnutls30          | CVE-2021-20231   | CRITICAL | 3.6.7-4+deb10u6   |               | gnutls: Use after free in             |
|                      |                  |          |                   |               | client key_share extension            |
|                      |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-20231 |
+                      +------------------+          +                   +---------------+---------------------------------------+
|                      | CVE-2021-20232   |          |                   |               | gnutls: Use after free                |
|                      |                  |          |                   |               | in client_send_params in              |
|                      |                  |          |                   |               | lib/ext/pre_shared_key.c              |
|                      |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-20232 |
+----------------------+------------------+          +-------------------+---------------+---------------------------------------+
| libpython2.7-minimal | CVE-2021-3177    |          | 2.7.16-2+deb10u1  |               | python: Stack-based buffer overflow   |
|                      |                  |          |                   |               | in PyCArg_repr in _ctypes/callproc.c  |
|                      |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3177  |
+----------------------+                  +          +                   +---------------+                                       +
| libpython2.7-stdlib  |                  |          |                   |               |                                       |
|                      |                  |          |                   |               |                                       |
|                      |                  |          |                   |               |                                       |
+----------------------+                  +          +                   +---------------+                                       +
| python2.7            |                  |          |                   |               |                                       |
|                      |                  |          |                   |               |                                       |
|                      |                  |          |                   |               |                                       |
+----------------------+                  +          +                   +---------------+                                       +
| python2.7-minimal    |                  |          |                   |               |                                       |
|                      |                  |          |                   |               |                                       |
|                      |                  |          |                   |               |                                       |
+----------------------+------------------+----------+-------------------+---------------+---------------------------------------+
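The pipeline gate behind this issue (scan with trivy, act on CRITICAL findings) is worth doing on the JSON report rather than the text table, because the empty FIXED VERSION column above is the whole story: a rebuild on the same Debian release cannot clear those rows. The following is an added example, not code from the issue or from the project; the report it parses is constructed by hand from the findings quoted above, and the field names follow trivy's JSON output (`trivy image --format json ...`).

```python
import json
from collections import Counter

# Constructed sample (not real trivy output): four of the six CRITICAL rows
# from the issue, with FixedVersion empty exactly as in the table. Field names
# follow Trivy's JSON report format (trivy image --format json ...).
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "ai (debian 10.9)", "Type": "debian",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-20231", "PkgName": "libgnutls30",
         "InstalledVersion": "3.6.7-4+deb10u6", "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2021-20232", "PkgName": "libgnutls30",
         "InstalledVersion": "3.6.7-4+deb10u6", "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2021-3177", "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.16-2+deb10u1", "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2021-3177", "PkgName": "python2.7",
         "InstalledVersion": "2.7.16-2+deb10u1", "FixedVersion": "", "Severity": "CRITICAL"},
    ]}]})


def iter_vulns(report):
    """Yield every finding; accepts the older top-level list and the newer
    {"Results": [...]} report shapes."""
    results = report["Results"] if isinstance(report, dict) else report
    for result in results:
        yield from (result.get("Vulnerabilities") or [])


def gate(report_json, fail_on=("CRITICAL",)):
    """Decide whether the build fails, separating fixable from unfixed CVEs.

    A finding with a FixedVersion is cleared by rebuilding on updated packages,
    so it fails the build. One with no FixedVersion cannot be cleared by a
    rebuild on the same distro release (the case in this issue), so it is only
    reported for tracking. trivy's --ignore-unfixed applies the same split.
    """
    report = json.loads(report_json)
    rows = Counter()                 # per-severity row count, like trivy's Total line
    fixable, unfixed = set(), set()
    for v in iter_vulns(report):
        sev = v.get("Severity", "UNKNOWN")
        rows[sev] += 1
        if sev in fail_on:
            (fixable if v.get("FixedVersion") else unfixed).add(v["VulnerabilityID"])
    return {"rows": dict(rows),
            "fixable_cves": sorted(fixable),
            "unfixed_cves": sorted(unfixed - fixable),   # one CVE may span several packages
            "fail": bool(fixable)}
```

Run against the sample, the gate reports three distinct unfixed CVEs behind the six table rows and does not fail the build, which matches what the issue observed: bumping the base image cannot help until Debian ships fixed packages for that release.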
