[bitnami/postgresql-repmgr] security scan flags runc (gosu) 1.1.0 CVE-2022-29162 #29952

Closed
sleep-dragon opened this issue Apr 11, 2023 · 4 comments
Labels: postgresql-repmgr, solved, stale (15 days without activity), tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments

@sleep-dragon

Name and Version

bitnami/postgresql-repmgr:15.2.0-debian-11-r18

What architecture are you using?

amd64

What steps will reproduce the bug?

Trivy scan bitnami/postgresql-repmgr:15.2.0-debian-11-r18

Scanned Image: bitnami/postgresql-repmgr:15.2.0-debian-11-r18
Test Status: Image is non-compliant (failed on CI/CD pipeline)
==============================================================
Total: 2 (CRITICAL: 0, HIGH: 1, MEDIUM: 1, LOW: 0, NEGLIGIBLE: 12, SENSITIVE: 0, MALWARE: 0)

+--------------------------------+----------------+----------+-------------------+---------------+
|            RESOURCE            | VULNERABILITY  | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+--------------------------------+----------------+----------+-------------------+---------------+
| github.com/opencontainers/runc | CVE-2022-29162 | HIGH     | 1.1.0             | 1.1.2         |
+                                +----------------+----------+                   +---------------+
|                                | CVE-2022-24769 | MEDIUM   |                   |               |
+--------------------------------+----------------+----------+-------------------+---------------+

Resource: github.com/opencontainers/runc
File: /opt/bitnami/common/bin/gosu

What is the expected behavior?

How can we fix these vulnerabilities?

What do you see instead?

runc 1.1.0 CVE-2022-29162

Additional information

No response

@sleep-dragon sleep-dragon added the tech-issues The user has a technical issue about an application label Apr 11, 2023
@sleep-dragon sleep-dragon changed the title [bitnami/] security scan flags runc (gosu) 1.1.0 CVE-2022-29162 [bitnami/postgresql-repmgr] security scan flags runc (gosu) 1.1.0 CVE-2022-29162 Apr 11, 2023
@bitnami-bot bitnami-bot added this to Triage in Support Apr 11, 2023
@github-actions github-actions bot added the triage Triage is needed label Apr 11, 2023
@carrodher (Member)

Hi, unfortunately, those security vulnerabilities are not fixed by the OS or the application itself, so although we build the images on a regular basis to provide the latest version of system packages, this kind of CVE will be reported while there is no new version patching the issue in the OS or the application. Here you can find more info about this topic.

The Bitnami Application Catalog (OpenSource) is based on Debian 11 but Bitnami, as part of VMware, provides a custom container and Helm Charts catalog based on the desired base image (generic distro such as Debian 10 & 11, CentOS 7, PhotonOS 3 & 4, Ubuntu 18.04, 20.04 & 22.04, RedHat UBI 8 & 9, or custom golden image) through the VMware Tanzu Application Catalog.

In this case, the one you are reporting is related to gosu. We are already including the latest version of Gosu which bundles runc 1.1.0, see https://github.com/tianon/gosu/releases/tag/1.16. You can ask Gosu maintainers to bump the runc version.

However, according to this issue, CVE-2022-29162 doesn't affect gosu, and that's the reason why they are not bumping the runc version. In the mentioned issue you can find a detailed explanation of this topic.
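The comment above draws a distinction the scanner table does not: the runc finding is not a Debian package at all, it is a Go module statically linked into one file (`/opt/bitnami/common/bin/gosu`), so neither `apt upgrade` nor a Bitnami rebuild can clear it; only a new gosu release (or removing the binary) can. The script below is an added example, not Bitnami's or Trivy's code, that triages a `trivy image -f json` report along exactly that line: it applies the same "drop findings without a FixedVersion" rule as `--ignore-unfixed`, splits what remains into OS-package findings versus findings inside Go binaries, and names the files that carry them. The report is a constructed stand-in shaped like Trivy's JSON output; only the fields it reads (`Results[].Target`, `Class`, `Type`, `Vulnerabilities[]`) are assumed, and the unfixed LOW entry is a made-up placeholder added to exercise the filter.

```python
"""Triage a Trivy JSON report by who can actually remediate each finding.

Added example (not Bitnami's or Trivy's own code). The sample report is
constructed to mirror the gosu/runc findings discussed in the issue.
"""
import json

# Constructed stand-in for `trivy image -f json bitnami/postgresql-repmgr:15.2.0-debian-11-r18`.
# The entry marked CONSTRUCTED-UNFIXED-1 is not a real advisory; it only exercises
# the --ignore-unfixed style filtering below.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "bitnami/postgresql-repmgr:15.2.0-debian-11-r18",
    "Results": [
        {"Target": "bitnami/postgresql-repmgr:15.2.0-debian-11-r18 (debian 11.6)",
         "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": []},
        {"Target": "opt/bitnami/common/bin/gosu",
         "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-29162", "PkgName": "github.com/opencontainers/runc",
              "InstalledVersion": "v1.1.0", "FixedVersion": "v1.1.2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2023-27561", "PkgName": "github.com/opencontainers/runc",
              "InstalledVersion": "v1.1.0", "FixedVersion": "v1.1.5", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2022-24769", "PkgName": "github.com/opencontainers/runc",
              "InstalledVersion": "v1.1.0", "FixedVersion": "v1.1.2", "Severity": "MEDIUM"},
             {"VulnerabilityID": "CONSTRUCTED-UNFIXED-1", "PkgName": "example.invalid/module",
              "InstalledVersion": "v0.1.0", "FixedVersion": "", "Severity": "LOW"},
         ]},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def triage(report_json, ignore_unfixed=True, min_severity="LOW"):
    """Flatten a Trivy report into finding dicts, keeping the scan target's
    Class/Type so we know whether the package is an OS package or a module
    vendored into a binary. ignore_unfixed mirrors `trivy --ignore-unfixed`."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key may be absent or null
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            severity = v.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": severity,
                "target": result.get("Target", ""),
                "class": result.get("Class", ""),
                "type": result.get("Type", ""),
            })
    return findings


def group_by_remediation(findings):
    """OS-package findings wait for a distro security update; findings inside a
    Go binary need that binary's upstream to rebuild against a patched module,
    or the binary to be dropped from the image. Nothing the image build itself
    does with apt touches the second group."""
    groups = {"os-package": [], "vendored-go-module": [], "other": []}
    for f in findings:
        if f["class"] == "os-pkgs":
            groups["os-package"].append(f)
        elif f["type"] == "gobinary":
            groups["vendored-go-module"].append(f)
        else:
            groups["other"].append(f)
    return groups


def binaries_with_findings(findings):
    """Paths (relative to the image root) of binaries that carry vendored findings."""
    return sorted({f["target"] for f in findings if f["type"] == "gobinary"})


if __name__ == "__main__":
    kept = triage(SAMPLE_REPORT)
    groups = group_by_remediation(kept)
    for name, items in groups.items():
        print(f"{name}: {len(items)}")
        for f in items:
            print(f"  {f['id']:<16} {f['severity']:<8} {f['pkg']} {f['installed']} -> {f['fixed']}  [{f['target']}]")
    print("binaries to rebuild or remove:", binaries_with_findings(kept))
```

Run it against a real report with `trivy image -f json -o report.json <image>` and `json.load(open("report.json"))` in place of `SAMPLE_REPORT`; the "vendored-go-module" bucket is the list to raise with the binary's upstream rather than with the image maintainer.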

@github-actions github-actions bot moved this from Triage to Pending in Support Apr 11, 2023
@github-actions

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Apr 27, 2023
@github-actions

github-actions bot commented May 3, 2023

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

@github-actions github-actions bot added the solved label May 3, 2023
@bitnami-bot bitnami-bot closed this as not planned Won't fix, can't repro, duplicate, stale May 3, 2023
@bitnami-bot bitnami-bot moved this from Pending to Solved in Support May 3, 2023
@carrodher (Member)

Hi, we are glad to announce that we got rid of gosu in all Bitnami container images, so the false positives previously reported by some CVE scanners will not appear anymore:

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r22

bitnami/postgresql:15.2.0-debian-11-r22 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

opt/bitnami/common/bin/gosu (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2022-29162 │ HIGH     │ v1.1.0            │ v1.1.2        │ runc: incorrect handling of inheritable capabilities       │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29162                 │
│                                ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-27561 │          │                   │ v1.1.5        │ runc: volume mount race condition (regression of           │
│                                │                │          │                   │               │ CVE-2019-19921)                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561                 │
│                                ├────────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-24769 │ MEDIUM   │                   │ v1.1.2        │ moby: Default inheritable capabilities for linux container │
│                                │                │          │                   │               │ should be empty                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24769                 │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

VS

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r23

bitnami/postgresql:15.2.0-debian-11-r23 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

From now on, gosu functionality has been replaced by chroot. In this PR you can find an example of this implementation.
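What the swap above amounts to, as an added example that is neither gosu's nor Bitnami's code: gosu is a small setuid+setgid+setgroups+exec wrapper that switches the user inside the same process and then execs the command; it never starts a container, which is why the runc module it vendors for user lookup is flagged by scanners without the container-exec CVE being reachable. The same privilege drop can be done with coreutils `chroot --userspec=USER:GROUP /`, which leaves no Go binary in the image for a scanner to inspect. The script resolves a `user[:group]` spec the way both tools accept it (names or numeric ids), performs the drop in the correct order, and also builds the equivalent `chroot` argv. The `--via-chroot` flag, the function names and the exact `chroot --userspec=... /` invocation are assumptions for illustration; that gosu treats an explicit group as the sole supplementary group is also an assumption here.

```python
"""A gosu-style privilege drop, and the chroot --userspec form that replaces it.

Added example (not gosu's or Bitnami's code). Run as root to actually switch
users; the resolution and argv-building helpers work unprivileged.
"""
import grp
import os
import pwd
import sys


def resolve_userspec(spec):
    """Resolve 'user[:group]' to (uid, gid, supplementary_gids).

    Names are looked up in passwd/group; numeric values are taken as-is, the
    same convention gosu and `chroot --userspec` use. Raises KeyError for an
    unknown name."""
    user, _, group = spec.partition(":")
    if user.isdigit():
        uid = int(user)
        try:
            pw = pwd.getpwuid(uid)
        except KeyError:
            pw = None                       # numeric uid with no passwd entry
    else:
        pw = pwd.getpwnam(user)
        uid = pw.pw_uid

    if group:
        gid = int(group) if group.isdigit() else grp.getgrnam(group).gr_gid
        extra = [gid]                       # explicit group only (assumed gosu behaviour)
    elif pw is not None:
        gid = pw.pw_gid
        member_of = {g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem}
        extra = sorted(member_of | {gid})   # primary plus supplementary groups
    else:
        gid = uid                           # no passwd entry: mirror the uid
        extra = [gid]
    return uid, gid, extra


def drop_privileges_and_exec(spec, argv):
    """setgroups -> setgid -> setuid -> exec, in that order: once setuid has
    run we can no longer change groups, so groups go first."""
    uid, gid, groups = resolve_userspec(spec)
    os.setgroups(groups)
    os.setgid(gid)
    os.setuid(uid)
    os.execvp(argv[0], argv)                # replaces this process; no return


def chroot_userspec_argv(spec, argv, root="/"):
    """Equivalent coreutils invocation: chroot into '/' (a no-op chroot) purely
    to use --userspec for the uid/gid switch, then exec argv. Assumed form."""
    return ["chroot", "--userspec=" + spec, root, *argv]


if __name__ == "__main__":
    # usage: drop_privs.py [--via-chroot] user[:group] command [args...]
    args = sys.argv[1:]
    via_chroot = bool(args) and args[0] == "--via-chroot"
    if via_chroot:
        args = args[1:]
    if len(args) < 2:
        sys.exit("usage: drop_privs.py [--via-chroot] user[:group] command [args...]")
    if via_chroot:
        cmd = chroot_userspec_argv(args[0], args[1:])
        os.execvp(cmd[0], cmd)
    drop_privileges_and_exec(args[0], args[1:])
```

In an entrypoint the two forms are interchangeable: `gosu 1001:1001 postgres -D /data` and `chroot --userspec=1001:1001 / postgres -D /data` both end with `postgres` running as uid 1001 with no extra capabilities; only the second leaves nothing for a Go-binary scanner to report.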

@github-actions github-actions bot moved this from Solved to Pending in Support May 3, 2023
@carrodher carrodher moved this from Pending to Solved in Support May 3, 2023
@github-actions github-actions bot removed this from Solved in Support May 8, 2023