Critical CVEs found when scanning latest image

[MalteHei]

When scanning the latest version of the code-server image, our scanner found two critical CVEs:

• Image: ghcr.io/coder/code-server:4.105.1 (digest: sha256:2d48970bd2084aa34a522d772b6a437981ea80407465b3bf7958553985c570e1)
• Scanner: Trivy v0.58.2
• Critical CVEs:
  • CVE-2023-45853 in version 1:1.2.13.dfsg-1 of package zlib1g
  • CVE-2024-24790 in version v1.20.7 of package stdlib (fixed in versions 1.21.11, 1.22.4)

CVE-2024-24790 seems to be contained in every image flavour, not just debian

Due to our security policy, these CVEs block us from deploying code-server in our environment.
Is there any chance of updating these dependencies? (Or are they false-positives?)

[code-asher]

Hm these are system packages installed in the image? I will redeploy the Docker builds which should update everything.

Not sure why our nightly Trivy scan did not pick up anything 😢

[code-asher]

Oh wait CVE-2024-24790 did come up but it said it was for fixuid, and fixuid makes no network requests. I do not believe there is a new version of fixuid in any case.

CVE-2023-45853 does not seem to have come up before in our scans, but I checked debian:12 and the latest still seems to be zlib1g 1.2.13 so nothing we can update there either. Have not checked the other images yet.

[MalteHei]

Thanks for the quick response! I did some more scanning and came to the following conclusion:

• CVE-2024-24790 is a false-positive because while the affected gobinary, usr/local/bin/fixuid, uses a vulnerable version of go, it does not use any of the vulnerable methods.
• CVE-2023-45853 is an actual vulnerability, but it only applies to the debian flavour of code-server and can be bypassed by using another flavour like ubuntu.

Can you confirm?

[code-asher]

CVE-2024-24790 is a false-positive because while the affected gobinary, usr/local/bin/fixuid, uses a vulnerable version of go, it does not use any of the vulnerable methods.

Yup, exactly.

CVE-2023-45853 is an actual vulnerability, but it only applies to the debian flavour of code-server and can be bypassed by using another flavour like ubuntu.

No, looks like most flavors are affected. I went through them all and these have versions <= 1.3:

• debian:12 (zlib1g 1.2.13)
• ubuntu:focal (zlib1g 1.2.11)
• ubuntu:noble (zlib1g 1.3)
• fedora:39 (zlib 1.2.13)

The opensuse image does not appear to have zlib installed at all, so I suppose it is unaffected? I am not familiar with opensuse though, maybe I am using the package tool incorrectly.

[MalteHei]

No, looks like most flavors are affected.

My scans do not confirm this. Using a newer version of Trivy (0.67.2), I can only find false-positives (#6332) ...

code-server:4.105.1-focal

Command:

$ podman run -it aquasec/trivy:0.67.2 image ghcr.io/coder/code-server:4.105.1-focal -s CRITICAL --scanners=vuln --table-mode=detailed -q

Output:

Node.js (node-pkg)

Total: 4 (CRITICAL: 4)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ code-server (package.json) │ CVE-2023-26114 │ CRITICAL │ fixed  │ 1.105.1           │ 4.10.1        │ code-server vulnerable to Missing Origin Validation in   │
│                            │                │          │        │                   │               │ WebSockets                                               │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-26114               │
├────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ handlebars (package.json)  │ CVE-2019-19919 │          │        │ 1.0.0             │ 4.3.0, 3.0.8  │ nodejs-handlebars: prototype pollution leading to remote │
│                            │                │          │        │                   │               │ code execution via crafted payloads                      │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-19919               │
│                            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23369 │          │        │                   │ 4.7.7         │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with strict:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23369               │
│                            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23383 │          │        │                   │               │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with compat:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23383               │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/fixuid (gobinary)

Total: 1 (CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ v1.20.7           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

code-server:4.105.1-noble

Command:

$ podman run -it aquasec/trivy:0.67.2 image ghcr.io/coder/code-server:4.105.1-noble -s CRITICAL --scanners=vuln --table-mode=detailed -q

Output:

Node.js (node-pkg)

Total: 4 (CRITICAL: 4)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ code-server (package.json) │ CVE-2023-26114 │ CRITICAL │ fixed  │ 1.105.1           │ 4.10.1        │ code-server vulnerable to Missing Origin Validation in   │
│                            │                │          │        │                   │               │ WebSockets                                               │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-26114               │
├────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ handlebars (package.json)  │ CVE-2019-19919 │          │        │ 1.0.0             │ 4.3.0, 3.0.8  │ nodejs-handlebars: prototype pollution leading to remote │
│                            │                │          │        │                   │               │ code execution via crafted payloads                      │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-19919               │
│                            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23369 │          │        │                   │ 4.7.7         │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with strict:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23369               │
│                            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23383 │          │        │                   │               │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with compat:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23383               │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/fixuid (gobinary)

Total: 1 (CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ v1.20.7           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

code-server:4.105.1-fedora

Command:

$ podman run -it aquasec/trivy:0.67.2 image ghcr.io/coder/code-server:4.105.1-fedora -s CRITICAL --scanners=vuln --table-mode=detailed -q

Output:

Node.js (node-pkg)

Total: 4 (CRITICAL: 4)

┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ code-server (package.json) │ CVE-2023-26114 │ CRITICAL │ fixed  │ 1.105.1           │ 4.10.1        │ code-server vulnerable to Missing Origin Validation in   │
│                            │                │          │        │                   │               │ WebSockets                                               │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-26114               │
├────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ handlebars (package.json)  │ CVE-2019-19919 │          │        │ 1.0.0             │ 4.3.0, 3.0.8  │ nodejs-handlebars: prototype pollution leading to remote │
│                            │                │          │        │                   │               │ code execution via crafted payloads                      │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-19919               │
│                            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23369 │          │        │                   │ 4.7.7         │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with strict:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23369               │
│                            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23383 │          │        │                   │               │ nodejs-handlebars: Remote code execution when compiling  │
│                            │                │          │        │                   │               │ untrusted compile templates with compat:true option...   │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-23383               │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/fixuid (gobinary)

Total: 1 (CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ v1.20.7           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

Am I missing something?

[code-asher]

Hmm I am not sure, all I did was run the container and check the package manager for what was installed. One example:

$ docker run --rm -it --entrypoint bash codercom/code-server:4.105.1-focal
$ apt show zlib1g
Package: zlib1g
Version: 1:1.2.11.dfsg-2ubuntu1.5
Status: install ok installed
Priority: required
Section: libs
Source: zlib
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Mark Brown <broonie@debian.org>
Installed-Size: 168 kB
Provides: libz1
Depends: libc6 (>= 2.14)
Conflicts: zlib1 (<= 1:1.0.4-7)
Breaks: libxml2 (<< 2.7.6.dfsg-2), texlive-binaries (<< 2009-12)
Homepage: http://zlib.net/
Download-Size: unknown
APT-Manual-Installed: yes
APT-Sources: /var/lib/dpkg/status
Description: compression library - runtime
 zlib is a library implementing the deflate compression method found
 in gzip and PKZIP.  This package includes the shared library.

[code-asher]

Actually, looking at the CVE more closely, it says MiniZip in zlib and MiniZip is not a supported part of the zlib product so maybe this is something only Debian is including or something. If Trivy says everything is fine, that is probably true.

[code-asher]

Looking through madler/zlib#843 (comment) it seems like zlib being vulnerable in Debian is actually a false positive too.

The source code of that particular version of zlib has a vulnerability, but the vulnerable part isn't in the Debian package. The Debian binary for zlib doesn't contain the vulnerable code.