Vulnerability on mcr.microsoft.com/dotnet/aspnet:6.0 image (Digest:sha256:894c9f49ae9a72b64e61ef6071a33b6b616d0cf48ef25c83c4cf26d185f37565) #54283

@DillionVVV

Description

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

While doing the VA scan, we detected the below vulnerability:

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

We are using the mcr.microsoft.com/dotnet/aspnet:6.0 image (Digest:sha256:894c9f49ae9a72b64e61ef6071a33b6b616d0cf48ef25c83c4cf26d185f37565) as the MBS base pod image.

Expected Behavior

It should scan without any vulnerability.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

ASP.NET Core 6.0

Anything else?

No response

Metadata

Labels

area-networking: Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
