Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update alpine to fix security vulnerabilities #362

Closed
wants to merge 1 commit into from
Closed

Update alpine to fix security vulnerabilities #362

wants to merge 1 commit into from

Conversation

tunguyen9889
Copy link

@tunguyen9889 tunguyen9889 commented Sep 14, 2023
edited

I have built the test image locally and scanned with Trivy:

➜  alpine git:(update-alpine-image) docker build --platform linux/amd64 -t fluentd:v1.16.2-1.1 .
[+] Building 306.7s (10/10) FINISHED                                                          docker:desktop-linux
 => [internal] load build definition from Dockerfile                                                          0.0s
 => => transferring dockerfile: 1.59kB                                                                        0.0s
 => [internal] load .dockerignore                                                                             0.0s
 => => transferring context: 2B                                                                               0.0s
 => [internal] load metadata for docker.io/library/alpine:3.18                                                1.7s
 => [1/5] FROM docker.io/library/alpine:3.18@sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4  0.0s
 => => resolve docker.io/library/alpine:3.18@sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4  0.0s
 => => sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a 1.64kB / 1.64kB                0.0s
 => => sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33 528B / 528B                    0.0s
 => => sha256:7e01a0d0a1dcd9e539f8e9bbd80106d59efbdf97293b3d38f5d7a34501526cdb 1.47kB / 1.47kB                0.0s
 => [internal] load build context                                                                             0.0s
 => => transferring context: 1.39kB                                                                           0.0s
 => [2/5] RUN apk update  && apk add --no-cache         ca-certificates         ruby ruby-irb ruby-etc rub  304.3s
 => [3/5] RUN addgroup -S fluent && adduser -S -G fluent fluent     && mkdir -p /fluentd/log     && mkdir -p  0.3s
 => [4/5] COPY fluent.conf /fluentd/etc/                                                                      0.0s
 => [5/5] COPY entrypoint.sh /bin/                                                                            0.0s
 => exporting to image                                                                                        0.2s
 => => exporting layers                                                                                       0.2s
 => => writing image sha256:698495ed440aa2a784dc3486295456240edde58bfa5d8ddc4561e740b1a4717f                  0.0s
 => => naming to docker.io/library/fluentd:v1.16.2-1.1                                                        0.0s

What's Next?
  View summary of image vulnerabilities and recommendations → docker scout quickview
➜  alpine git:(update-alpine-image) docker run --platform linux/amd64 --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image --format table --ignore-unfixed --no-progress --exit-code 0 --offline-scan --timeout 15m fluentd:v1.16.2-1.1
2023-09-14T00:32:48.840Z        INFO    Need to update DB
2023-09-14T00:32:48.842Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-09-14T00:32:48.842Z        INFO    Downloading DB...
2023-09-14T00:32:57.696Z        INFO    Vulnerability scanning is enabled
2023-09-14T00:32:57.697Z        INFO    Secret scanning is enabled
2023-09-14T00:32:57.698Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-09-14T00:32:57.698Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-09-14T00:32:59.366Z        INFO    JAR files found
2023-09-14T00:32:59.367Z        INFO    Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2023-09-14T00:32:59.367Z        INFO    Downloading the Java DB...
2023-09-14T00:33:58.826Z        INFO    The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2023-09-14T00:33:58.851Z        INFO    Analyzing JAR files takes a while...
2023-09-14T00:33:58.971Z        INFO    Detected OS: alpine
2023-09-14T00:33:58.971Z        INFO    Detecting Alpine vulnerabilities...
2023-09-14T00:33:58.993Z        INFO    Number of language-specific files: 1
2023-09-14T00:33:58.993Z        INFO    Detecting gemspec vulnerabilities...

fluentd:v1.16.2-1.1 (alpine 3.18.3)
===================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

@tunguyen9889
Update alpine to fix security vulnerabilities
323b61b 
Signed-off-by: James Nguyen <tunguyen9889@users.noreply.github.com>
@tunguyen9889 tunguyen9889 mentioned this pull request Sep 14, 2023
Closed
@ashie
Copy link
Member

ashie commented Sep 20, 2023

Thanks for your report, but we intentionally pinned alpine 3.17 to use Ruby 3.1 in v1.16 series.
Since 3.17 is still maintained, we just need to rebuild the image to use latest alpine 3.17.
The latest version of Alpine is 3.17.5 which includes fixes for CVE-2023-2975, CVE-2023-3446 and CVE-2023-3817:

https://www.alpinelinux.org/posts/Alpine-3.15.10-3.16.7-3.17.5-3.18.3-released.html

I'll rebuild images. Please wait for a while.

@ashie ashie closed this Sep 20, 2023
@tunguyen9889 tunguyen9889 deleted the update-alpine-image branch September 21, 2023 21:58
@sparrowt
Copy link

Interestingly CVE-2022-48174 has only been patched in alpine 3.18 and not 3.17 - for some reason it wasn't listed in the alpine release notes but alpinelinux/aports@9c8b9a4 explains and comparing these 2:
https://github.com/alpinelinux/aports/blob/3.17-stable/main/busybox/APKBUILD doesn't mention the cve
https://github.com/alpinelinux/aports/blob/3.18-stable/main/busybox/APKBUILD listed as fixed
and these 2:
https://pkgs.alpinelinux.org/packages?name=busybox&branch=v3.17&repo=&arch=&maintainer= version 1.35.0-r29 (Nov'22)
https://pkgs.alpinelinux.org/packages?name=busybox&branch=v3.18&repo=&arch=&maintainer= version 1.36.1-r2 (Jul'23)

I guess this is an alpine issue, but it does flag a potential impetus for switching to 3.18

@ashie
Copy link
Member

ashie commented Sep 29, 2023

According to CVE-2022-48174, this vulnerability affects busybox less than 1.35, 1.35 or after aren't affected.

@ashie
Copy link
Member

ashie commented Sep 29, 2023

One more reference: https://security.alpinelinux.org/vuln/CVE-2022-48174

@ashie ashie mentioned this pull request Oct 23, 2023
Closed
@sparrowt
Copy link

Yes, sadly I think that version range is incorrect, as is not unusual on CVEs.

alpinelinux/aports@9c8b9a4 and the linked alpinelinux/aports@5edf635 are when the fix landed in alpine which AFAICS is only in 3.18

https://bugs.busybox.net/show_bug.cgi?id=15216 was reported on 2022-12-28 which is after the 'Build date' of the 1.35-based version which is in alpine 3.17 https://pkgs.alpinelinux.org/packages?name=busybox&branch=v3.17&repo=&arch=&maintainer= so I don't think it's possible for the fix to have been in that build, which fits with the trail in aports.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@tunguyen9889 @ashie @sparrowt