Resolve Vulnerabilities in University Image

[codyharris-h2o-ai]

Hello!
As part of our ongoing to ensure the security of our products, one or more vulnerabilties requiring redmediation have been identified.

The following vulnerabilities were scanned and found by using ECR. ECR scans are used in conjunction with Prisma scans to ensure we meet a high standard for software security.
We have suggestions on tooling to help improve the remediation process, following the vulnerability table below.
Note that we disregard the severity levels assigned by various tools and operate soley on CVSS to severity mapping in line with NIST guidelines.

Vulnerability	Severity	Image	Package	Description
CVE-2021-30473	critical	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	aom:1.0.0.errata1	aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.
CVE-2021-30474	critical	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	aom:1.0.0.errata1	aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free.
CVE-2021-30475	critical	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	aom:1.0.0.errata1	aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buffer overflow.
CVE-2022-1253	critical	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libde265:1.0.8	Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to and including 1.0.8. The fix is established in comm[...]
CVE-2022-24963	critical	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	apr:1.7.0	Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to writ[...]
CVE-2023-38408	critical	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	openssh:8.4p1	The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code e[...]
CVE-2023-38545	critical	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	curl:7.74.0	This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name[...]
CVE-2020-21598	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libde265:1.0.8	libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unweighted_pred_8_sse function, which can be exploited via a [...]
CVE-2020-22218	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libssh2:1.9.0	An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out of bounds memory.
CVE-2020-22219	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	flac:1.3.3	Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via[...]
CVE-2020-29652	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	golang.org/x/crypto:v0.0.0-20201012173705-84dcc777aaee	A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remo[...]
CVE-2020-36131	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	aom:1.0.0.errata1	AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c.
CVE-2020-36133	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	aom:1.0.0.errata1	AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h.
CVE-2021-20309	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	imagemagick:6.9.11.60+dfsg	A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCo[...]
CVE-2021-33194	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	golang.org/x/net:v0.0.0-20200822124328-c89045814202	golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via cra[...]
CVE-2021-33631	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	linux:5.10.162	Integer Overflow or Wraparound vulnerability in openEuler kernel on Linux (filesystem modules) allows Forced Integer Overflow.Th[...]
CVE-2021-3610	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	imagemagick:6.9.11.60+dfsg	A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/[...]
CVE-2021-36409	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libde265:1.0.8	There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file, which a[...]
CVE-2021-4204	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	linux:5.10.162	An out-of-bounds (OOB) memory access flaw was found in the Linux kernel's eBPF due to an Improper Input Validation. This flaw al[...]
CVE-2021-43565	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	golang.org/x/crypto:v0.0.0-20201012173705-84dcc777aaee	The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH serv[...]
CVE-2022-1114	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	imagemagick:6.9.11.60+dfsg	A heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInfo() function of dcm.c file. This vulnerability is triggere[...]
CVE-2022-27191	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	golang.org/x/crypto:v0.0.0-20201012173705-84dcc777aaee	The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in cert[...]
CVE-2022-27664	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	golang.org/x/net:v0.0.0-20200822124328-c89045814202	In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection c[...]
CVE-2022-28463	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	imagemagick:6.9.11.60+dfsg	ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.
CVE-2022-29458	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	ncurses:6.2+20201114	ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c [...]
CVE-2022-3109	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	ffmpeg:4.3.5	An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_[...]
CVE-2022-32545	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	imagemagick:6.9.11.60+dfsg	A vulnerability was found in ImageMagick, causing an outside the range of representable values of type 'unsigned char' at coders[...]
CVE-2022-32546	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	imagemagick:6.9.11.60+dfsg	A vulnerability was found in ImageMagick, causing an outside the range of representable values of type 'unsigned long' at coders[...]
CVE-2022-32547	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	imagemagick:6.9.11.60+dfsg	In ImageMagick, there is load of misaligned address for type 'double', which requires 8 byte alignment and for type 'float', whi[...]
CVE-2022-41723	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	golang.org/x/net:v0.0.0-20200822124328-c89045814202	A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of [...]
CVE-2022-4379	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	linux:5.10.162	A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an att[...]
CVE-2022-44617	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libxpm:3.5.12	A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called[...]
CVE-2022-46285	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libxpm:3.5.12	A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not [...]
CVE-2022-47655	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libde265:1.0.8	Libde265 1.0.9 is vulnerable to Buffer Overflow in function void put_qpel_fallback
CVE-2022-47664	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libde265:1.0.8	Libde265 1.0.9 is vulnerable to Buffer Overflow in ff_hevc_put_hevc_qpel_pixels_8_sse
CVE-2022-47665	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libde265:1.0.8	Libde265 1.0.9 has a heap buffer overflow vulnerability in de265_image::set_SliceAddrRS(int, int, int)
CVE-2022-4883	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libxpm:3.5.12	A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and[...]
CVE-2023-0045	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	linux:5.10.162	The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set  functi[...]
CVE-2023-0361	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	gnutls28:3.7.1	A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be suffi[...]
CVE-2023-0464	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	openssl:1.1.1n	A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certific[...]
CVE-2023-1380	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	linux:5.10.162	A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c[...]
CVE-2023-1999	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libwebp:0.6.1	There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through[...]
CVE-2023-2156	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	linux:5.10.162	A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results fro[...]
CVE-2023-21930	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	openjdk-11:11.0.18+10	Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported v[...]
CVE-2023-23946	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	git:2.30.2	Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7[...]
CVE-2023-2454	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	postgresql-13:13.9	schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an au[...]
CVE-2023-25434	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	tiff:4.2.0	libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c:3215.
CVE-2023-27103	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libde265:1.0.8	Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc[...]
CVE-2023-27534	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	curl:7.74.0	A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced w[...]
CVE-2023-29499	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	glib2.0:2.66.8	A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to [...]
CVE-2023-3138	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libx11:1.7.2	A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that[...]
CVE-2023-34241	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	cups:2.3.3op2	OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in[...]
CVE-2023-3567	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	linux:5.10.162	A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow[...]
CVE-2023-39197	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	linux:5.10.162	An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows[...]
CVE-2023-39325	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	golang.org/x/net:v0.7.0 v0.0.0-20200822124328-c89045814202	A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consump[...]
CVE-2023-39417	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	postgresql-13:13.9	IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema[...]
CVE-2023-43787	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libx11:1.7.2	A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user[...]
CVE-2023-43887	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libde265:1.0.8	Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameters in the[...]
CVE-2023-44487	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	golang.org/x/net google.golang.org/grpc nghttp2:v0.0.0-20200822124328-c89045814202 v1.49.0 v0.7.0 1.43.0	The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams[...]
CVE-2023-44488	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libvpx:1.9.0	VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.
CVE-2023-47038	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	perl:5.32.1	A vulnerability was found in perl. This issue occurs when a crafted regular expression is compiled by perl, which can allow an a[...]
CVE-2023-4863	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libwebp:0.6.1	Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform [...]
CVE-2023-4911	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	glibc:2.31	A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment var[...]
CVE-2023-49465	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libde265:1.0.8	Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction fun[...]
CVE-2023-49467	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libde265:1.0.8	Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_cand[...]
CVE-2023-49468	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libde265:1.0.8	Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.
CVE-2023-5217	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	libvpx:1.9.0	Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attac[...]
CVE-2023-52425	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	expat:2.2.10	libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case o[...]
CVE-2023-5869	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	postgresql-13:13.9	A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow check[...]
CVE-2024-0553	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	gnutls28:3.7.1	A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the re[...]
CVE-2024-0565	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	linux:5.10.162	An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-compo[...]
grep: (standard input): binary file matches
CVE-2024-0567	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	gnutls28:3.7.1	A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. Thi[...]
CVE-2024-0743	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	nss:3.61	An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Fi[...]
CVE-2024-0775	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	linux:5.10.162	A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local u[...]
CVE-2024-0985	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	postgresql-13:13.9	Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL fu[...]
CVE-2024-20918	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	openjdk-11:11.0.18+10	Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (compon[...]
CVE-2024-20952	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	openjdk-11:11.0.18+10	Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (compon[...]
CVE-2024-24762	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	starlette:0.32.0.post1	python-multipart is a streaming multipart parser for Python. When using form data, python-multipart uses a Regular Expressio[...]
GHSA-m425-mq94-257g	high	524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0	google.golang.org/grpc:v1.49.0	### Impact In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subseq[...]

To resolve this, we recommend the following approach:

1. Install trivy (https://aquasecurity.github.io/trivy)
2. Scan the current version of the image using a command like trivy image --scanners vuln --severity CRITICAL,HIGH --timeout 60m [...image address...]
3. Validate that the CVEs are detected using trivy. The provided scans were taken using a different scanner (ECR), so the first step should be to validate that trivy can see them as well.
4. Iterate to resolve the vulnerabilities. trivy enables you to scan the image without pushing them, so it should help in finding the resolution
5. Test and publish the fix version, and let us know where we can find the fixed image(s) so we can validate the fixes on our side as well.

[mturoci]

@codyharris-h2o-ai most of these CVEs seem to come from base docker image (OS-level deps). Go CVEs will be addressed in #2294.

As for GHSA-2jv5-9r88-3w3p, Wave only forces minimum Starlette version meaning the latest (patched) one should be installable already.

[mturoci]

Closed by #2302.