Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code #1929

Closed
mikailyetkin opened this issue Dec 15, 2022 · 7 comments
@mikailyetkin

Busybox versions earlier than 1.35.0 have the CVE-2022-28391 vulnerability. This has been fixed in alpine 3.16. I tried to upgrade oauth2-proxy to v7.4.0 to get rid of this CVE, but our scanner tool was still reporting that CVE. As per the Dockerfile of v7.4.0, I can see the base image is set as alpine:3.16. However, when I run the docker container for oauth2-proxy:v7.4.0 and check the os-release, I see it is set to 3.15.16. To my understanding it should be using alpine:3.16. Is there anything I am missing, or is this a bug?

Expected Behavior

The alpine image used in v7.4.0 should be 3.16

Current Behavior

The alpine image used in v7.4.0 is 3.15.16

Steps to Reproduce (for bugs)

  1. Run docker container with command docker run --rm -it quay.io/oauth2-proxy/oauth2-proxy:v7.4.0 --client-secret=1111111111111111 --cookie-secret=1111111111111111 --client-id=gatekeeper --email-domain=xxxx.com
  2. Open another window to start a new bash terminal on the running docker container (docker exec -u 0 -it running_container_id /bin/sh ),
  3. Then check the release info of the container via cat /etc/os-release

Context

Trying to get rid of busybox CVEs which are present on alpine version 3.15. If we make sure oauth2-proxy:v7.4.0 is running on alpine 3.16, then the CVEs will disappear from the vulnerability scan reports.

  • Version used: v7.4.0
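Added example, not part of this issue or of oauth2-proxy's own tooling: the reproduction steps above amount to "trust the image, not the Dockerfile", so here is that check as a POSIX sh script that reads an image's /etc/os-release and fails unless it reports the expected Alpine release. The helper names (alpine_release, check_release, image_os_release) are mine; the os-release sample is constructed to match the 3.15.6 that the scan later in this thread reports; and fetching the file with `docker run --entrypoint /bin/sh` instead of starting the proxy and exec-ing into it is my assumption about the simplest way to get at the file.

```shell
#!/bin/sh
# Added example, not oauth2-proxy project code: check which Alpine release an
# image really ships instead of trusting the Dockerfile that built it.
set -eu

# Print major.minor from an os-release file. Alpine writes VERSION_ID=3.15.6
# unquoted; other distributions quote the value, so quotes are stripped too.
alpine_release() {
  sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"' | cut -d. -f1,2
}

# Return 0 when the file reports the expected release, 1 otherwise.
check_release() {
  actual=$(alpine_release "$1")
  if [ "$actual" = "$2" ]; then
    echo "OK: image ships alpine $actual"
    return 0
  fi
  echo "MISMATCH: expected alpine $2, image ships alpine ${actual:-unknown}" >&2
  return 1
}

# Fetch /etc/os-release from an image. The oauth2-proxy image's entrypoint is
# the proxy binary, so the entrypoint is overridden rather than starting the
# proxy and exec-ing into it as the issue does. Needs docker; not run here.
image_os_release() {
  docker run --rm --entrypoint /bin/sh "$1" -c 'cat /etc/os-release'
}

# Constructed sample standing in for the output of
#   image_os_release quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
# with the release that the trivy scan in this thread reports (3.15.6).
sample=$(mktemp)
cat > "$sample" <<'EOF'
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.15.6
PRETTY_NAME="Alpine Linux v3.15"
HOME_URL="https://alpinelinux.org/"
EOF

# The Dockerfile says 3.16, so the sample fails the check.
check_release "$sample" 3.16 || echo "(this is the mismatch the issue reports)"
```

In CI the two real pieces go together: `image_os_release "$IMAGE" > os-release.txt` followed by `check_release os-release.txt 3.16`, run against the image that was actually pushed rather than one rebuilt locally, since a local rebuild is exactly what hid the problem here.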
@JoelSpeed
Member

Not a clue why it's built with the wrong image; everything in the dockerfile is and was correct at the time the release was published, so this is very, very odd. Have you tried rebuilding the images yourself to see if you get the same result?

@mikailyetkin
Author

Not a clue why it's built with the wrong image; everything in the dockerfile is and was correct at the time the release was published, so this is very, very odd. Have you tried rebuilding the images yourself to see if you get the same result?

Yes, I have built the image and it's using alpine@3.16 and the CVE is fixed there. So I have published it to our local repository and am currently using it from there until the new official version is released.

@miguelborges99
Contributor

In the makefile it is still alpine 3.15; could this have some influence?

DOCKER_BUILD_RUNTIME_IMAGE ?= alpine:3.15
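Added example, not oauth2-proxy project code: the root cause found above is two sources of truth for the runtime base image, the Dockerfile and a Makefile variable that overrides it at build time. This POSIX sh script extracts both pins and fails when they disagree, so a release pipeline cannot ship the stale one again. The helper names (dockerfile_runtime_image, makefile_runtime_image, check_pins) are mine, the sample Dockerfile and Makefiles are constructed, and the `ARG RUNTIME_IMAGE=... / FROM ${RUNTIME_IMAGE}` layout is my assumption about how a Makefile-overridable base image is usually wired; the DOCKER_BUILD_RUNTIME_IMAGE line itself is the one quoted in this thread.

```shell
#!/bin/sh
# Added example, not oauth2-proxy project code: refuse to release when the
# runtime image pinned in the Dockerfile and the one the Makefile injects at
# build time disagree, which is the mismatch found in this issue.
set -eu

# Runtime base of a (possibly multi-stage) Dockerfile: the last FROM wins.
# Flags such as --platform are skipped, and a FROM that names an ARG
# (FROM ${RUNTIME_IMAGE}) is resolved to that ARG's default value. This
# ARG/FROM layout is an assumption about how such Dockerfiles are written.
dockerfile_runtime_image() {
  awk '
    $1 == "ARG" { n = index($2, "="); if (n) arg[substr($2, 1, n - 1)] = substr($2, n + 1) }
    $1 == "FROM" { for (i = 2; i <= NF; i++) if ($i !~ /^--/) { img = $i; break } }
    END {
      if (substr(img, 1, 1) == "$") { name = img; gsub(/[${}]/, "", name); img = arg[name] }
      print img
    }' "$1"
}

# Value of DOCKER_BUILD_RUNTIME_IMAGE in a Makefile (?=, := or = assignment).
makefile_runtime_image() {
  sed -n 's/^DOCKER_BUILD_RUNTIME_IMAGE[[:space:]]*[?:]*=[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*$//'
}

# Return 0 when both pins agree (or the Makefile sets none), 1 on a mismatch.
check_pins() {
  df=$(dockerfile_runtime_image "$1")
  mk=$(makefile_runtime_image "$2")
  if [ -n "$mk" ] && [ "$df" != "$mk" ]; then
    echo "MISMATCH: Dockerfile builds FROM $df but Makefile overrides it with $mk" >&2
    return 1
  fi
  echo "OK: runtime image $df"
}

# Constructed inputs modelled on what the thread describes: the Dockerfile
# already says 3.16, the Makefile default still says 3.15.
dockerfile=$(mktemp)
cat > "$dockerfile" <<'EOF'
ARG RUNTIME_IMAGE=alpine:3.16
FROM --platform=${BUILDPLATFORM} golang:1.19-alpine AS builder
RUN make build
FROM ${RUNTIME_IMAGE}
COPY --from=builder /go/src/app/oauth2-proxy /bin/oauth2-proxy
EOF

makefile_stale=$(mktemp)
printf 'DOCKER_BUILD_RUNTIME_IMAGE ?= alpine:3.15\n' > "$makefile_stale"

makefile_fixed=$(mktemp)
printf 'DOCKER_BUILD_RUNTIME_IMAGE ?= alpine:3.16\n' > "$makefile_fixed"

check_pins "$dockerfile" "$makefile_stale" || echo "(release build would use the stale pin)"
check_pins "$dockerfile" "$makefile_fixed"
```

The longer-term fix is to have only one pin: let the Makefile read the default out of the Dockerfile's ARG line, or drop the Makefile override entirely, so there is nothing left to drift.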

@JoelSpeed
Member

Damn yes, @miguelborges99 that's exactly the issue, we need to get that updated as well

@whiskeysierra

whiskeysierra commented Feb 9, 2023

Any chance this upgrade can also include updates to some CVEs that have fixed versions available?

trivy image --ignore-unfixed --scanners vuln quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
2023-02-10T00:33:23.589+0100	INFO	Vulnerability scanning is enabled
2023-02-10T00:33:25.760+0100	INFO	Detected OS: alpine
2023-02-10T00:33:25.760+0100	INFO	Detecting Alpine vulnerabilities...
2023-02-10T00:33:25.761+0100	INFO	Number of language-specific files: 1
2023-02-10T00:33:25.761+0100	INFO	Detecting gobinary vulnerabilities...

quay.io/oauth2-proxy/oauth2-proxy:v7.4.0 (alpine 3.15.6)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)

┌──────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├──────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2023-0286 │ HIGH     │ 1.1.1q-r0         │ 1.1.1t-r0     │ There is a type confusion vulnerability relating to X.400  │
│              │               │          │                   │               │ address proc ......                                        │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
│              ├───────────────┼──────────┤                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4304 │ MEDIUM   │                   │               │ A timing based side channel exists in the OpenSSL RSA      │
│              │               │          │                   │               │ Decryption imple...                                        │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4304                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4450 │          │                   │               │ The function PEM_read_bio_ex() reads a PEM file from a BIO │
│              │               │          │                   │               │ and parses...                                              │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215 │          │                   │               │ The public API function BIO_new_NDEF is a helper function  │
│              │               │          │                   │               │ used for str...                                            │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
├──────────────┼───────────────┼──────────┤                   │               ├────────────────────────────────────────────────────────────┤
│ libssl1.1    │ CVE-2023-0286 │ HIGH     │                   │               │ There is a type confusion vulnerability relating to X.400  │
│              │               │          │                   │               │ address proc ......                                        │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
│              ├───────────────┼──────────┤                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4304 │ MEDIUM   │                   │               │ A timing based side channel exists in the OpenSSL RSA      │
│              │               │          │                   │               │ Decryption imple...                                        │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4304                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4450 │          │                   │               │ The function PEM_read_bio_ex() reads a PEM file from a BIO │
│              │               │          │                   │               │ and parses...                                              │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215 │          │                   │               │ The public API function BIO_new_NDEF is a helper function  │
│              │               │          │                   │               │ used for str...                                            │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
└──────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

bin/oauth2-proxy (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬───────────────────┬─────────────────────────────────────┬──────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Installed Version │            Fixed Version            │                          Title                           │
├──────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-41721 │ HIGH     │ v0.1.0            │ 0.1.1-0.20221104162952-702349b0e862 │ A request smuggling attack is possible when using        │
│                  │                │          │                   │                                     │ MaxBytesHandler. Whe ...                                 │
│                  │                │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-41721               │
│                  ├────────────────┼──────────┤                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│                  │ CVE-2022-41717 │ MEDIUM   │                   │ 0.4.0                               │ golang: net/http: An attacker can cause excessive memory │
│                  │                │          │                   │                                     │ growth in a Go...                                        │
│                  │                │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-41717               │
└──────────────────┴────────────────┴──────────┴───────────────────┴─────────────────────────────────────┴──────────────────────────────────────────────────────────┘

See also alpinelinux/docker-alpine#301

@JoelSpeed
Member

#2013 just merged, which I believe should resolve the vulnerabilities, but we should make sure the fixed CVEs are noted in the changelog as part of the release.

@github-actions
Contributor

github-actions bot commented May 5, 2023

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

@github-actions github-actions bot added the Stale label May 5, 2023
@github-actions github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) May 13, 2023