
Cadence Server Image Contains Vulnerable Packages (CVE-2022-0778) #4803

Closed
WToma opened this issue Apr 25, 2022 · 4 comments · Fixed by #4804

Comments

@WToma
Contributor

WToma commented Apr 25, 2022

Version of Cadence server, and client(which language)
This is very important to root cause bugs.

  • Server version: master branch
  • Client version: N/A
  • Client language: N/A

Describe the bug
Automated vulnerability scanner reports vulnerable OS package OpenSSL 1.1.1l, coming from Alpine-3.11. Vulnerability: https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0778. Fixed in 1.1.1n, which is included in Alpine-3.15.

To Reproduce
N/A

Steps to reproduce the behavior:
N/A

Expected behavior
N/A

Screenshots
N/A

Additional context
N/A
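As an added check that is not part of the issue or the Cadence code base: a small script that parses `apk list --installed` style output from an image and flags the OpenSSL packages still below the 1.1.1n fix version named above. The sample listing is constructed to mimic an alpine:3.11 image, and the version comparator is a simplified approximation of apk's ordering rather than apk's own code.

```python
"""Flag Alpine packages still below the version that fixes a CVE.

Added example, not Cadence project code. Fix version 1.1.1n for
CVE-2022-0778 comes from the issue; the comparator is a simplified
apk version ordering (assumption), not apk's own implementation.
"""
import re

# Constructed sample of `apk list --installed` lines from an alpine:3.11 image.
SAMPLE_APK_LIST = """\
libcrypto1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
libssl1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
ncurses-libs-6.1_p20200118-r4 x86_64 {ncurses} (MIT) [installed]
musl-1.1.24-r3 x86_64 {musl} (MIT) [installed]
"""

# Package -> (CVE, first package version carrying the fix).
FIXED_IN = {
    "libssl1.1": ("CVE-2022-0778", "1.1.1n-r0"),
    "libcrypto1.1": ("CVE-2022-0778", "1.1.1n-r0"),
}

def parse_apk_list(text):
    """Yield (name, version) from `apk list --installed` style lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg = line.split()[0]  # e.g. libssl1.1-1.1.1l-r0
        # apk splits name and version at the first '-' followed by a digit.
        m = re.match(r"^(.+?)-(\d.*)$", pkg)
        if m:
            yield m.group(1), m.group(2)

def version_key(version):
    """Simplified apk ordering: numeric runs as ints, a letter suffix sorts
    after the bare number ('1.1.1' < '1.1.1l' < '1.1.1n'), then the
    '_p' patch date and '-r' release number as trailing integers."""
    base, _, rel = version.partition("-r")
    main, _, patch = base.partition("_p")
    parts = [(1, int(t)) if t.isdigit() else (0, t)
             for t in re.findall(r"\d+|[a-z]+", main)]
    return (parts, int(patch or 0), int(rel or 0))

def vulnerable_packages(apk_text, fixed_in=FIXED_IN):
    """Return [(name, installed, cve, fixed)] for packages below the fix."""
    hits = []
    for name, installed in parse_apk_list(apk_text):
        if name in fixed_in:
            cve, fixed = fixed_in[name]
            if version_key(installed) < version_key(fixed):
                hits.append((name, installed, cve, fixed))
    return hits
```

Feed it real output with `docker run --rm <image> apk list --installed` and extend FIXED_IN with other package/fix pairs from your scanner report.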

@WToma
Contributor Author

WToma commented Apr 25, 2022

#4804

@sonpham96
Contributor

Hi, PR #4804 might help fix CVE-2022-29458 and CVE-2021-39537 caused by ncurses 6.1_p20200118-r4 in Alpine Linux 3.11. There had been an attempt to fix it before (#4689) and it was released in Cadence Server v0.24.0. However, it looks like our vulnerability scanner (Twistlock) still picks it up. These CVEs are scored High and we need to resolve them as soon as possible to comply with our client's standards. Could this be released in the next release?

@vytautas-karpavicius
Contributor

Hi, yes #4804 will be picked up in the next release.

@sonpham96
Contributor

Hi, yes #4804 will be picked up in the next release.

Great! Thanks a lot for this! I have been able to build the Cadence server image locally (on tag v0.24.0, but not much success for master though). Then I ran the Twistlock scan and I can confirm that bumping alpine to alpine:3.15 is going to fix the following list of CVEs:
