oracle / container-images

Oracle Linux container images

Can we apply the fixes for ELSA-2021-9528 and update the docker images?

jason-zg opened this issue · comments

commented

✗ High severity vulnerability found in openssl-libs
Description: ELSA-2021-9528
Info: https://snyk.io/vuln/SNYK-ORACLE7-OPENSSLLIBS-1769087
Introduced through: openssl-libs@1:1.0.2k-22.el7_9
From: openssl-libs@1:1.0.2k-22.el7_9
Fixed in: 10:1.0.2k-22.el7_9_fips

The fix was released for Oracle Linux 7 on October 29, 2021.
https://linux.oracle.com/errata/ELSA-2021-9528.html

commented

> The fix was released for Oracle Linux 7 on October 29, 2021. https://linux.oracle.com/errata/ELSA-2021-9528.html

Thanks, @honglinsu.
Updated the title of this to ask for fixing the severity vulnerability issue.

Which container image are you referring to? Do you have reason to believe these vulnerabilities are not fixed in that image?

ELSA-2021-9528 is for x86_64 (amd64) and references the CVEs:

The same CVEs are referenced by ELSA-2021-3798, which is for aarch64 (arm64v8).

According to the CHANGELOG, ELSA-2021-3798 and both CVEs were addressed on 2021-10-13 for both amd64 and arm64v8.

commented

For example, oraclelinux:7 and oraclelinux:7-slim.

C:\>docker scan oraclelinux:7
Testing oraclelinux:7...

✗ High severity vulnerability found in openssl-libs
Description: ELSA-2021-9528
Info: https://snyk.io/vuln/SNYK-ORACLE7-OPENSSLLIBS-1769087
Introduced through: openssl-libs@1:1.0.2k-22.el7_9
From: openssl-libs@1:1.0.2k-22.el7_9
Fixed in: 10:1.0.2k-22.el7_9_fips

C:\>docker inspect oraclelinux:7
[
{
"Id": "sha256:72c478e5833d42136936ffe2d5c79bb3ca7ff5fa4a8a6fa7213ce5c985949a41",
"RepoTags": [
"oraclelinux:7"
],
"RepoDigests": [
"oraclelinux@sha256:d080617f306d29292c139ac5fe098092fe441e46f9968e86fb6f74777a8e1b51"
],
"Parent": "",
"Comment": "",
"Created": "2021-12-02T03:35:50.359879693Z",
"Container": "f74b58cd29ad93fb0482db66e47f3d7c62817e9508cb413632100e0c094f8079",
... ...

This looks like an issue with the vulnerability scanner you are using. Here's what I'm seeing:

$ docker run -it oraclelinux:7
Unable to find image 'oraclelinux:7' locally
Trying to pull repository docker.io/library/oraclelinux ... 
7: Pulling from docker.io/library/oraclelinux
c8c090c3ad4a: Pull complete 
Digest: sha256:d080617f306d29292c139ac5fe098092fe441e46f9968e86fb6f74777a8e1b51
Status: Downloaded newer image for oraclelinux:7
[root@8ce8fd501b04 /]# rpm -qa | grep openssl-libs
openssl-libs-1.0.2k-22.el7_9.x86_64
[root@8ce8fd501b04 /]# rpm -q --changelog openssl-libs | grep CVE-2021-23840
- fix CVE-2021-23840 openssl: integer overflow in CipherUpdate
[root@8ce8fd501b04 /]# rpm -q --changelog openssl-libs | grep CVE-2021-23841
- fix CVE-2021-23841 openssl: NULL pointer dereference
[root@8ce8fd501b04 /]# 

Closing this issue. Please re-open if necessary.
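The manual check in the last comment (reading the RPM changelog rather than trusting the version string a scanner compares against) is easy to script. The following is an added example, not code from the oraclelinux images or this project; the function names, the docker invocation and the sample changelog text are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that backported CVE fixes are recorded in a package's
# RPM changelog. Version-matching scanners can flag openssl-libs 1.0.2k-22.el7_9
# as vulnerable even though the changelog shows the fixes were backported.

# Read changelog text from stdin and check every CVE id given as an argument.
# Returns 0 when all ids are present; prints the missing ids and returns 1 otherwise.
cves_in_changelog() {
    changelog=$(cat)
    missing=""
    for cve in "$@"; do
        # Match the id as a whole token so CVE-2021-2384 does not match CVE-2021-23840.
        if ! printf '%s\n' "$changelog" | grep -Eq "(^|[^0-9])${cve}([^0-9]|$)"; then
            missing="${missing} ${cve}"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    return 0
}

# Run the same check inside a container image (hypothetical wrapper; needs docker).
# Usage: check_image oraclelinux:7 openssl-libs CVE-2021-23840 CVE-2021-23841
check_image() {
    image=$1; pkg=$2; shift 2
    docker run --rm "$image" rpm -q --changelog "$pkg" | cves_in_changelog "$@"
}

# Constructed sample in the shape of `rpm -q --changelog openssl-libs` output.
SAMPLE_CHANGELOG='* Wed Oct 13 2021 Example Packager <packager@example.com> - 1.0.2k-22
- fix CVE-2021-23840 openssl: integer overflow in CipherUpdate
- fix CVE-2021-23841 openssl: NULL pointer dereference
'
```

A passing result only shows the packager recorded the fix; the image digest from `docker inspect` still has to match the tag you scanned, otherwise you are checking a different image than the scanner did.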