traefik / traefik-library-image

Used to build Official Docker image of Traefik Proxy

Home Page: https://store.docker.com/images/traefik

Vulnerabilities found in current stable docker image version v2.10.3

ivanol55 opened this issue · comments

Hello,

We found vulnerabilities in packages embedded in the image. The packages and CVEs found are:

┌─────────────────────────────┬────────────────┬──────────┬─────────────────┬─────────────┬───────────┬────────────┬───────────────────────┐
│           Package           │     CVE ID     │ Severity │ Current Version │ Fix Version │ Namespace │   Status   │       File Path       │
├─────────────────────────────┼────────────────┼──────────┼─────────────────┼─────────────┼───────────┼────────────┼───────────────────────┤
│ github.com/hashicorp/consul │ CVE-2021-37219 │ High     │ v1.10.12        │ 1.11.0      │ go        │ VULNERABLE │ usr/local/bin/traefik │
│ github.com/hashicorp/consul │ CVE-2022-40716 │ Medium   │ v1.10.12        │ 1.13.2      │ go        │ VULNERABLE │ usr/local/bin/traefik │
└─────────────────────────────┴────────────────┴──────────┴─────────────────┴─────────────┴───────────┴────────────┴───────────────────────┘

Introduced in layer (same for both rows):

set -ex; apkArch="$(apk --print-arch)"; case "$apkArch" in armhf) arch='armv6' ;; aarch64) arch='arm64' ;; x86_64) arch='amd64' ;; s390x) arch='s390x' ;; *) echo >&2 "error: unsupported architecture: $apkArch"; exit 1 ;; esac; wget --quiet -O /tmp/traefik.tar.gz "https://github.com/traefik/traefik/releases/download/v2.10.3/traefik_v2.10.3_linux_$arch.tar.gz"; tar xzvf /tmp/traefik.tar.gz -C /usr/local/bin traefik; rm -f /tmp/traefik.tar.gz; chmod +x /usr/local/bin/traefik


Any chance we can patch these packages in the image to the latest version, or at least one with the fixes implemented? These are both fixed in version 1.13.2 of Consul.

Thank you in advance.

Best,
Iván

Hello,

We are not affected by those CVEs because they affect pieces of code that we don't use.
The Consul CVE is about the Consul server but we are only using the client API.

Also, the problem related to updating a dependency because of a false positive is the impact of transitive dependencies. For example, an update of Consul can produce an update of gRPC, but gRPC is known to break things between patch/minor versions.
Any update has side effects.

We are not the only ones that complain about false positives related to vulnerability scanning tools:

The core of the problem is that vulnerability scanning tools don't share the same knowledge.
The best solution is to have a shared, free, and open-source security database with a way to report false positives.
Without a global place to report false positives, no tool that only does dependency analysis can be guaranteed without false positives.

Please be sure that we analyze all the CVEs related to Traefik and guarantee their treatment in the shortest possible time when we are impacted by them.
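As an added example (not Traefik's code and not any scanner's code), the Go program below reproduces the module-level matching behind the report in this issue. It reads the dependency list from the build info that the Go linker embeds in every binary, which is where image scanners get Go module versions for a static binary like /usr/local/bin/traefik, and flags a module whose recorded version is older than the advisory's fix version. The two advisories are constructed from the rows of the table above; their affected ranges are assumed to be "every version before the fix version", which is how the report presents them. The program knows nothing about which packages or functions of the module are linked or called, which is exactly the gap the reply points at.

```go
// Added example, not Traefik's or a scanner's code: module-level
// vulnerability matching on a Go binary's embedded build info.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Module is the (path, version) pair a scanner extracts per dependency.
type Module struct {
	Path    string
	Version string
}

// Advisory is a constructed record with the fields the report printed.
// Fixed is the first version that is not affected.
type Advisory struct {
	Module, CVE, Severity, Fixed string
}

// Finding is one row of the report.
type Finding struct {
	Module, Version, CVE, Severity, Fixed string
}

// Constructed from the two rows reported for Traefik v2.10.3. The affected
// range is assumed to be "every version before Fixed"; real databases carry
// explicit introduced/fixed ranges per CVE.
var advisories = []Advisory{
	{"github.com/hashicorp/consul", "CVE-2021-37219", "High", "1.11.0"},
	{"github.com/hashicorp/consul", "CVE-2022-40716", "Medium", "1.13.2"},
}

// ReadModules lists the dependencies recorded in a Go binary's embedded
// build info (`go version -m` shows the same data). A replaced module is
// reported under its replacement path/version, since that is the code
// actually compiled in.
func ReadModules(path string) ([]Module, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return modulesFromBuildInfo(bi), nil
}

func modulesFromBuildInfo(bi *debug.BuildInfo) []Module {
	var mods []Module
	for _, d := range bi.Deps {
		m := d
		if d.Replace != nil {
			m = d.Replace
		}
		mods = append(mods, Module{Path: m.Path, Version: m.Version})
	}
	return mods
}

// parseVersion turns "v1.10.12" or "1.10.12" (any -pre/+build suffix
// dropped) into numeric major.minor.patch; enough for release versions.
func parseVersion(v string) ([3]int, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// LessThan reports whether version a is older than version b, comparing
// numerically so that v1.10.x sorts after v1.9.x.
func LessThan(a, b string) (bool, error) {
	va, err := parseVersion(a)
	if err != nil {
		return false, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return false, err
	}
	for i := range va {
		if va[i] != vb[i] {
			return va[i] < vb[i], nil
		}
	}
	return false, nil
}

// Match is the whole decision procedure of a module-level scanner: flag a
// dependency if its version is older than the advisory's fix version. It
// never looks at which packages of the module the binary links or calls,
// so a client-API-only consumer is reported exactly like a Consul server.
func Match(mods []Module, advs []Advisory) ([]Finding, error) {
	var out []Finding
	for _, m := range mods {
		for _, a := range advs {
			if m.Path != a.Module {
				continue
			}
			old, err := LessThan(m.Version, a.Fixed)
			if err != nil {
				return nil, err
			}
			if old {
				out = append(out, Finding{m.Path, m.Version, a.CVE, a.Severity, a.Fixed})
			}
		}
	}
	return out, nil
}

func main() {
	// Constructed input mirroring the issue; pass a binary path to scan a real one.
	mods := []Module{{Path: "github.com/hashicorp/consul", Version: "v1.10.12"}}
	if len(os.Args) > 1 {
		var err error
		if mods, err = ReadModules(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	findings, err := Match(mods, advisories)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s %s %s (%s) fixed in %s\n", f.Module, f.Version, f.CVE, f.Severity, f.Fixed)
	}
}
```

Run as `go run main.go /usr/local/bin/traefik` (from a container with the image's binary copied out) to see the same two rows the scanner produced, for the same reason: version comparison alone. The check a practitioner wants before filing this kind of report is a symbol-level one; `govulncheck -mode=binary /usr/local/bin/traefik` (golang.org/x/vuln) reads the same build info but only reports a vulnerability when the affected functions are actually present in the binary, which is what distinguishes "depends on a Consul module with a server-side CVE" from "links the vulnerable server code".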