
Comments (8)

swiatekm-sumo avatar swiatekm-sumo commented on August 11, 2024 1

Released 3.17.0 and 4.1.0 containing this fix earlier today.

from sumologic-kubernetes-collection.

rghorpade-mdsol avatar rghorpade-mdsol commented on August 11, 2024

List of vulnerabilities:

| Component | Version | Vulnerability | Severity |
| --- | --- | --- | --- |
| curl | 7.88.1-r1 | CVE-2023-38545 | critical |
| libwebp | 1.2.4-r1 | CVE-2023-4863 | high |
| nghttp2 | 1.51.0-r0 | CVE-2023-44487 | high |
| libx11 | 1.8.4-r0 | CVE-2023-43787 | high |
| curl | 7.88.1-r1 | CVE-2023-38039 | high |
| nghttp2 | 1.51.0-r0 | CVE-2023-35945 | high |
| libx11 | 1.8.4-r0 | CVE-2023-3138 | high |
| ncurses | 6.3_p20221119-r0 | CVE-2023-29491 | high |
| curl | 7.88.1-r1 | CVE-2023-28319 | high |
| libwebp | 1.2.4-r1 | CVE-2023-1999 | high |


aboguszewski-sumo avatar aboguszewski-sumo commented on August 11, 2024

Hi Rajendra, thanks for creating the issue.

Are you sure the scan was performed correctly? For Helm Chart v3.16.2 we already use nginx-unprivileged:1.25.2-alpine, as can be seen here:

```yaml
image:
  repository: public.ecr.aws/sumologic/nginx-unprivileged
  tag: 1.25.2-alpine
  pullPolicy: IfNotPresent
```


lreed-mdsol avatar lreed-mdsol commented on August 11, 2024

I can corroborate what Rajendra is saying but also add some details as the problem is also in the updated 1.25.2 version.

It seems that public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine also has the newer CVE-2023-4863 / libwebp issue.

A Prisma scan shows this:

```text
Image            public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine
ID               sha256:d4de341be3aae88defd0b484928d44ecc5044cbd0295f31086ca885f60ab88d3
OS distribution  Alpine Linux v3.18
OS release       3.18.3
Digest           sha256:af39a3d5091b93b8afc3420fdc35787d560578486790c1844767374d278014f1
Start time       Oct 31, 2023 1:16:27 AM (2 days ago)
```

| Type | Highest severity | Description |
| --- | --- | --- |
| OS | critical | curl (used in libcurl, curl) version 8.2.1-r0 has 2 vulnerabilities |
| OS | high | nghttp2 (used in nghttp2-libs) version 1.55.1-r0 has 1 vulnerability |
| OS | high | libx11 version 1.8.4-r4 has 1 vulnerability |
| OS | high | libwebp version 1.3.1-r0 has 1 vulnerability |

I also just did a trivy scan:

```text
public.ecr.aws/sumologic/nginx-unprivileged:1.25.2-alpine (alpine 3.18.3)
Total: 7 (HIGH: 5, CRITICAL: 2)
│ Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │ Title                                                        │
│ curl         │ CVE-2023-38545 │ CRITICAL │ 8.2.1-r0          │ 8.4.0-r0      │ heap based buffer overflow in the SOCKS5 proxy
│              │ CVE-2023-38039 │ HIGH     │                   │ 8.3.0-r0      │ out of heap memory issue due to missing limit on header
│ libcurl      │ CVE-2023-38545 │ CRITICAL │                   │ 8.4.0-r0      │ heap based buffer overflow in the SOCKS5 proxy
│              │ CVE-2023-38039 │ HIGH     │                   │ 8.3.0-r0      │ out of heap memory issue due to missing limit on header
│ libwebp      │ CVE-2023-4863  │          │ 1.3.1-r0          │ 1.3.1-r1      │ Heap buffer overflow in WebP Codec                           │
│ libx11       │ CVE-2023-43787 │          │ 1.8.4-r4          │ 1.8.7-r0      │ integer overflow in XCreateImage() leading to a heap
│ nghttp2-libs │ CVE-2023-44487 │          │ 1.55.1-r0         │ 1.57.0-r0     │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
```

I don't have an AWS ECR scan handy yet.


lreed-mdsol avatar lreed-mdsol commented on August 11, 2024

It looks like the issues in Alpine were patched in https://alpinelinux.org/posts/Alpine-3.18.4-released.html:

```text
main/libwebp: upgrade to 1.3.2
jane400 (1):
main/libwebp: patch CVE-2023-4863
```

Thanks for looking into this!


lreed-mdsol avatar lreed-mdsol commented on August 11, 2024

Did some more digging.
It looks like the fixes for all but the latest CVEs are in public.ecr.aws/nginx/nginx-unprivileged:1.25-alpine3.18:

```text
public.ecr.aws/nginx/nginx-unprivileged:1.25-alpine3.18 (alpine 3.18.4)

Total: 1 (HIGH: 1, CRITICAL: 0)
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │ Title                                                │
│ libx11  │ CVE-2023-43787 │ HIGH     │ 1.8.4-r4          │ 1.8.7-r0      │ integer overflow in XCreateImage() leading to a heap │
```

There are other fixes on the way, but they might be delayed: Update mainline NGINX to 1.25.3 (nginxinc/docker-nginx-unprivileged#167).

It looks like it might take a few days+ to work out the latest changes.

Might it be worthwhile to put in a PR for tag: 1.25-alpine3.18 to get the latest updates if 1.25.3 might be delayed?


swiatekm-sumo avatar swiatekm-sumo commented on August 11, 2024

Hey, thank you both for the detailed investigation! I think we should just upgrade to whatever is available, since we wanted to issue new releases this week anyway. Once nginx gets 1.25.3 out, we can upgrade to that one separately.

One somewhat annoying thing about the nginx-unprivileged repository is that most (all?) of the tags move. What I ended up doing is simply rehosting the current 1.25.2-alpine image as 1.25.2-alpine-sumo-1 to indicate the change. My scanner shows the same output as yours @lreed-mdsol for this image.

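The scanner tables earlier in the thread and the point about moving tags, as an added Python example that is not code from the sumologic-kubernetes-collection project or from any of the commenters: it parses a Trivy JSON report (the `Results[].Vulnerabilities[]` shape of `trivy image --format json` is assumed), counts findings by severity, works out the highest fixed package version needed to close every fixable finding, fails a build gate while a fixable HIGH or CRITICAL remains, and builds a digest-pinned image reference so that a moved tag can no longer silently change what runs. The report embedded in the block is a constructed sample assembled from the findings quoted above, not a real scan file, and the `apk_version_key` ordering is a simplified comparator, not a full implementation of apk version rules.

```python
"""Turn a Trivy JSON report into a build decision and pin the image by digest.

Added example; not code from the sumologic-kubernetes-collection project.
Assumes the report shape of `trivy image --format json`: Results[] with a
Vulnerabilities[] list whose entries carry VulnerabilityID, PkgName,
InstalledVersion, FixedVersion and Severity.
"""
import json
import re
from collections import Counter

IMAGE = "public.ecr.aws/sumologic/nginx-unprivileged"
TAG = "1.25.2-alpine"
# Digest quoted in the Prisma scan above; a reference carrying it is immutable.
DIGEST = "sha256:af39a3d5091b93b8afc3420fdc35787d560578486790c1844767374d278014f1"

# Constructed sample rows (CVE, package, installed, fixed, severity) mirroring
# the trivy table quoted in the thread; this is not a real scan file.
_ROWS = [
    ("CVE-2023-38545", "curl", "8.2.1-r0", "8.4.0-r0", "CRITICAL"),
    ("CVE-2023-38039", "curl", "8.2.1-r0", "8.3.0-r0", "HIGH"),
    ("CVE-2023-38545", "libcurl", "8.2.1-r0", "8.4.0-r0", "CRITICAL"),
    ("CVE-2023-38039", "libcurl", "8.2.1-r0", "8.3.0-r0", "HIGH"),
    ("CVE-2023-4863", "libwebp", "1.3.1-r0", "1.3.1-r1", "HIGH"),
    ("CVE-2023-43787", "libx11", "1.8.4-r4", "1.8.7-r0", "HIGH"),
    ("CVE-2023-44487", "nghttp2-libs", "1.55.1-r0", "1.57.0-r0", "HIGH"),
]
SAMPLE_REPORT = json.dumps({
    "ArtifactName": f"{IMAGE}:{TAG}",
    "Results": [{
        "Target": f"{IMAGE}:{TAG} (alpine 3.18.3)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": c, "PkgName": p, "InstalledVersion": i,
             "FixedVersion": f, "Severity": s}
            for c, p, i, f, s in _ROWS
        ],
    }],
})


def load_findings(report_json):
    """Flatten every vulnerability in the report into a small dict per finding."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN"),
            })
    return findings


def severity_counts(findings):
    """Counter of findings per severity, e.g. Counter({'HIGH': 5, 'CRITICAL': 2})."""
    return Counter(f["severity"] for f in findings)


def apk_version_key(version):
    """Simplified sort key for Alpine versions of the form X.Y.Z[_suffix]-rN.

    Numeric components of the base version are compared first, then the
    package release number. Assumption: adequate for choosing the highest
    FixedVersion per package; it is not a complete apk version comparator.
    """
    base, _, rel = version.partition("-r")
    nums = tuple(int(x) for x in re.findall(r"\d+", base))
    return (nums, int(rel) if rel.isdigit() else 0)


def required_upgrades(findings):
    """Highest fixed version per package that closes every fixable finding."""
    needed = {}
    for f in findings:
        if not f["fixed"]:
            continue  # no upstream fix yet; nothing to upgrade to
        current = needed.get(f["pkg"])
        if current is None or apk_version_key(f["fixed"]) > apk_version_key(current):
            needed[f["pkg"]] = f["fixed"]
    return needed


def gate(findings, block_on=("CRITICAL", "HIGH")):
    """Return (passed, blocking). Only findings that have a fix block the build;
    an unfixable HIGH is still reported but cannot be acted on by rebuilding."""
    blocking = [f for f in findings if f["severity"] in block_on and f["fixed"]]
    return (not blocking, blocking)


def pin_by_digest(repository, tag, digest):
    """Build an immutable `repo:tag@sha256:...` reference. With both present the
    runtime pulls by digest and keeps the tag as a human-readable hint only."""
    if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        raise ValueError(f"not a sha256 digest: {digest}")
    return f"{repository}:{tag}@{digest}"


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print("severity counts:", dict(severity_counts(found)))
    for pkg, version in sorted(required_upgrades(found).items()):
        print(f"upgrade {pkg} to {version}")
    passed, blocking = gate(found)
    print("gate:", "PASS" if passed else f"FAIL ({len(blocking)} fixable findings)")
    print("pinned reference:", pin_by_digest(IMAGE, TAG, DIGEST))
```

In a pipeline the script would read the real report from `trivy image --format json`, and the pinned reference is what belongs in the Helm values instead of a bare tag, since the thread's own observation is that the upstream tags move.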

lreed-mdsol avatar lreed-mdsol commented on August 11, 2024

Thanks for your help on this!!!
Do you plan to release a new version of the Helm chart soon?

